Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Intelligent Machines

Pay with Your Fingerprint

Samsung’s Galaxy S5 is the first smartphone that can use a fingerprint to authorize payments in stores and online.

Using fingerprints to authenticate payments could significantly improve security and ease of use.

Anyone with an iPhone 5 can use its fingerprint reader to unlock the device and pay for apps or music in Apple’s iTunes store. Owners of Samsung’s latest flagship device, the Galaxy S5 smartphone, which launches on April 11, will be able to make much broader use of their fingerprints to pay for things. If they visit a website or app that accepts PayPal using the device, they can authorize payments by swiping a finger across the phone’s home button. And PayPal’s own mobile app can be used to pay for goods in some physical stores in the U.S.

Fingerprint payments are likely to be offered on many more smartphones in the near future. The Galaxy S5’s payments system is the first commercial deployment of a new protocol developed by the FIDO Alliance, a group founded by tech companies to end our reliance on insecure passwords (see “PayPal, Lenovo Launch Campaign to Kill the Password”). Indeed, fingerprint readers are expected to become commonplace on mobile devices over the next year or so (see “A Technological Assault on the Password”).

“Today people are having to type in nine-digit passwords everywhere, including one-handed on the subway,” says Joel Yarbrough, senior director of global product solutions at PayPal. This leads many people to use simple passwords and to reuse them across multiple services. This, in turn, makes it easier for criminals to take control of accounts. “Building a smart biometric experience solves both usability and dramatically increases the security level,” says Yarbrough.

To start using your finger for payments on the new Samsung phone, you have to go through a short setup process that registers the identity of the device, based on its cryptographic chip, and links your fingerprint to a PayPal account. Afterward, PayPal’s software asks for a fingerprint swipe anytime an app or site would usually show a log-in screen.

mobile phone showing UI
Fingertip swipe: The fingerprint sensor in Samsung’s upcoming flagship smartphone can be used to make PayPal payments online, in mobile apps, and in physical stores.

The FIDO protocol is designed so that a record of your fingerprint never leaves your device. Instead, the fingerprint reader’s output is used to generate cryptographic keys that are combined with those from the device’s cryptographic chip to create a new key that can’t be used to copy the fingerprint used to make it.

The Galaxy S5 is so far the only device to support PayPal’s new FIDO-based fingerprint system, and PayPal is cagey about how soon others might appear. But Yarbrough acknowledges that Samsung isn’t the only gadget maker looking at fingerprint readers. “It’s our impression that a lot of manufacturers are investing time in this technology,” he says. Brett McDowell, senior security advisor at PayPal and vice president of the FIDO alliance, says widespread adoption is “core to the mission of the alliance.”

The FIDO Alliance was launched in early 2013, and now has over 100 members, including Microsoft, Google, device manufacturers such as Lenovo and LG, and representatives of the payments industry such as PayPal and Mastercard. Apple, which has its own fingerprint authentication technology, is not a member of the FIDO Alliance.

Sebastien Taveau, formerly chief technology officer of Validity, a fingerprint sensor company acquired in October by Synaptics, says fingerprint sensors will soon be widespread. Apple and Samsung—the two largest mobile device makers—have now made fingerprint authentication major features of their flagship devices, he points out, and competitors will likely follow their lead. “It is expected that other devices, like tablets, will be incorporating a sensor.”

Most of the core technology needed for biometric authentication has been around for years. Taveau says that cultural change means we are now ready to embrace the idea. “With the transformation of user interactions with content from local to cloud-based and the collapse of trust in existing authentication mechanisms, a real change is happening,” he says, pointing to the public awareness of security flaws heightened by the NSA leaks and the Target debit card breach. “Trust in security and credentials need to be reëstablished.”

Tech Obsessive?
Become an Insider to get the story behind the story — and before anyone else.

Subscribe today

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Basic.
  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning magazine and daily delivery of The Download, our newsletter of what’s important in technology and innovation.

    See details+

    What's Included

    Bimonthly magazine delivery and unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.