FIDO Meets the Point of Sale
The easiest way of preventing a stranger from gaining access to my treasures is to lock them up in a box and keep a key that only I have access to. With computer systems or websites, the key to the system is usually a password.
Like most people, I wish I didn’t have to use passwords. A good password is very difficult to create and very easy to forget, and you use lots of them, every day. We must also change all of our passwords frequently, just in case somebody has guessed one and is accessing our information.
How many times have you just stared at your keyboard for what feels like minutes, hoping that the ultra-safe password, containing a long list of random letters, numbers and symbols, that you created only yesterday will magically pop back into your brain? How can you access your computer, your online store or a social network now?
After typing in a whole list of passwords that get rudely rejected, you end up clicking the forgotten password button and go through a one- or multi-step process to prove that you are you (if your system has not already locked you out because you have had too many incorrect password attempts). Once the system is happy that you are not a fake you, you can then create a new password, only to forget it again tomorrow.
This is stressful and time consuming. But imagine that somebody is waiting for you to access your system. This may be the case if password security is used to access a Point of Sale system in a busy store or cafe. The queue is getting longer and there is a very high chance that customers will simply give up waiting for the shop assistant to remember his password and walk away without making a purchase.
So what’s the solution?
You could write the password on a sticky note and attach it to the computer. You could use a really easy-to-remember password, such as the name of the store, the manager’s birthday, or the name of a pet, a TV show, a pop star or a favourite film character. Or, you could turn the password function off.
No! No! No!
Passwords have to be secret. Passwords have to be complex to prevent a rogue party from guessing them after gaining a little bit of information about us from social networks. You must protect your information.
The Worldpay Innovation team really want to make life easier for everyone. People should not have to even think about using technology. Technology should make life easier, not harder.
We can replace password authentication with systems that celebrate how unique we really are. This is the topic of biometrics. We don’t have to remember anything at all, we, ourselves, become the living key to the system.
A biometric simply means converting something from our biology into the digital world. New techniques are being developed every day and technologists are always looking for new ways to authenticate us, using anything that they can find that proves we are individuals.
Many of us are already using a fingerprint to confirm a transaction on our phones. We may also use our face to get through the gates at the airport, and voice recognition is active with some telephone banking or insurance services. Other biometric authentication techniques include finger vein (which we used in the Worldpay café in 2015), heart rate, thermal images, walking patterns and even ear shapes. There are so many biometric authenticators that it is very difficult to keep up with them all.
Most flagship mobile phones have biometric authenticators built in. Some have more than one authenticator for their users to choose from. App developers now have a problem. There are so many phones and so many authenticators, and the number of each keeps growing. How do you support them all?
This is where FIDO comes in. FIDO stands for Fast Identity Online. It is an emerging standard developed by a large consortium of organisations within the mobile identity and authentication industry. The basic aim of FIDO is to create a universal interface to the phone’s authenticator. This means the developers of an application do not have to write separate software for each and every combination of handset and authenticator; they just use a FIDO SDK that does the job for them.
Worldpay worked with Samsung SDS (the software consultancy division of Samsung) to create a proof of concept Point of Sale application that uses FIDO-based authentication to control access to the application. This means that a shop assistant can simply use a fingerprint to launch the application. There are no long and complicated passwords to enter (or forget).
We built a very simple mobile Point of Sale (PoS) system for a fictitious cake shop to run on the Samsung Galaxy S6 phone. This application is based upon the Worldpay Total Mobile solution, which handles the card payments using a Bluetooth-connected chip and PIN acceptance device for credit or debit cards.
The cake shop’s table staff can use the mobile PoS to total up the purchases while at the table and take a payment without actually going back to the shop’s counter. As there is a risk of a phone being left on the table, we wanted to make sure that the PoS could only be controlled by official staff, so we added a layer of security to the application in the form of FIDO biometric authentication using the tools provided by Samsung.
Using FIDO is basically a case of asking a question through an API, “Is the user authentic?”, whenever the mobile PoS App wishes to access something that should be secured. The phone’s biometric system is launched, the user carries out whatever authentication steps they would normally do on whatever phone they are using, and the Samsung FIDO system tells the application “Yes”, “No” or “Error”. It’s basically as simple as that. The same applies to any authenticator that is added to the ever-growing list of FIDO-compliant authenticators, without further changes to the application or separate versions for each model of phone.
With the FIDO standard, the App using the authenticator does not receive any personal data about the user. If, for instance, a fingerprint reader is being used, the fingerprint pattern stays on the phone and is matched against the pattern registered on the phone.
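The exchange in the two paragraphs above, as an added example that is not part of the original post or of Samsung SDS’s or Worldpay’s code: a Go model of the FIDO registration and authentication flow, showing why the app only ever sees a public key and a signature over its own challenge while the biometric match happens on the phone. The Authenticator and RelyingParty types and the constructed fingerprint bytes are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

var errNoMatch = errors.New("biometric does not match the enrolled template")
// Authenticator models the phone's FIDO authenticator: the enrolled template and the private keys stay here.
type Authenticator struct {
	Template []byte                        // constructed stand-in for the enrolled fingerprint
	keys     map[string]ed25519.PrivateKey // one key pair per registered app
}
// Register makes a key pair for appID and returns only the public half.
func (a *Authenticator) Register(appID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	if a.keys == nil { a.keys = map[string]ed25519.PrivateKey{} }
	a.keys[appID] = priv
	return pub
}
// Authenticate matches the biometric locally and only then signs the app's challenge.
func (a *Authenticator) Authenticate(appID string, presented, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[appID]
	if !ok { return nil, errors.New("no key registered for this app") }
	if !bytes.Equal(presented, a.Template) { return nil, errNoMatch }
	return ed25519.Sign(priv, challenge), nil
}
// RelyingParty models the PoS app (or its server): it holds public keys only.
type RelyingParty struct { AppID string; pubs map[string]ed25519.PublicKey }
// Enroll stores a staff member's public key at registration time.
func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) {
	if rp.pubs == nil { rp.pubs = map[string]ed25519.PublicKey{} }
	rp.pubs[user] = pub
}
// Check asks "is the user authentic?" and answers Yes, No or Error; it never sees the fingerprint.
func (rp *RelyingParty) Check(user string, auth *Authenticator, presented []byte) string {
	pub, ok := rp.pubs[user]
	if !ok { return "Error" }
	challenge := make([]byte, 32) // fresh per attempt, so a captured signature cannot be replayed
	if _, err := rand.Read(challenge); err != nil { return "Error" }
	sig, err := auth.Authenticate(rp.AppID, presented, challenge)
	switch {
	case errors.Is(err, errNoMatch): return "No"
	case err != nil: return "Error"
	case ed25519.Verify(pub, challenge, sig): return "Yes"
	}
	return "No"
}
```

Because the key pair is bound to the app that registered it, a second app cannot reuse the cake shop’s registration: it gets “Error” rather than a signature.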
Our whole Proof of Concept mobile Point of Sale was built in just a few weeks, using Samsung SDS’s FIDO solution and Worldpay’s Total Mobile solution.
We are very happy with the end result. The user experience could not be easier. There is now no need for our cake shop assistant to remember long and complicated passwords and the customers do not walk away empty handed (or empty stomached) because of waiting too long to be served.
See the video below for more information on this project.