Amex Adds Biometrics to SafeKey Authentication Tool


American Express said it is adding facial and fingerprint recognition to its SafeKey authentication tool.

The upgrade, announced Thursday (Oct. 5), is designed to prevent fraud and streamline checkout, and makes American Express the first card issuer to roll out these biometric features, the company said in a news release provided to PYMNTS.

“We’re focused on developing solutions that keep us one step ahead of fraudsters, so our Card Members can shop safely online,” said John J. Kieley, vice president of digital identity and commerce experiences at American Express. “Now, checking out safely and securely is as easy as unlocking your phone. It’s how we check in when you checkout.” 

When customers check out online, SafeKey makes sure it’s really them using the card, and — when necessary — asks for confirmation. Until now, that’s been done via a code or app notification, but it will now include a face or fingerprint ID for select members.

These members will become eligible for the pilot after “completing a security validation during the SafeKey checkout process and using a device and browser that support facial and fingerprint recognition,” the release said. The features will be available to all consumer card members in the U.S. early next year.

The launch is happening as biometric payments such as face and fingerprint recognition become increasingly popular across a range of industries. 

The PYMNTS and AWS study “Tracking the Digital Payments Takeover: Biometric Authentication in the Age of Mobile” – which drew from a census-balanced survey of more than 3,200 U.S. consumers – found that facial recognition is the most common kind of biometric payment shoppers tend to encounter.

The study found that 28% of consumers had used facial recognition to authenticate an online purchase in the prior 30 days, while 27% said the same of fingerprint scans.

“Yet consumers prefer fingerprint scans to facial recognition,” PYMNTS wrote earlier this week. “The study found that 14% of consumers choose the former as their preferred authentication method, while only 13% said the same of the latter.”

Meanwhile, PYMNTS spoke last month with Greg Esser, director of strategic partnerships in the U.S. at Entersekt, who said the non-biometric validation method of offering customers a one-time passcode (OTP) might need some rethinking.

While OTPs remain a valid way for consumers to authenticate themselves, they are increasingly being targeted by fraudsters, Esser said.

“Man-in-the-middle attacks can easily defeat one-time passcodes,” he added.

It works like this: emails sent with innocuous-seeming links can trick unwitting recipients into giving hackers entrance to communications and back-office systems, and letting them impersonate the user’s banks.

As far as the consumer knows: “You’re receiving a text message from your bank … you click that link, and in all reality, you’re actually navigating to a fraudster site,” Esser said. 

The scammer takes the username and password, shifts to the banking site, sends an OTP requesting authentication, and then gets access to the accounts.