tal , 9 hours ago (edited 8 hours ago)

That sounds like an absolutely horrible idea.

• Biometrics are non-revocable. It gets compromised, you can’t change your face. Well, not easily.
• Your face is not a secret. You plaster it everywhere all day long, unless you’re gonna wear a mask. Anyone armed with a smartphone can steal your facial biometricd. Any camera you walk by is grabbing them.
• Cameras and the systems feeding them on consumer systems are not trusted hardware. I can feed synthesized video to you. That’s before even making a physical face they looks like someone else.

Give me a little hardware device, like a scaled down smartphone, with a trusted display (so I can trust what I see on the thing, instead of what some point-of-sale system is saying) and keypad with PIN and contacts that can interface with my phone or computer or PoS system (because wireless authorization of financial transactions is also not great). Maybe even put a fingerprint scanner on it (not that a fingerprint is great, also a non-revocable biometric plastered all over, but it makes swiping someone’s token after viewing their PIN harder). Someone submits a transaction to the thing, it displays the information to me, I authenticate myself to the device, it cryptographically signs my approval, done.

I don’t want my keystore on my phone or computer, because they are big and complicated and I don’t want a lot of routes into the device. I want to have a trusted piece of hardware holding my auth keys that works with all of my phone, computer, and point-of-sale systems.

Why do payment systems determinedly persist in insecure approaches?

The original credit card – a number printed on the card – was terrible from a security standpoint, but at least they had the excuse of technological limitations of the time. Adding a CCV number that retailers aren’t supposed to retain was a marginal improvement.

The magstrip is pretty much equivalent.

The smartcard was an improvement – you aren’t copying your authentication data to every person you do a transaction with, letting them swipe it, but still didn’t have a trusted display. And there was no little to rollout to let consumers do smartcard stuff on computers for online purchases.

Tap-to-pay is a downgrade from a security standpoint, since it’s easier to bump someone and authenticate as them using a tap-to-pay card in a pocket.

Apple or Google Wallets come with the downside of having a lot of untrusted, complicated hardware and software in the loop.