Despite the launch of new biometric technologies to authorise financial payments, banks should not ditch the traditional password to enable payments to be cleared, according to analyst IDC.
The analyst says biometric identification in financial applications is a "relatively young and experimental business".
IDC points out that the biggest developments are related to the fingerprint scanners built into Apple and Samsung smartphones. And Mastercard this month said it was trialling facial and voice recognition technologies to authorise retail payments.
Apple's Touch ID has been available for a year now, but up to now has only been used for unlocking screens. With the launch of the new iPhone 6 though, Apple has essentially endorsed Touch ID to replace the traditional PIN code for payment cards via Apple Pay, said IDC.
More importantly, said the analyst, Apple has now also given third-party developers access to the Touch ID application programming interface (API), enabling integration of its biometric identification method into iOS apps.
In addition, digital wallet operators PayPal and Alipay have upgraded their apps to allow users to sign in and authorise payments by swiping their finger. IDC said, "These financial institutions are the first to bet that the security level offered by mass market fingerprint scanners is at least as good as that of a PIN code or a password.
"If this is the case, they win by offering a significantly improved user experience to their customers at no extra cost."
But financial institutions like banks should not jump in, warned IDC. Andrei Charniauski, an analyst at IDC, said: "While improving authorisation experience is attractive and will help adoption of mobile banking services, financial institutions should not just blindly commit to mass market biometric identification solutions, especially those provided by third parties via publicly-available APIs."
Charniauski said it would take "several years" for the financial industry to assess safety levels. Until then, the best approach, he said, was to use two-factor authentication in mobile applications. In order to maximise user experience, he added, it would be appropriate to introduce biometrics only for the initial sign in and access to the information area that offers account overviews and transaction statements, for instance.
"For the transaction part of the mobile application - including account transfers, bill payments and other sensitive functions such as payment card PIN change - financial institutions should double-up by retaining the traditional password," said Charniauski.
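The tiered approach Charniauski describes (biometric sign-in for the read-only information area, password step-up for transfers, bill payments and PIN changes) can be expressed as an authorisation policy. The following is an added illustration, not IDC's analysis or any bank's code; the operation names, the 300-second step-up window, the PBKDF2 password helper and the `Session` model are all assumptions made for the example.

```python
"""Tiered (step-up) authorisation for a mobile banking session.

Added example, not part of the IDC analysis or any bank's code. Biometric
sign-in unlocks read-only views only; transactions additionally require a
recent password check. Operation names, window length and helpers are assumed.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Operations a biometric-only session may perform (read-only information area).
READ_ONLY_OPS = {"account_overview", "transaction_statement"}
# Operations that additionally require a recent password verification.
SENSITIVE_OPS = {"account_transfer", "bill_payment", "card_pin_change"}
# How long a password step-up remains valid (assumed policy value, seconds).
STEP_UP_WINDOW_SECONDS = 300


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a PBKDF2-HMAC-SHA256 digest; returns (salt, digest). Constructed helper."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate digest against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Session:
    user: str
    biometric_ok: bool = False                    # device reported a fingerprint match
    password_verified_at: Optional[float] = None  # time of last successful password check


def biometric_sign_in(session: Session, device_result: bool) -> None:
    """Record the device's biometric verdict. This grants only the read tier."""
    session.biometric_ok = bool(device_result)


def password_step_up(session: Session, password: str, salt: bytes, digest: bytes) -> bool:
    """Second factor for the transaction tier: verify the password, stamp the session."""
    if verify_password(password, salt, digest):
        session.password_verified_at = time.time()
        return True
    return False


def authorize(session: Session, operation: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether `operation` may proceed for this session.

    Returns (allowed, reason). Unknown operations are denied (fail closed).
    """
    now = time.time() if now is None else now
    if not session.biometric_ok:
        return False, "sign-in required"
    if operation in READ_ONLY_OPS:
        return True, "biometric sign-in sufficient"
    if operation in SENSITIVE_OPS:
        ts = session.password_verified_at
        if ts is None:
            return False, "password step-up required"
        if now - ts > STEP_UP_WINDOW_SECONDS:
            return False, "password step-up expired"
        return True, "biometric + password"
    return False, "unknown operation"


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")  # constructed credential
    s = Session(user="alice")
    biometric_sign_in(s, device_result=True)
    print(authorize(s, "account_overview"))    # allowed on biometric alone
    print(authorize(s, "account_transfer"))    # denied until the password step-up
    password_step_up(s, "correct horse battery staple", salt, digest)
    print(authorize(s, "account_transfer"))    # allowed within the step-up window
```

The policy keeps the biometric verdict and the password check as separate facts on the session, so a device that reports a fingerprint match can never reach a transfer on its own, and the step-up expires rather than persisting for the life of the session.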