Biometrics in digital banking and beyond

Major companies are turning to biometric authentication in order to reinforce weak points in their security. As much as things like fingerprint or selfie login may look like consumer gimmicks at first glance, they are really part of a much larger shift in the security landscape.

It is an end to end shift. Both hardware and software manufacturers, large and small, are turning their attentions to biometrics, spurred on by Apple’s inclusion of Touch ID, Samsung’s own fingerprint scanner and a host of new innovators to the biometrics scene who are taking advantage of mobile device proliferation and capability advancement.

Research from BBVA indicates that the global biometrics market will reach $22bn by 2020, near enough doubling from the $11bn valuation estimate in 2015. And according to Juniper Research, more than 770 million biometric authentication apps will be downloaded per year by 2019, thanks to high profile deployments driving adoption.

High profile statements are regularly appearing in the media, with finance companies in particular showing more support for biometric authentication than ever. I’m very curious to see how Nationwide’s move into behavioural biometrics will go - it adds a whole new level to a ‘personalised customer experience’. HSBC intends to offer voice recognition and fingerprint authentication to its customers this Summer. Mastercard has opted for a different biometric, announcing that it will be offering selfie authentication in the near future. PayPal has already shifted, making use of TouchID in its mobile app. It remains to be seen how successful the implementation of these schemes will be, but most signs look positive: Mastercard, for example, claims that 92 per cent of test subjects preferred the new system to passwords.

Aside from straightforward security improvement, there are other major benefits for companies adopting biometric authentication. Better fraud detection, better identity management, better audit trails, better internal controls and, as a result of all of that, more trust from consumers. And really, it’s no surprise that banking and payment processors are moving so quickly to adopt new processes - they are under huge competitive pressure from digitally native, mobile experience focused newcomers.

What are consumers making of this shift?

Research from Experian suggests that consumers are in favour of the idea of processes that require biometric information. Of the 2,002 people surveyed, one in three believe biometric identification is either just as secure, or more secure, than the current system of passwords.

And of course, the more it is talked about (in the news, in technology blogs, by word of mouth) the more consumers will gain an understanding and an acceptance of the shift: a global survey revealed that 74 per cent of mobile users expect biometric smartphones to become mainstream this year.

Consumers will appreciate the simplified access as a result of not having to recall passwords and usernames and, although I’m not a marketer, I imagine they will find attraction in the futuristic feel of it all.

Will biometrics actually make businesses more secure?

Biometrics will certainly make businesses more secure than the reliance on transferable credentials does currently. Transferable credentials such as cryptographic keys, passwords and PINs are always going to have the same problem: they can be alienated from the intended person that is granted access to a particular system or device.

As long as the cryptographic key is kept secure, no device can impersonate the original system or device, making this kind of authentication very robust and secure. But what about the person behind the keyboard or screen - is he or she bound to that cryptographic key?

Maybe in the future, with some sort of nanomachine, we could ‘seed’ a human with cryptographic keys. That would be the ideal cancellable biometric, allowing us to bind together a human and a cryptographic key. In the meantime, we’ll have to rely on biometrics to provide some level of confidence that the intended person - using the intended system - has the cryptographic key to authenticate against another system or person.

Can biometrics also be alienated from the intended person?

We have seen many cases of biometrics spoofing, ranging from simple print attacks to spoof face biometrics to fake fingers. There is no silver bullet against biometrics spoofing but there is strength in numbers, or in this case: there’s strength in factors of authentication.

The combination of a cryptographic key, a biometric with a good anti-spoofing method and something that you know is a reasonably strong 3-factor authentication vector.

More factors can be added to each of the categories: something that you are, something that you know, something that you own at the expense of convenience for the user.

Can we avoid a trade-off between user experience and security?

I believe that an adaptive authentication system, which is context and risk aware, is the key to avoiding a trade-off between user experience and security. For example, if you were at home on your wifi, logged into your laptop and decided to check some pictures on Instagram, no further authentication might be needed.

But if you were about to make a high value transfer with your bank application in a coffee shop on free wifi at the CCC conference, it makes sense to expect a stronger authentication vector in order to authorise it.

Paco Garcia, CTO at Yoti

Image source: Shutterstock/Carlos Amarillo