In recent years there’s been a significant drive towards the use of biometric information for the authentication of payment card transactions. Today, the technology is mainstream. Beginning with fingerprint recognition systems like Apple’s TouchID, biometrics has rapidly expanded to enable facial and even iris recognition.
It’s easy to see why these systems are so popular. Not only did a recent IBM study suggest consumers believe biometric authentication is more secure than passwords, they’re also more convenient. Rather than having to enter a password, PIN code, or pattern into their phones, consumers can simply touch or look at their device to gain access. In this way, the migration toward biometrics reflects a preference for convenience over security.
You could add a bit about consumer acceptance – when we asked in our survey biometrics lagged behind methods such as passcodes to mobile phones or creation using a pin sentry device.
If you are making a payment online and your bank needs to make additional security checks which method do you prefer (survey of 500 UK adults, November 2018).
IBM’s study also highlighted a strong preference toward biometric authentication among young people. 75 per cent of millennial respondents said they were comfortable with using it, compared to 67 per cent of the wider population. And in a survey FICO conducted last year, biometrics (using their fingerprint on their mobile device) was UK consumers’ second favourite way to authenticate themselves, after a text with a passcode.
So what’s the problem?
The flaws of biometric security
The tech world’s continued migration towards biometrics is short-sighted (no pun intended). Although we’re currently in a honeymoon period for the technology, in the years to come I expect to see attitudes change as its flaws become more apparent.
When used in security applications, biometrics are nothing more than the stored digital interpretation of a biological feature, which is then associated with your account credentials. These digital files can be spoofed, stolen or simply rearranged to point to a digital identity other than your own.
Of course, it’s difficult. But at one time it was considered difficult to counterfeit a magnetically encoded check or credit card – a feat now deemed trivial. As biometrics are neither fool-proof nor fraud-proof, we must rethink the amount of trust we’re continuing to put in them.
We’ve already seen high-profile cases of biometric data being compromised. In 2015, 5.6 million fingerprints belonging to U.S. government employees were stolen by hackers, and India’s biometric identification system - the largest in the world - has been plagued by reports of security flaws for years.
The consequences of biometric hacks are far-reaching
Biometric authentication has fast become the most popular method of unlocking mobile devices: according to Apple, in 2016 89 per cent of iPhone users were using the TouchID service. Access to a user’s phone would mean compromising a wealth of personal data that could facilitate identity fraud, blackmail, and more. This risk is being exacerbated by a number of banks now allowing consumers to use TouchID and its Android equivalents as a method to log into mobile banking apps alongside the increase in mobile wallets like Android and Apple Pay.
And it’s not just personal devices that are at risk; it has been predicted that nearly 90 per cent of businesses will be using biometric authentication technology by 2020, which means important organisational data will be at risk of compromise.
Biometrics vs the password
As much as biometric authentication might feel more advanced and secure than the humble password, passwords have a significant advantage: if they’re compromised, you can change them. Nobody can replace their fingerprints or iris.
When considering the relative downsides of biometrics vs passwords, ask yourself:
- Would you feel comfortable using the same password for every digital account you have, if you knew you could never change it? Remember, in the event of your biometric identification being breached, every single account using that identification is now compromised.
- What would you do if a hacker replaced the digital interpretation of your retina with their own? How would you go about proving that you are really you?
Our ever-growing faith in and reliance on biometrics is dangerous, and needs addressing before it goes any further.
How can we avoid disaster?
For the reasons listed above, biometrics cannot be considered a ‘silver bullet’ when it comes to authenticating users. But they do have a place within a layered security ecosystem – one that evaluates a variety of factors to prove a user’s identity.
To deliver this layered approach, organisations should look to behavioural analytics – a method of measuring how customers behave. By doing so, they can add an extra layer of protection to their security ecosystem. Behavioural analytics can track typical activity for a device and user, and then be used to generate a threat score which gauges how ‘normal’ a certain behaviour is for a specific device.
One of the machine learning-based techniques that can be used for this is known as ‘collaborative profiling’, a process which learns behaviour archetypes and represents each customer’s activity as a mixture of these archetypes, with the ability to track changes in real time. Abnormal behaviour would trigger a preventative intervention – for example, locking down the device until the user’s identity can be verified beyond doubt.
Banking is one area in which this technique is already being applied in some instances. Customers form habits, and by looking at their transactional history the bank can learn their frequent behaviours. Generally, customers use the same devices, go to the same types of online merchants and transfer money to the same types of beneficiaries. These recurrences are analysed to define what normal behaviour looks like for that particular customer. This behaviour profiling process happens in the background, without interrupting their activity.
By applying behavioural profiling techniques to determine ‘normal’ behaviour for a consumer using their mobile phone or other device, banks would be able to detect and prevent cases of fraud – even in cases where biometric information has been compromised.
PSD2 and biometrics
Despite the concerns about biometrics, it’s about to be given a boost by the regulators. From September this year, PSD2 requires Payment Service Providers (PSPs) to secure more transactions with Strong Customer Authentication. This means using two out of three possible factors, with the third — inherence — being biometric in nature.
The good news here is that biometrics isn’t operating alone. The industry should use this as a cue to layer both high-friction (biometrics, passwords) and low-friction (behavioural profiling) approaches.
To be clear, biometrics as a security control measure are here to stay. There are a lot of reasons – many outlined here – why they are desirable, including convenience. But the honeymoon will undoubtedly be short-lived. As the migration towards biometrics as the miracle cure for authentication security continues, there will be incidents of compromise where the risks are exposed and the shine will wear away. Hopefully these incidents will not prove catastrophic for too many users.
Doug Clare, Head of Cybersecurity Solutions, FICO
Image Credit: Zapp2Photo / Shutterstock