What determines the success or failure of biometric rollouts?
Now its time to turn our attention the realities of using biometrics, and the attention to detail that will make this approach work, or not.
Trust is a critical factor that often doesn’t get the attention it deserves. In a recent global survey by FIS, security and the protection of one’s identity ranked highest in customer concerns and demands. With the spate of recent hackings, data losses and intelligence agency scandals, the general public has as good a reason to be cautious about giving up their biometric data. Organisations collecting this data need to be transparent about how the data will be used, and provide adequate assurances that user data will be held securely and not made available to third parties without permission. They also need to make registration as easy as possible, and highlight the security advantages of the new technology in order to encourage people to register.
In Banks we Trust?
Unfortunately due to comfort levels around providing biometrics to a third party, multi-factor authentication will be the intermediary step that banks may need to go through to make customers comfortable. Hopefully the extensive use of biometrics by governments should increase the general public’s comfort with using biometrics and sharing their data with large corporations. For the time being however, pins and passwords, as well as our biometric identification, will probably have to run in parallel. The quicker financial institutions get to an authentication that is strong, reliable and individual – such as biometrics – the quicker they can marry increased security with a better customer experience – something the banking industry has struggled with traditionally.
The Need for Speed
For a biometric authentication system to have any hope of mass adoption, it has to be as easy – if not easier – than typing in a username and password. Fingerprint recognition by phone is a great example of quick and easy authentication, but not all biometric methods compare. Current facial recognition methods can take up to 10 seconds to scan facial features and decide if authentication is permissible. Although that seems like a reasonable amount of time, it’s just too slow. In that time, the customers could have typed in a username and password. And they will.
Better at Biometrics than Banks? Enter New Entrants
An alternative approach to creating a seamless biometric authentication process is to take the onus away from banks to create the authentication systems altogether. Banks and other organisations can leverage third party applications to quickly create secure biometric authentication systems. For users, they can be quick to set up (customers only need to enroll once), they’re easy to use, and biometric data is only stored in one place rather than with several different handlers.
There are already many third party products out there, such as 1U by Hoyas Labs*, which can authenticate users for any website using fingerprint and facial recognition. Consumers can already use 1U to access e-mail, Amazon, American Express and other online accounts using a combination of fingerprint and “live” facial recognition. From a security perspective, it’s quite impressive for a third party new entrant. Not only does it register facial recognition, it also allows an additional layer of security by asking the user to perform random facial expressions that haven’t been pre-determined, as well as couple it with a secret facial expression that only that user knows. Cool tricks!
On the Biometrics Horizon
An extremely interesting new solution is the Nymi Band* which uniquely authenticates an individual based on their Electrocardiogram (ECG). This is essentially the user’s heartbeat “signature” which is unique to each individual. The device takes the form of a wristband so authentication is seamless and the same device can authenticate a user for multiple services. Halifax UK and the Royal Bank of Scotland are already piloting this technology. Also on the horizon is finger vein recognition. This technology uses infrared sensors to scan the pattern of the veins beneath the user’s fingertip – again; these are unique to every individual and unlike fingerprints, cannot be easily replicated.
In the future, phone screens will be embedded with fingerprint scanners and devices will authenticate users using face, voice and ECG recognition together before ever launching a banking app. It’ll be a seamless and foolproof process that’ll make it impossible for fraudsters to impersonate or steal identities. Customers should look forward to this future. The banks, however, have a lot of work to do to keep the bad guys out of their biometrics!