Biometric applications for financial services have emerged as the darling of venture capitalists. Business journals are filled with reports about banks, such as the giant Oversea-Chinese Banking Corporation (OCBC bank), adopting biometric applications that allow it clients to access their accounts on their mobile devices. When biometric development companies, such as EyeVerify and Nymi secure funding, financial magazines pay attention.
Considering the use of biometrics by financial services is expected to top $8 billion by the year 2020, investor interest is understandable. Up until recently biometrics were applied to law enforcement, military, and other niche security applications. Why is banking jumping on the biometric bandwagon?
Follow the fear
There is a growing perception that traditional methods of securing information (such as passwords) have become increasingly unreliable and vulnerable. Just look at a few recent headlines:
In 2014 alone, NASDAQ estimates that 700 breaches exposed an estimated 81.5 million consumer records.
Highly-publicized hacks include Home Depot, Target, and even the personal financial information of the First Lady, Michelle Obama.
In addition, the growth of mobile devices has created a demand for password alternatives. People want to conduct financial transactions on their telephone, but they do not want to input account numbers and complex passwords on small mobile screens. Biometric authentication is not only seen as more secure than passwords, but also more convenient.
What is biometrics?
Biometrics technologies identify a person through physical characteristics. Fingerprints are perhaps the most well-known. Other biometric technologies include iris & retinal scans, heart rhythms, facial & voice recognition, and palm vein identification. Their permanence, convenience, and uniqueness are considered advantageous over conventional passwords.
Biometric applications occupy several broad categories:
Enrollment – Entering a person’s physical characteristic and identity into a database. Enrollment is the first experience anyone has with a biometric application. When a person is arrested, they are enrolled, i.e. their fingerprints are inputted into a police database. Enrollment overlaps with registration, which is a process that involves your identity claims. If I enter my fingerprints into a database, while claiming to be Joe Smith, but I am really John Doe, I have successfully enrolled, but have fraudulently registered. Enrollment applications can be very technologically demanding. The quality of digital information entered into national databases is highly regulated, and can be difficult to achieve.
Verification (AKA matching) – Are you who you say you are? This is by far the most common use for biometric technologies. Every time someone checks the photograph on your driver’s license, they are verifying your identity by comparing it to a physical characteristic. A closely related application is authentication, which determines if you are authorized for access, i.e. not only you are really John Smith as you claim, but you also are entitled to enter the building. Most biometric applications focus on verification, since it is the one most in demand, and the technologically easiest to create.
Identification – Who are you? If you are arrested, and refuse to identify yourself, a police officer can try to find out your name by running your fingerprints through a database. Unlike the verification process, identification doesn’t deal with any claims about identity; it simply establishes identity through a physical characteristic alone. This is a technologically more demanding process than simple verification.
There no standard, universally accepted classification scheme for biometric applications. Even terms can have different meanings (you will notice that sometimes in this article, I use the same word to mean slightly different things). However, the categorizations as defined above are useful in that they communicate broadly the different technologies and needs that are in demand today.
The adoption of biometric applications by financial services has been driven by the assumption that they are more secure than passwords. There is reason to doubt this.
Passwords, despite their bad reputation, actually work fairly well. In spite of alarming headlines, the vast majority of people do not experience hacks, or at least ones with severe consequences. This is especially true if they take some commonsense precautions, such as separate passwords for important financial accounts, and frequent changes in passwords.
Biometric technology, like passwords, can be hacked. For years, experts have warned about criminals using gelatin “sleeves” to “spoof” fingerprints. Of course, countermeasures can be implemented, but then criminals will work hard to defeat them, which lead to different countermeasures, and so on. Pretty soon, the back-and-forth war of biometric technologies begins to look like the current state of passwords, in which criminals and security experts are involved in a constant battle.
The presence of fingerprint sensors on the iPhone 6 and other popular mobile devices has increased the attractiveness of biometric authentication to financial services. Why not exploit the hardware that many of their customers already have? Of course, the very popularity of these sensors increases their value as targets for criminals.
In addition to fraud, another problem with biometrics is the human body itself. For example, fingerprints can be “rubbed away” by hard physical labor or aging. A bank servicing farmers or an elderly population will have to consider this before mandating fingerprint authentication for accessing financial services.
I am not downplaying the importance of biometrics as an emerging technology. I am simply stating that financial services should adopt them cautiously and be aware that they are not without their problems.
I believe that biometric technology will be used in the financial sector primarily in combination with passwords. Two forms of independent authentication will enable the greatest security.
Since many biometric firms focus their efforts on the “low-hanging fruit” of verification, their potential customers in the financial services are often uninformed about the technological challenges of enrollment.
This is especially important for in-house security. Already, in some banks, officers can only make important transactions after they verify their identity with a biometric authentication. Obviously, when a new employee is hired, enrollment into the bank’s database must happen. For this, the bank will need its own enrollment equipment.
Biometric enrollment equipment need not be cumbersome or difficult to use, but they should be sturdy. Enrollment is often performed by various employees with different levels of skill, not to mention clumsiness. Some commercial biometric devices are fragile, and subject to frequent breakdowns, which can lead to costly delays. It actually makes economic sense for the bank to invest in ruggedized devices that may cost more, but are far more reliable.
Enrollment creates unique demands on biometric devices. The quality of any given device captures varies greatly and could be critical to their utility.
Biometric information is stored in Electronic Fingerprint Templates (EFT) or Electronic Biometric Templates (EBT). To access national databases EFTs/EBTs need to conform to strict criteria. Currently, the Automated Biometric Identification System (ABIS) and the Integrated Automated Fingerprint Identification System (IAFIS) demand that EFTs/EBTs match the latest Fingerprint Acquisition Profile (FAP) (the current highest standard being FAP 45). A financial service that wishes to authenticate the identity of its employees or clients would be wise to use enrollment devices that generate FAP 45 quality files.
Solve a security problem by creating a larger one
Although biometric spoofing is a common criminal practice, I am unaware of anyone using a digital biometric file to commit fraud. However, it doesn’t take a lot of imagination to envision a stolen EFT/EBT being used to fake an authentication. One day we will see news banners declaring a high-profile hack has pilfered “millions of fingerprints.”
Consequently, biometric applications will force financial services to take stricter security measures, not more relaxed ones. As one skeptic of biometric authentication remarked, a person can change their password, but not their fingerprints. Consumers will want the greatest assurances from banks that their biometric information is safe.
All’s well that ends Orwell
Consumers will need other kinds of assurances as well. There is something a little Orwellian about large institution having intimate information about your physical characteristics.
Any financial service using biometric applications will need to be proactive in assuring their clients. Privacy policies must be public and displayed prominently. Clients should be informed that biometric information will only be used for identification purposes and will not be shared with any third party.
The good news is that, for the most part, consumers have shown little fear of most biometric applications and appreciate their convenience.
The enthusiasm venture capitalists have shown for biometric banking applications is well-founded, but there are unknowns. For example:
Will passwords be replaced or merely supplemented?
Will facial or voice recognition ever be as robust or support an infrastructure as developed as fingerprints?
Will the future demand multimodal or single mode biometrics?
Pioneers who develop and adopt biometric technologies dream their applications will be gold mines. If they guess wrong or lack caution, their gold mine may turn into a money pit.
To learn more about AMREL’s Biometric Solutions, click here.