Can you bank on Biometrics?
As the custodians of customers’ most sensitive data, banks are trusted to provide the gold standard in data security. However, year after year, identity theft and fraud have cost both banks and consumers billions of dollars.
Identity verification and authentication are critical issues for banks. Confirming that a person is who they claim to be is usually based on one of three things: something the person knows, such as a password; something the person possesses, such as a key or a token; or something about the person’s appearance or behaviour.
Traditionally, most banks have used a multi-factor authentication process using a combination of passwords, personal identification numbers (PINs), smart cards/tokens or security questions. But as criminals become more sophisticated, is it good enough? Probably not. Over the years many issues with password-linked authentication have surfaced. First, humans tend to create passwords and PINs that are easily remembered, using information that’s readily accessible to all: things such as birth dates and the names of spouses, children or pets. These things are now part of the digital footprint that people create on social media and online, and this makes them vulnerable to hacking. Secondly, as the world becomes increasingly digital, the number of passwords people need to manage is becoming a serious problem. This in turn leads to other issues like static passwords or duplicate passwords across multiple accounts. A recent survey revealed that 81% of people use the same password for multiple accounts, with that number being even higher, at 92%, for millennials.
As hackers become more sophisticated and hacks get more complex, the banks’ standard response is to introduce more complex passwords (longer, more characters, changing more frequently), and all this takes a toll on the customer experience. If a bank has a great mobile app but the authentication is cumbersome or frustrating, it won’t be able to drive adoption.
So how do banks manage the delicate balance between security and customer experience?
This is where biometrics can help. While lots of definitions exist, biometric authentication uses identifiers such as physiological characteristics (fingerprint, face recognition, DNA, palm print, hand geometry, iris recognition, retina) and behavioral characteristics (typing rhythm, body movement, and voice). It is an effective personal identifier because it is unique to each person and, because it is embodied in that person, it cannot be forgotten, lost or stolen like other conventional identification methods. Biometric technologies therefore have the potential to help make the financial services experience more convenient while maintaining security for consumers and financial institutions, and ultimately to deliver a better customer experience. Replacing passwords with fingerprints, for example, can simplify the login process for online and mobile banking. Verifying identity on a real-time basis through face recognition could help digitize the lending process by automating KYC for customer onboarding.
Biometrics is not new; government agencies have been using it for many years. So why is it suddenly making waves?
Recent advancements in recognition technology and artificial intelligence, coupled with increases in digital storage capacity and computer processing speed, have made biometric technology practical in many more applications. The introduction of Touch ID on the Apple iPhone in 2013 was a pivotal moment. Consumers could suddenly use their thumb or fingerprint as an identity verification tool instead of a passcode. The next step was mass adoption of voice interaction and recognition, with millions of people asking questions of Alexa, Siri or Google every day. Alexa now has a range of banking “skills” where you can check your account balance, make a payment or track spending at several major banks.
With the recent launch of Apple’s iPhone X, large-scale adoption of facial recognition technology seems to be imminent. Over 100 million of these devices are expected to ship in the next 12 months, and a key part of their security is Apple’s new Face ID. With so many people using this technology to unlock their phones every time they use them, it will only be a matter of time before financial institutions adopt facial recognition technology much as they did with Touch ID.
Some banks and lenders have already taken the lead in using biometrics. USAA, one of the first financial institutions to adopt biometrics, already offers three variations of biometric authentication in its mobile app. With 2 million users already using it, it is one of the first big success stories coming out of the mobile biometrics revolution. In India, ‘Aadhaar’, which is already the world’s largest biometric database, was rolled out to allow more effective delivery of targeted government programs and is now helping to digitize financial transactions. Many banks and financial institutions have now linked their credit systems to Aadhaar to speed up finance and digital inclusion of the unbanked population. Xiaohua, which operates a virtual bank in China and grants loans and offers payments by installments through a mobile app, deploys Face ID for user authentication. Users scan their face using the app to get approved for loans and to ensure that nobody can authorize actions in the app if their phone is lost or stolen. Another Chinese lender, An Puhui, has developed a digitized loan process that can analyse the facial expressions of applicants to determine their willingness to repay the loans.
So is biometrics the silver bullet for the “security vs convenience” conundrum of banks?
While the prospects look promising, it may be too early to give a verdict. We are still in the early stages of the adoption of biometrics in banking. Whilst biometrics is a huge leap in countering fraud and identity theft, at the heart of it is still a technological application with the potential to be hacked. A few concerns have already been raised. For example, biometrics are not definitive but rather ‘probabilistic’ in nature, which means that algorithms calculate the probability that the biometric being presented is a match with the one on record for the user; hence there could be chances of error. Also, unlike passwords, biometrics can be affected by environmental conditions: if you’re in a crowded area, for example, you may not achieve optimum success with voice recognition, or if you’re in a dark room, facial recognition may be affected by shadows. Many users may also feel vulnerable exposing such unique aspects of themselves, with no guarantee of how the data could be used or potentially abused in the future. Another aspect is the absence of industry standards to determine how applications interface with various technologies.
The reality is that as biometric technology is built into our mobile devices, it is bound to become pervasive. However, until the technology achieves widespread adoption and rigorous testing, it may be better for banks to look at combining what customers know and have with what they do (behavioral biometrics), and to offer them a choice of acceptable authentication options.
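The ‘probabilistic’ matching and the multi-factor fallback discussed above can be made concrete with a short added example (not from the original article): it computes the false accept rate (FAR) and false reject rate (FRR) at several thresholds and routes borderline scores to a second factor. The similarity scores are constructed for illustration, and the function names are hypothetical rather than taken from any real matcher.

```python
# Constructed similarity scores in [0, 1]; not output from any real matcher.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.62, 0.90, 0.86, 0.73, 0.93]   # account owner
IMPOSTOR = [0.12, 0.35, 0.28, 0.51, 0.44, 0.19, 0.66, 0.31, 0.23, 0.40]  # someone else


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)     # owners locked out
    return far, frr


def lowest_threshold_for_far(max_far, candidates):
    """Lowest candidate threshold whose FAR is within max_far (least user friction)."""
    for t in sorted(candidates):
        if error_rates(t)[0] <= max_far:
            return t
    return None  # no candidate is strict enough


def decide(score, accept_at, reject_below):
    """Three-way decision: a borderline score asks for a second factor."""
    if score >= accept_at:
        return "accept"
    if score < reject_below:
        return "reject"
    return "step_up"  # fall back to something the customer knows or has


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7, 0.8, 0.9):
        far, frr = error_rates(t)
        print(f"threshold={t:.1f}  FAR={far:.0%}  FRR={frr:.0%}")
    t = lowest_threshold_for_far(0.0, (0.5, 0.6, 0.7, 0.8, 0.9))
    print("strictest-needed threshold:", t)
    # The owner's poor capture (0.62, e.g. a dark room) steps up instead of failing.
    print(decide(0.62, accept_at=t, reject_below=0.5))
```

Raising the threshold drives FAR down and FRR up, which is the security-versus-convenience trade-off in numeric form; the step-up band keeps a noisy capture from becoming either a lockout or a silent accept.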