In the bio(metrics) sphere – new authentication technology


7 December 2016


Biometrics can provide security and convenience for customers, two often uneasy bedfellows, but what are the implications for privacy when using this form of authentication? Abi Millar speaks to Kevin Nevias, director of the group information security office at UBS, as he explains what the future for banking biometrics may hold.


For the typical banking user, security and convenience don’t always go hand in hand. On one hand, few would begrudge their bank’s tight security measures, accepting that this is simply what it takes to mitigate the risk of fraud.

On the other hand, it can make life more complicated. Take two-factor authentication, which typically requires something they know (a password, for example) plus something they have (say, a security token). Should they forget their password, or misplace their security token, they risk being locked out of their account. The situation is clearly less than optimal, and it gives rise to a question – is heightened security necessarily detrimental to the customer experience? And if not, might there be a way to enhance both at once?

According to various industry pioneers, we already have an answer to that question. In June 2016, a piece in the New York Times claimed “the banking password may be about to expire – forever”, contending that strings of letters and numbers would soon give way to fingerprinting and eyeball scanning. Biometrics, it said, is no longer the stuff of science fiction but has become “sufficiently accurate and cost-effective to use in a big way”.

Certainly, technologies of this kind are becoming a more ingrained part of people’s lives. In 2013, Apple introduced the iOS Touch ID, which allowed users to deploy a fingerprint rather than a passcode for certain functions. The feature is now available across multiple Apple devices, and many other smartphone manufacturers have introduced similar features of their own. For many people, the idea of scanning their thumb to unlock their phone, or even to authenticate Apple Pay, has become second nature.

However, rather than signalling a bold new dawn in biometric technology, Touch ID remains relatively unusual; one of very few situations in everyday life in which biometrics is used in place of a password.

If anything, biometrics is notable for its limited permeation within banking. While several large banks have recently introduced fingerprint sign-in capabilities (Bank America and JPMorgan Chase being two notable examples), as of the start of 2016 only about 10% of financial institutions offered any type of biometric authentication.

 

What is more, customer interest may be lagging some way behind technological readiness. When Gartner conducted its 2015 digital banking survey, it found that many consumers were not even aware their bank offered Apple Touch ID.

“There were also many consumers who were happy to do the extra step, and type in a username and password because it felt more secure to them. So even with the base stuff, like Touch ID, it’s certainly gaining momentum, but still has a long way to go,” Alistair Newton, an analyst at Gartner, said in early 2016.

Don’t let fear win

According to Kevin Nevias, director of the group information security office at UBS, we really are seeing a newfound surge of interest in biometrics, fuelled predominantly by banks’ fear of fraud. In recent years, there have been various well-documented ‘cyberheists’, with hackers stealing as much as $45 million from ATMs. Banks are drawn to the extra layer of authentication that biometric technologies provide.

Customers, however, may remain hesitant for several reasons. They might be concerned about the overall security provided by biometric systems, and unsure whether they trust the system to protect their information and their money. Some are worried that they will be impersonated or that their biometric data will be stolen.

“We have all heard stories of how less-mature finger scanners can be fooled with a print made on gelatin or a gummy bear and how facial scanners could be fooled with a picture,” says Nevias. “Mature and well-tested solutions are much less likely to be vulnerable to this type of attack, and combining multiple factors also substantially reduces this risk. The benefits and limitations of biometrics need to be communicated to consumers.”

So what kind of potential does banking biometrics truly hold – is it really a straightforward means to safeguard customer data? Or are retail banking users right to be cautious about leaving the password behind?

For those in the industry, the superiority of biometric technologies is not a controversial proposition. While two-factor authentication does provide a high level of security, biometrics goes one step further, binding system access to a given person. After all, you may be able to steal somebody’s debit card and PIN, but you can’t very easily steal the pattern on their retina.

However, when discussing biometrics, it is important to be clear about what you mean. According to Nevias, it is important to differentiate between on-device storage of biometric data (such as iOS Touch ID), and off-device biometric systems (such as fingerprint scanning at ATMs).

With the former, the data is stored in the device only, which poses few privacy concerns but does tie the authentication to that device. With the latter, it is stored and controlled centrally by a financial institution or government agency, which removes these limitations but raises questions about whether the data is secure.

“A perfect biometric method doesn’t exist, and the reason that we have so many different biometric methods in use is that each method has its pros and cons,” says Nevias. “When looking at a biometric method, we need to consider the accuracy, the social acceptability, the implementation costs, performance and several other factors.”

Look me in the eye

He points out that the most accurate technologies are not always the most cost-effective or acceptable to users. Retina scans, for instance, have a very low false-acceptance or rejection rate, but they require specialised equipment. Facial recognition, meanwhile, is much cheaper but also much less accurate. These methods also require the use of additional technology to ensure that a human being is being authenticated as opposed to a picture or video.

Mature and well-tested solutions are much less likely to be vulnerable to attack, and combining multiple factors also substantially reduces this risk. The benefits and limitations of biometrics need to be communicated to consumers.

“The highest level of security and user acceptance can be achieved by having a multimodal biometric system that can use more than one method of biometrics,” he says. “A system that uses a combination of voice recognition, facial recognition, iris scanning and fingerprints could potentially achieve a very high level of security and user acceptance. The challenge to implementing this type of system lies in the high implementation costs, including the enrolment process, and ensuring that all of the user biometric data is properly secured and that privacy concerns are addressed.”

One way round this conundrum might be to require different levels of biometric authentication for different transactions.

“The ideal biometric system would use multiple physical and behavioural characteristics to derive a level of trust score for an individual,” Nevias says. “A retina scan might generate a score of 100, while a facial scan might generate a score of 50 and signature biometrics might generate a score of 30. A large financial transaction might require a trust score of 100, while getting an account balance or finding out if a cheque has cleared may only require a score of 40.”

In the long term, he feels the typical customer experience could change drastically. Suppose a person wanted to open a new bank account. Following the normal identity checks (utilities bills and passport, for example), they might be taken to a private area to have their fingerprints, face and iris scanned, as well as having their voice and signature captured.

“Once all of this data is captured, the user could in theory perform any banking function with just their biometric data, and the possibility of fraud would be extremely low,” says Nevias. “Obviously, all of this assumes that the security and privacy issues around storing the data are properly addressed.”

Time to address concerns

It is difficult to say to what extent privacy might pose a concern. Nevias feels that the data’s integrity and availability is generally more important than its confidentiality – in essence, you would need to make sure it can’t be changed or destroyed.

He envisages a time when we will have a limited number of centralised data stores that hold an individual’s biometric data and can be used by multiple authorised organisations. A person would only have to enrol once, rather than going through a separate and distinct enrolment process every time.

“I would argue that having all of this data stored in one place actually reduces the risk rather than having the data spread across many different organisations,” he says.

This kind of scenario, however, is some way in the future. He feels that, realistically, it will be several years before biometrics becomes the primary method to safeguard accounts, and that even where biometric authentication is supported, additional passwords may still be required. What is more, while mobile devices are becoming better equipped with biometric capabilities, the same does not apply to desktop computers or ATMs. 

For biometrics to become more common, banks will need to be able to justify the cost of implementation, while standards and regulations will need to further evolve. Meanwhile, more work needs to be done to convince consumers that these methods are secure.

All this said, Nevias does feel that the adoption rate will increase in future and the next few years are likely to prove an interesting ride.

“The devices that we have today are vastly different than the devices that we had ten years ago, and nobody knows what the market will look like ten years from now,” he says. “It is possible that many devices will no longer have finger scanners or cameras, and they may have other biometric capabilities that we aren’t even thinking about today.”

A balance needs to be found between the level of information required for a customer to access their own financial information, whether that be biometrics or hard data.