High-profile names in retail banking like Barclays and HSBC have already adopted biometric authentication in some form. So, how comfortable are you with banks using biometrics to confirm your identity? In Great Britain, they seem pretty comfortable. According to research from Visa, British consumers are nearly twice as likely to trust banks (60 percent) to store and keep their biometric information safe than they are to trust government agencies (33 percent).
When asked whom they would trust to offer biometrics authentication as a service to confirm identity, the largest percentage selected banks (85 percent) and payment networks (81 percent) ahead of global online brands (70 percent), and smartphone companies (64 percent). This level of trust has grown significantly in the past two years, up by 20 percent since 2014, when the Visa Biometric Payments study was first conducted.
Fingerprint authentication is viewed by survey respondents as the most secure form of payment (88 percent), ranking higher than other biometric authentication options such as iris-scanning (83 percent) and facial recognition (65 percent). The growth in fingerprint authentication for mobile payments is bringing to life the benefits of biometric authentication. This is why 80 percent of the people surveyed said they were the most comfortable with fingerprint recognition.
Since many banks and lenders are now using the latest biometric technology to give customers a more convenient way to check their account balance or make payments, how safe is it? A cyber security expert from consultancy NCC recently provided a demonstration to the Financial Times for how simple it is to hack into a smartphone’s biometric authentication software. Matt Lewis, NCC research director, showed how to make a copy of his own fingerprint using wood glue, candle wax and a printed circuit board that allowed a Financial Times correspondent to hack into his smartphone. Mr. Lewis also tricked voice-recognition software by playing back recordings of his own voice and produced a 3D-printed mask of his face based on photos of himself, which was then worn by the Financial Times correspondent to hack into his phone.
While you cannot forget your voice or face — making them a simpler way to verify your identity — they are also much harder to change than your password if they are ever stolen by cybercriminals. This means that if biometrics become the dominant form of authentication it is likely to be much more damaging if the systems are hacked.
“Unlike passwords, physical biometrics can’t be changed. It’s the lasting and permanent nature of physical biometric data that may have more negative impacts than passwords since, as in the OPM [Office of Personnel Management] Breach, once these have been released into the wild, they pose a risk for the lifetime of the victim who can do nothing to change this core data,” cautioned Robert Capps of NuData Security in an interview with The Register.
Ultimately, making mobile banking truly convenient while reassuringly secure is likely to rely on even more sophisticated systems that use hundreds of different data points — from how fast we type to where we are — to build up a unique profile that can be used to recognize us automatically whenever we use our phone. These behavioral biometric systems are already being piloted by several banks and have the advantage of being much harder to fake while also not being usable across multiple accounts of the same person. Consequently, identity authentication used by banks in the next several years is likely to go well beyond fingerprint-based biometrics. Given what’s at stake, it should.
Selfie Pay Augments Credit Card Biometrics
Ryan Lahti is the founder and managing principal of OrgLeader, LLC. Stay up to date on Ryan’s STEM-based organization tweets here: @ryanlahti
(Photo: Binary Digital, PublicDomainPictures.net)