I recently attended the Biometrics in Banking & Financial Services conference where Samsung SDS moderated a panel, “Building a Case for the C-Suite”. It was an intimate event of about 50 banking technologists and providers focused on the state of biometrics in this industry.
Richard Lobovsky, Samsung SDS’s VP of Enterprise Solutions, moderated an engaging discussion with panelists Dave Johnson, VP/Security R&D at U.S. Bank; Carin Oswald, Product Manager at Chevron Credit Union; Brett McDowell, Executive Director of the FIDO Alliance; and Raja Bose, VP Global Advisory Services at Diebold.
Here are a few interesting takeaways from discussing this hot topic:
Biometrics are here to stay
Demand is out there but consumers can’t always articulate what they need. It’s up to solution providers and financial services technologists to bring the best solutions to market for consumers and employees based on their pain points and needs.
Passwords are dirty words
Banks are moving away from traditional passwords and PINs for many reasons. The most important include:
- High user frustration over forgotten or lost credentials
- How easily passwords and PINs can be hacked or stolen
Biometric authentication offers an enticing alternative to passwords for much of the population because it provides a simple, intuitive, and convenient user experience and a more secure way for users to authenticate. Also, if the process is designed suitably (think FIDO standards), biometric templates aren’t as easily stolen.
Not all biometrics are created equal
There’s a new approach to modern user authentication, Fast IDentity Online (FIDO) standards, which is based on public/private key cryptography. With FIDO, the biometric template and private key are securely encrypted and never leave the device, so they can’t be intercepted or hacked on a server. Even if you lose your device, the biometric information on the device cannot be used to access the application because you can de-provision the public key the application has on file. This is very different from the old approach to authentication where the biometric template also resides on the server—an attractive repository of confidential information for hackers.
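The sketch below is an added example, not code from the FIDO Alliance or any vendor named in this post. It models the split described above: the server holds only a public key, the device signs a fresh challenge, and removing the public key locks out a lost device. The `Server` type, the `Login` helper and the user "alice" are hypothetical, Ed25519 is chosen for brevity, and the real FIDO message formats are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server stands in for the bank: per user, one public key and one pending challenge.
type Server struct {
	pub     map[string]ed25519.PublicKey
	pending map[string][]byte
}

// Challenge issues a fresh random value for the device to sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify accepts one signature per challenge, and only while a public key is on file.
func (s *Server) Verify(user string, sig []byte) bool {
	c, issued := s.pending[user]
	delete(s.pending, user)
	pub, onFile := s.pub[user]
	return issued && onFile && ed25519.Verify(pub, c, sig)
}

// Login runs one exchange; signing happens on the device (biometric match not modelled).
func Login(s *Server, user string, priv ed25519.PrivateKey) bool {
	c, err := s.Challenge(user)
	return err == nil && s.Verify(user, ed25519.Sign(priv, c))
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // key pair is created on the device
	if err != nil {
		panic(err)
	}
	s := &Server{pub: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
	s.pub["alice"] = pub // registration: only the public half is sent
	fmt.Println("login:", Login(s, "alice", priv))
	delete(s.pub, "alice") // device reported lost: de-provision the public key
	fmt.Println("login after de-provisioning:", Login(s, "alice", priv))
}
```

Nothing the server stores can be used to sign a challenge, which is why a breach of that store does not yield reusable credentials.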
No one type of biometric is a silver bullet
No biometric modality is unimpeachable, and each has its advantages and disadvantages. Multi-factor authentication is the key. This means combining modalities—for example, fingerprint combined with facial or eye vein. A combination of methods will ensure a higher level of security.
Fingerprint is the most popular modality today because the sensors are already on the device. However, many interesting modalities are on the horizon
If you need to move fast, scanning a finger still makes a lot of sense. But even with fingerprint, sensors are advancing to perform “liveness detection”, that is, to measure blood flow under the skin’s surface. Going below the skin’s surface is a popular emerging area, with palm/eye/finger vein and heartbeat recognition as a unique way to prove you are an actual human being.
Some modalities are harder to spoof—for example, iris recognition, which is still widely considered the most accurate. Chances are this mode will be the next popularized on the smartphone.
The combination of modalities will make consumer biometrics even more exciting
Today’s mobile devices have the capability to offer strong authentication, and manufacturers will begin shipping more consumer-facing biometric options as standard fare. It will be really exciting when integration with wearables and virtual reality systems becomes more pervasive. Imagine having the capability to measure a heartbeat that then syncs to your phone or laptop to authenticate passively—authentication becomes seamless and unobtrusive.
Eat your own dog food
The proliferation of different types of biometrics—for example, face, voice, iris, and palm vein—can seem intimidating for some customers. A great way to get your customers comfortable with a new application is to adopt it internally with employees first. This way, employees will evangelize and teach their customers with greater ease. Biometric authentication is easily integrated into many common employee workflows where an extra layer of security is needed to access sensitive information.
We are on the precipice of exciting change and I, for one, am looking forward to not having to remember all those password/PIN combinations when conducting my online banking!