The prevalence of digital banking and remote banking via call centers requires new and convenient ways to authenticate customer identity. Even though bank customers agree with the need for security, they do not want to undergo excessive authentication before they can accomplish the simplest transactions in their own account.
Yet it is absolutely essential for banks to verify customer identity before allowing access or transactions to occur over the phone, website, mobile app or ATM. The traditional PIN and password have proven unreliable safeguards to account privacy and integrity. Customers frequently forget them, while cybercriminals are able to obtain customer credentials through phishing and social engineering scams. Banks and their customers lose millions every year to identity theft and fraud.
To assure the highest level of authentication security possible, many banks are leveraging biometric technology. Biometrics offer many advantages to both the financial institution and the consumer, including:
- lower operational costs
- no need for complex passwords and PINs
- no need for duplicate authentication processes
- no ability to exploit stolen information obtained from a malicious data breach
This last point is significant. Even if cybercriminals manage to phish your personal credentials or obtain them in a data breach, they are of little or no value because authentication now depends on your unique voice or fingerprint or face.
Consumers also benefit from biometrics in banking. They no longer have to remember multiple passwords (or keep a handy list tucked away somewhere in case they forget). Just one biometric authenticator – their voiceprint for example – can work with any device, making it much easier to access and manage their account.
Critical Considerations for Biometrics in Banking
Before running to introduce biometrics, banks should assess the different types of biometrics that are available, and how their customer community might react to the technology. Enrollment is a key and often underestimated parameter for successful implementation. If most customers resist enrollment or don’t feel comfortable using biometric-based authentication, then the investment in the new technology is for naught. It’s critical to choose a technology that is easy for customers to accept and use.
Another important consideration is the False-Negative rate of the technology. Customers will not trust a system that fails to recognize a biometric that they have no power to change. Once your authentication system relies on a biometric identifier, it must recognize it every time or the bank risks alienating its customers.
Likewise, False-Positives can be avoided with technologies that include “liveness” detection of the biometric. Does the system need to see your face on a live video cam, or is a picture enough? Does your voice recognition technology prefer scripted phrases, such as “this is Jane Doe” or can users say anything they want? Liveness simulates being there in person and it hinders spoofing (which has been known to happen).
Different Types of Biometrics in Banking
Biometrics uses distinctive and measurable human characteristics that uniquely identify an individual. Popular biometric identifiers are fingerprints, palm veins, iris, retina, face, and voice. Let’s take a quick look and the pros and cons of each.
Fingerprint recognition: Now that mobile apps can scan and digitize a fingerprint in seconds, there is much less resistance to fingerprinting. This biometric is one of the most popular authentication methods used in mobile banking, as well as branch banking, where compact and easy-to-use equipment has a track record for fast and accurate authentication.
Finger or palm vein recognition: Identifies the unique pattern of veins in a person’s finger or palm. Enrollment usually requires a personal visit to scan the palm and enroll the customer. The authentication equipment is bigger and lends itself to branch or ATM installation rather than mobile use.
Voice recognition: Identifies the unique characteristics of each person’s voice. The ongoing popularity of the call center has made this biometric one of the most widely used in the banking industry. It is suitable for any device, and it has the advantage of supporting passive enrollment, which captures the voiceprint from regular phone conversations and does not require customers to use scripted phrases or spend time creating a voiceprint. Voice biometrics are applicable to just about any situation. Users don’t need to remember a cryptic PIN or password; no special equipment is needed; and location doesn’t matter. From the consumer perspective, it strikes a very good balance between convenience and security.
Face recognition: Employs computer algorithms and 3D sensors to recognize a face by measuring the relative position, shape and size of eyes, nose, cheeks, jaw and more. While this modality is picking up steam, the technologies that enable its implementation are not universal. For example, iPhone X is using Apple’s Face ID system to log into the mobile apps of some big banks, but not everyone has an iPhone. One disadvantage is the technology is sensitive to changes caused by lighting, glasses, hair, facial surgery, etc., which can result in too many authentication errors.
Iris recognition – Scans the complex color and line patterns in the iris. Iris scanners are now available on mobile phones and can be easily installed at ATMs and other stationary sites. Iris scanning is a “live” detection technology so it cannot be spoofed. For example, newer cash machines and ATMs require the user’s debit card and also an iris scan before allowing the transaction to be completed.
Retinal scanning: Identifies the patter of blood vessels in the retina. It requires special lighting and scanners to see the retina; is quite expensive; and is not really suitable for customer authentication. Perhaps for entry into the bank vault?
Behavioral biometrics is a new frontier in which big data and machine learning technologies analyze a rich mix of personal behavior and device characteristics to create of a unique profile for each customer. This innovative approach recognizes user patterns such as how keystrokes are made on a phone or tablet, or how a mouse is used. IP addresses and geo-location indicators are also added to the profile analysis. As a result, it’s easier to distinguish fraudsters. Transactions that deviate significantly from the profile can request further authentication or be denied.
Biometrics in Banking: What could go wrong?
Biometric data is the most personal and private data that anyone has. There is no room for error in protecting this customer data, and preventing it from becoming compromised or lost. You can’t change your voice or your iris the way you can change a PIN or a password. Imagine the conundrum that would ensue if a legitimate customer uses a branch office in a different city to conduct a large transaction, but the face recognition technology cannot authenticate the customer. After several failed attempts, a very angry customer and manager intervention, the teller must rely on old fashioned picture ID.
The impact of such a scenario on consumer confidence in biometric technology could be severe. Financial institutions should take care to partner with market leaders in biometric technologies and security to ensure that biometrics in banking can achieve its potential and lead to a fraud-proof future.
Read more about NICE’s real time authentication in our webpage.