Companies across the world are increasingly making use of biometrics to improve security and, especially in the financial services industry, reduce fraud. According to a recent report, the worldwide mobile biometrics market is expected to exceed $50.6 billion in revenue by 2022, growing from a base of $6.5 billion in 2016. Despite this growth, financial services institutions and consumers alike harbor legitimate concerns about whether mobile biometrics actually delivers on its promise of improved security.
A look at some of the major breaches that have compromised biometric data shows that these concerns are not unfounded. In 2014, for example, around 22 million people fell victim to an attack in which personal data, including fingerprints, was stolen from the Federal Government Office of Personnel Management. And within days of the launch of Apple's iPhone X, hackers were able to use 3D-printed masks to beat its facial recognition security system.
Why the Hype Around Biometrics?
In biometric security, unique physical traits, such as a fingerprint, voice, iris, heart rate or vein pattern, are used to prove the identity of an individual. Instead of providing a password, for example, an individual can be identified by means of their fingerprint or voice, meaning that biometric features require less effort than passwords. They are hard to copy and cannot be guessed, which makes them more secure than passwords – especially given that many people still use obvious password choices like "1234" or "password" to protect their accounts.
For many financial services institutions, credit unions included, keeping friction to a minimum and making the member experience as simple as possible has always been a key consideration. Given the ease of use of biometric security measures, they have the potential to provide credit unions with an optimal solution in terms of member experience.
But What Are the Risks?
As the breaches referred to earlier show, biometric data can be stolen. And when this happens, the consequences can be far-reaching – much more so than when databases containing only passwords are breached. Passwords can be reset or changed, but you can't change your fingerprint or your voice. The risk is greater under server-based biometric models, where many individual records are stored on one centralized platform: if the server is breached, a large number of people are exposed at once. As more organizations adopt biometrics and build databases of biometric data, the security risk will continue to increase.
To avoid large-scale theft of biometric records, most mass market biometric solutions instead rely on device-based biometric models, and are designed never to share data beyond the user-held device (e.g. the smartphone). The biometric solution simply informs the remote service that a biometric record has been matched successfully on the device. But mobile malware could just as well tell the remote service the same thing – without there having been a match at all. A stolen device can also provide hackers with opportunities to commit fraud – albeit in a very targeted attack – if they are able to replicate the user's fingerprint or facial structure.
In either case, there is legitimate concern that, once biometric information is compromised, an individual may not be able to confidently use their own biometric information in the future – or that it could even be used against them.
The Ins and Outs of Biometric Authentication
When used correctly, biometrics offers a higher level of protection, but in digital security no single control is strong enough on its own to stop fraudsters from trying to obtain sensitive information. Relying solely on biometrics to gain access to accounts or authorize transactions does not constitute a sufficiently strong security measure. This is especially true in the financial sector, where regulations increasingly mandate two- or multi-factor authentication.
In two- or multi-factor authentication systems, at least two of the three factor categories – knowledge, ownership (possession) and inherence – must be used to identify a user or authenticate a transaction. Knowledge factors are something only the user knows, such as a static password or personal identification number. Ownership refers to something only the user possesses, such as a token, smart card or mobile phone, while inherence is something the user is, which includes biometric characteristics like a fingerprint.
While they might be more secure than many password options, biometrics only provides one factor of authentication – inherence, also known as "something you are." Behavioral biometrics can identify a user at a specific place and time, but only a second (possession) factor can attest to where, when and why that biometric data was presented.
A strong device ID, where a mobile device can be uniquely identified with a digital certificate, can serve as the possession factor. Together with the user's inherent biometric data, it ensures proof of the context of a login or transaction. Behavioral biometrics used in this context could form part of a two- or multi-factor approach.
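The device-bound possession factor described above, and the reason a bare "matched" message from the device (the malware case from the earlier section) is not enough, shown as an added Go example that is not code from this article or from Entersekt: the server issues a random nonce, the phone signs it with its enrolled key only after the local biometric match, and the server checks the signature against the enrolled public key and consumes the nonce so a captured response cannot be replayed. The device IDs, the in-memory maps and the use of a plain P-256 key in place of a certificate-backed key are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Server keeps each device's enrolled public key (the possession factor) and its one outstanding nonce.
type Server struct {
	Enrolled   map[string]*ecdsa.PublicKey
	Challenges map[string][]byte
}

// Enroll models onboarding: the device generates its key pair (in a hardware keystore on a phone) and registers the public half.
func Enroll(s *Server, id string) *ecdsa.PrivateKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	s.Enrolled[id] = &priv.PublicKey
	return priv
}

// Challenge issues a fresh random nonce that this login attempt must sign.
func (s *Server) Challenge(id string) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand.Read cannot fail as of Go 1.24
	s.Challenges[id] = nonce
	return nonce
}

// Verify accepts the login only if the outstanding nonce was signed by the
// enrolled key; the nonce is consumed either way, so a replay fails.
func (s *Server) Verify(id string, sig []byte) error {
	pub, nonce := s.Enrolled[id], s.Challenges[id]
	delete(s.Challenges, id)
	digest := sha256.Sum256(nonce)
	if pub == nil || nonce == nil || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("not a fresh signature from the enrolled device")
	}
	return nil
}

// Respond runs on the device: it signs only after the local biometric match, so the signature proves which device answered.
func Respond(priv *ecdsa.PrivateKey, nonce []byte, matched bool) ([]byte, error) {
	if !matched {
		return nil, errors.New("biometric match failed; key not released")
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}
```

A message that merely claims "matched" carries no such signature, so a server that accepts it cannot distinguish a real match from malware on the device, whereas here an unenrolled key, a replayed response or a missing match all fail Verify.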
How Biometrics Can Form Part of a Sound Security Solution
While members are typically seeking convenience, the strategic objective for credit unions and other businesses has always been to decrease fraud without introducing friction into transactions. Through two- or multi-factor authentication, credit unions can have the best of both worlds: members feel secure and in control, and credit unions can securely confirm their members' identities and intentions.
Combining the ease of use of biometrics with a strong device ID based on digital certificate technology, credit unions can achieve their goal of security while also providing member convenience. Confidence on both sides of a transaction leads to a frictionless member experience with greater consumer trust, which spells success for credit unions' bottom lines.
Sherif Samy is SVP of North America for Entersekt. He can be reached at sherif@entersekt.com.