Biometric Authentication in a Multi-Channel Environment
The proliferation of banking channels generates an equal proliferation of authentication methods; can biometrics help reduce the clutter?
Banks go to great lengths to safeguard their customers’ personal information and finances, but the rapid adoption of multi-channel strategies increases the pressure on current authentication practices.
Core to protecting customers is ensuring that any individual trying to access banking services is actually who they claim to be. Typically, this is achieved using magstripe credit cards requiring a signature, EMV-enabled cards requiring a PIN or personal security keys that generate unique codes for online banking. The result: nearly every channel has a different method for authentication. So, as digital security becomes more widespread, the average person uses 20 different types of identification or authentication in a single day, including passwords and PINs, unquestionably producing a negative impact on the customer experience.
While additional contact points for customers are designed to improve accessibility and convenience, they also can increase vulnerabilities and the potential for fraudsters to strike. PINs are relatively easy to steal and information stored on magnetic stripes can even be copied and reproduced using equipment readily available on the Internet. With online forums promoting cybercrime proliferating, fraudsters don’t have to be criminal masterminds to breach systems relying solely on passwords. In the fight against fraud, criminals continually appear to be one step ahead.
Additionally, it’s often overlooked just how expensive and resource-draining password usage can actually be. According to the Gartner Group, between 20% and 50% of all help desk calls are for password resets, and Forrester Research states that the average help desk labor cost for a single password reset is about $70. With the average online user having 40 personal or professional accounts, each requiring a password or PIN, it’s easy to see why they are easily forgotten and the impact this is having on businesses.
To cope with the demands of using multiple contact points and simplify the process of authentication, banks need a solution that is channel-agnostic and solves security concerns. We recommend a multi-factor approach that uses biometrics alongside other security factors to maximise protection. This is particularly effective for digital transactions or access to accounts and services where the potential for a user to present a false identity can be higher.
There are three factors involved in multi-factor authentication: something the user knows (e.g. a password or PIN); something the user has (e.g. a credit card or smart card); and something the user is (a biometric characteristic). Two-factor authentication comprising something a user has and something they know is currently the most common approach. An example would be EMV technology that requires users to present a card and type in a PIN to complete a transaction. The secure capability of biometrics is unparalleled, however, so incorporating the third factor, something a user is, has major potential to improve authentication processes in the banking sector.
Biometrics uses an identifier that is unique to each person, that remains with the user at all times and cannot be forgotten, solving many of the problems that currently threaten security. While PIN authentication must be performed in secret, customers can be biometrically authenticated in the open, which makes it much easier to use in public situations such as in-store or at ATMs. The same authentication method can be used across a variety of situations and environments, which makes it simpler for issuers and banks to safely increase their service offerings and customer contact points.
One solution currently being piloted through a partnership of leading banks, retailers and Natural Security in France integrates biometrics with a smart payment card that contains a secure element on which the user’s biometric data is stored. Unlike typical database-led biometric solutions, this would give users complete control over their biometric data, be it a fingerprint, finger vein or iris scan. For the first time, the user is given real security, as they have to carry the device on them for a transaction to be completed. In this instance, it would be impossible for one user to be mistaken for another and therefore stealing a device would be fruitless for any criminal.
Whilst the stipulation that the user must carry the device everywhere may be seen as an inconvenience, the security benefits of this authentication method far outweigh any potential hassle. The secure element and accompanying technology can also be incorporated into an SD card, for use with a mobile phone for example, so this would actually reduce the number of items the user would need to carry, improving convenience.
Usability is a major factor in the successful adoption of any new authentication method. So far in trials, biometric technology appears to have all the required elements of a convenient authentication method. Due to privacy and performance impacts, however, storage of the biometrics on a personal device is recommended. Using midrange contactless technology (with approximately a 1.5-meter read distance) removes the need for the user to handle the personal device, making authentication even quicker.
Wincor Nixdorf’s recently published electronic payment barometer highlighted that 69% of consumers interviewed were in favour of replacing the PIN for their payment card with a fingerprint scan. Interestingly, this was almost double the number of consumers that were in support of using contactless alone, which stood at only 39%. Despite biometric development still being in its early stages, the results of the survey are encouraging in suggesting that widespread acceptance is a possibility.
Issuance and integration with existing technologies are other considerations any bank looking to adopt new authentication will need to assess. It is likely consumers will have to physically enter a banking branch for biometric solutions to be issued as the biometric data has to be given in person. Whilst this may seem like an inconvenience, it is a one-off process and improves the transaction and access experience overall so will likely not obstruct adoption in the long run.
What’s interesting about biometrics and certain multi-factor approaches is that they don’t require changes to current technological infrastructure to be implemented. This doesn’t mean they’re cost-free, but the impact is less than many people expect. Creating a business model that copes with the cost will be core to the growth of biometrics in banking.
It’s clear that the current landscape of authentication methods is far too varied and no longer offers the secure, convenient experience consumers have come to expect. While the future of biometrics in the banking world remains uncertain, there is great potential for new multi-factor approaches that incorporate biometrics.