Biometrics Light the Way for Secure Financial Services
Financial institutions need to pay special attention to the pro-biometrics sentiment now established among consumers. When a recent Credit Union Times study asked 9,000 consumers worldwide how they perceived a range of authentication methods in terms of security, for the first time in years passwords were not even ranked as among the top three. Instead, a majority of consumers said they preferred biometrics such as fingerprint or face recognition or more passive behavioral biometrics that track how users type and swipe on their mobile device.
Meanwhile, COVID-19 and its associated lockdowns clearly accelerated people’s adoption and engagement with digital financial services – and those changed habits will likely persist post-pandemic. Supporting this, a recent Mastercard survey asked 14,000 consumers how the pandemic had affected their banking habits. An overwhelming 96% of the respondents said they completed banking tasks digitally, 53% engaged with mobile banking apps more than they did pre-pandemic, and 87% of people who hadn’t used apps previously said they would now continue to do so (see Figure 1).
Studies also regularly report that consumers want both stronger data security and better user experiences from their digital financial services, as shown in Figure 2. A common proviso is that delivering digital services involves a necessary trade-off between security and user experience: increase one, and the other is reduced by default. But that’s a myth that needs busting. Because biometrics authenticate through natural human-computer interaction, they deliver both security and convenience simultaneously.
In this article I also contend that, counter-intuitive as it sounds, digital identity verification – used together with artificial intelligence (AI), risk analytics and biometric authentication – can in fact lower the risk of fraud compared with in-person processes.
Combatting Increased Fraud
The digital fraud threat is certainly growing, as cyber-criminals take notice of people’s increased adoption of online financial services. For example, the use of mobile banking Trojans – malicious apps that steal banking credentials from an account holder’s mobile device – increased 125% in 2020 compared to 2019, according to anti-virus software vendor Kaspersky. The company also found a 20% increase in financial account takeover events in 2020. The large majority of those incidents were the result of weaknesses in passwords, chiefly their vulnerability to phishing. That’s especially problematic when financial institutions’ customers are among cyber-criminals’ top three phishing targets.
In response, financial institutions are increasingly modernizing their authentication systems in order to reduce fraud and improve the user experience, by using biometric identification and in particular liveness detection and behavioral biometrics.
The key security element of biometric templates is that they store a mathematical representation of the actual fingerprint, face, iris or retina, rather than the modality itself. So these representations are essentially worthless to attackers: they can’t be offered to the biometric sensor, fingerprint reader or camera, and because they’re encrypted, they can’t easily be reverse-engineered to recreate the biometric they were derived from.
Meanwhile, liveness detection protects against presentation attacks – where hackers use a manufactured model of the real user’s biometric (such as a photo, video, high-quality mask or 3D-printed finger) to spoof the system and access the registered user’s account. In this respect, AI and machine learning have fueled massive gains in biometric systems’ accuracy and defense against presentation attacks in recent years.
Finally, behavioral biometrics enable banks to continuously authenticate the user by monitoring patterns in their navigation through a mobile banking app, keystroke dynamics, finger pressure and swipe actions. This is especially useful when assessing unknown users, such as someone applying for a new bank account online. The behavioral biometrics system can compare that user’s behavior to the wider population – for example, criminals engaged in application fraud tend to copy and paste information into forms and betray a certain familiarity with the application, moving faster than typical legitimate applicants do. Behavioral systems can also discern non-human and/or bot activity.
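As an added illustration of the population-comparison idea described above (this is example code, not from the original article or any vendor’s product): a toy behavioral scorer that flags pasting into form fields, completing the application far faster than a constructed legitimate-applicant baseline, and machine-like keystroke timing. All telemetry values, thresholds and weights are assumptions.

```python
from statistics import mean, pstdev

# Constructed baseline: seconds legitimate applicants took to finish the form
# (assumed values for illustration, not a real population sample).
POPULATION_COMPLETION_SECONDS = [412.0, 355.0, 480.0, 398.0, 440.0, 372.0, 505.0, 390.0]

# Constructed telemetry for two sessions: paste_events counts fields filled by
# paste rather than typing; key_intervals are seconds between keystrokes.
LEGIT_SESSION = {"completion_seconds": 400.0, "fields": 12, "paste_events": 1,
                 "key_intervals": [0.18, 0.25, 0.31, 0.22, 0.19, 0.40, 0.27, 0.23]}
FRAUD_SESSION = {"completion_seconds": 95.0, "fields": 12, "paste_events": 9,
                 "key_intervals": [0.05, 0.05, 0.05, 0.05, 0.05, 0.05]}

def z_score(value, population):
    """How many population standard deviations 'value' sits from the mean."""
    sigma = pstdev(population)
    return (value - mean(population)) / sigma if sigma else 0.0

def keystroke_regularity(intervals):
    """Coefficient of variation of inter-key gaps; near zero means machine-like timing."""
    if len(intervals) < 2:
        return None
    mu = mean(intervals)
    return pstdev(intervals) / mu if mu else 0.0

def score_application(session):
    """Return (risk_score, reasons) for one session's telemetry."""
    score, reasons = 0, []
    # Fraudulent applicants tend to paste into forms rather than type.
    paste_ratio = session["paste_events"] / session["fields"]
    if paste_ratio >= 0.5:
        score += 30
        reasons.append(f"paste ratio {paste_ratio:.2f}")
    # Finishing far faster than the legitimate population (z below -2).
    z = z_score(session["completion_seconds"], POPULATION_COMPLETION_SECONDS)
    if z < -2.0:
        score += 40
        reasons.append(f"completion z-score {z:.1f}")
    # Uniform keystroke timing points to scripted or bot input.
    cv = keystroke_regularity(session["key_intervals"])
    if cv is not None and cv < 0.1:
        score += 30
        reasons.append(f"keystroke CV {cv:.2f}")
    return score, reasons

def decide(score):
    """Map a risk score to an action; thresholds are assumed for illustration."""
    return "step-up" if score >= 60 else "review" if score >= 30 else "allow"
```

A real system would learn the baseline and weights from labelled sessions rather than hard-coding them, and “step-up” would typically mean a biometric re-authentication prompt or manual review.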
Security: Remote Versus In-Person
Consumers themselves have come to recognize the security benefits offered by both physical and behavioral biometrics systems. In fact, I believe that non-face-to-face biometric ID authentication exposes financial institutions to similar or even lower risk than face-to-face identification.
Take the example of preventing fraud at the point of account opening or registration. Someone seeking to open a new bank account through the physical branch, web or mobile channel is a stranger. The bank therefore needs to walk through a series of steps to assure that the applicant is who they claim to be. As part of know your customer (KYC) requirements, the individual must present one or more official identification documents, typically issued by a government agency. The bank then needs to check the authenticity and validity of that documentation and compare the face of the in-the-flesh person presenting it with the photo on the ID.
To do this, digital identity verification uses AI to evaluate an image of the ID document and calculate an authenticity score, which determines whether the ID is genuine. Next, combining facial recognition, liveness detection and the device’s camera, the system verifies the user’s physical presence and compares a biometric sample of their face to the photo on the valid ID, to verify that the user is the rightful owner of that ID.
Now, do you think performing these actions digitally is less, equally or more reliable and secure than performing them in person? Here’s the opinion of global, intergovernmental money laundering and terrorist financing watchdog, the Financial Action Task Force (FATF): “Non-face-to-face customer-identification and transactions that rely on reliable, independent digital ID systems with appropriate risk mitigation measures in place, may present a standard level of risk, and may even be lower-risk.”
Despite knowing that FATF members possess far more knowledge and experience than me when it comes to money laundering and terrorist financing, I originally scoffed at this claim. How could digital identity verification be more secure than its in-person equivalent? It turns out that this depends on your definition of “non-face-to-face” or “in-person”. Looking at FATF’s official ‘Guidance On Digital Identity’ document, its use of the phrase “non-face-to-face” aligns with NIST’s definition of “in-person”. And “non-face-to-face” and “in-person” in this context allow for supervised remote identity verification such as that achieved by a high-resolution video transmission supervised by a trained representative.
IAL3, the highest of three identity assurance levels (IALs) defined by NIST, requires in-person or supervised remote identity verification. Unsupervised remote identity verification is acceptable for IAL2. The verification strength of IAL2 is considered strong, while the verification strength of IAL3 is considered superior.
Of course, any financial institution needs to evaluate digital identity verification in terms of their own risk appetite and consider their specific security, privacy and compliance requirements – and also whether the vendor they choose can deliver on them. But there are a number of sound arguments for why even remote and unsupervised identity verification can introduce less risk than on-site verification:
- There is less room for human error compared to manual verification.
- It provides a secure audit trail for non-repudiation and mitigation of human co-conspirators.
- It offers increased privacy with self-serve document scanning as opposed to photocopies, etc.
- It provides faster, more thorough and more accurate ID validity/authenticity checks with AI.
In line with this, some banks have found the strength of these security and risk mitigation benefits so compelling that they are exploring the implementation of digital identity verification in their branches. Other drivers include cost savings and increased employee morale, because the technology rescues staff from the tedium of photocopying identity documents.
Digital ID Based on Trust
While this article puts the case for the security of biometric authentication – and how digital identity verification might harbor less risk than the in-person counterpart – optimal levels of security and convenience are rooted in a combination of the two.
Arguably, the most secure and convenient digital financial services possible today can be achieved by binding the biometric authentication credentials and other identity and device attributes to the identity-proofed individual, and then applying behavioral biometrics and continuous risk analytics to the mix. Whenever that user returns to your web or mobile application, the trust established during the original identity proofing remains, because it’s bound to the user along with their device and other identity attributes.
You then continue to gather data throughout the lifecycle of the user’s relationship with you. Through machine learning, you are able to assess risk at any time and trigger actions in order to stop fraud; all the while you deepen your understanding of that user, building trust and developing more accurate risk scoring. This allows you to interrupt the user only when absolutely necessary, or when that person might expect or appreciate a visible signal of security, such as a biometric authentication prompt for a higher-risk activity. In conclusion, we can expect banks and financial institutions to balance the usability of their platforms with security tools for identity verification and authentication, and to increasingly use biometrics together with AI and machine learning to combat the rising wave of digital fraud.
This blog, written by Sam Bakken, Senior Product Manager, Mobile Security at OneSpan, was first published in Biometric Technology Today Volume 2021, Issue 6 in June 2021.