What are biometrics?
Biometrics are physical or behavioral characteristics that are unique to each person and are used to authenticate an individual before granting access to applications and other network resources. Examples of biometric identifiers include fingerprints, facial patterns, swiping patterns, typing rhythms and voice. Biometric authentication is a popular component of multifactor authentication (MFA) because it combines a strong authentication challenge with a low-friction user experience.
According to Wikipedia, “biometric identifiers are often categorized as physiological versus behavioral characteristics. Physiological characteristics are related to the shape of the body. Examples include, but are not limited to fingerprint, palm veins, face recognition, DNA, palmprint, hand geometry, iris recognition, retina and odor/scent.” Behavioral biometrics are related to a pattern of behavior, such as a person’s typing rhythm, or how they hold or swipe their phone.
Biometrics are increasingly used in mobile banking apps, helping customers easily log in and adding another layer of security. Biometric systems don't depend on biometric information, such as an image of your face, being a secret. In contrast to passwords and PINs, biometrics can’t be forgotten or shared and they are more challenging to copy or steal.
How do biometrics work?
A biometric system has three different components. There must be a sensor to record and read your biometric information, such as a fingerprint. When you’re using your biometric information to access your mobile phone, there must be a computer securely storing the biometric information for comparison. The third component is software to connect the computer hardware to the sensor.
Static biometrics and behavioral biometrics: What's the difference?
Static biometrics use physical features, such as a fingerprint scan or facial recognition, to unlock mobile phones, log in to bank accounts or do transactions.
Here are the main types of static biometrics used to verify your identity:
- Facial recognition software analyzes the distance between your eyes and the distance between your chin and your nose to create an encrypted digital model of your face. When authenticating you, the facial recognition software will scan your face in real time and compare it to the digital model securely stored within the system. Facial recognition systems with “active liveness detection” require you to move your head, blink, or perform other movements. Liveness detection can also be passive, working behind the scenes using algorithms to analyze biometric samples for signs that they’re not from a live person, such as detecting paper, digital screens or cutouts in a 3D printed mask. Strong liveness detection makes sure that it’s the actual customer presenting their biometric sample to the system, and not an attacker trying to impersonate the individual in what’s called a presentation attack.
- Fingerprint recognition is one of the most popular forms, if not the most popular, of biometric authentication used on mobile devices. It was originally popularized by Apple’s Touch ID. A fingerprint reader analyzes the ridges and patterns of your fingerprint and compares it against the stored digital model of your finger during authentication. Fingerprint recognition can be unreliable if your finger is wet or dirty. It’s challenging for an attacker to replicate an individual’s fingerprint when a fingerprint recognition system has strong liveness detection to help prevent presentation attacks, which could use a 3D model or a fake image.
- Iris recognition: There are two methods of eye scanning to authenticate a person’s identity. In a retinal scan, a light briefly shines into the eye to show the unique pattern of blood vessels in the eye. By mapping this pattern, the eye recognition tool can compare a user’s eyes against an original. In an iris scan, the colored rings found in the iris are scanned. In some uses, eye recognition can be as fast and accurate as face recognition, but it can be difficult to get a sample for comparison in sunlight when pupils contract. Iris recognition can also be less reliable when a customer wears glasses.
- Voice recognition analyzes the unique sound of a person’s voice, which is determined by the length of their vocal tract and the shape of their nose, mouth, and larynx. Analyzing a person’s voice is a strong method of authentication, but a cold, bronchitis, other illnesses and background noise can distort the voice and disrupt authentication.
- Finger geometry recognition uses the 3D geometry of the finger for identity verification.
Overall, static biometrics are considered a secure way to authenticate customers and should include liveness detection to fight spoofed fingerprints or photos in a presentation attack.
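As an added example (not part of the original article, and not any vendor's code), here is the decision logic that sits behind the static biometrics described above: a liveness score from a presentation-attack-detection stage gates the comparison, the fresh sample is scored against the stored template, and a threshold turns that score into an accept or reject. The feature vectors, liveness scores and the small score sample used for the error-rate calculation are all constructed; `verify`, `error_rates` and `Decision` are names chosen for this example.

```python
"""Added example (not from the original article): threshold-based verification
of a static biometric with a liveness gate. Assumption: an upstream pipeline
has already reduced the sensor reading to a small feature vector and produced
a liveness (presentation-attack-detection) score in [0, 1]. All numbers here
are constructed for illustration."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    similarity: float


def cosine_similarity(a, b):
    """Cosine similarity of two feature vectors: 1.0 = identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def verify(sample, template, liveness_score, *,
           match_threshold=0.95, liveness_threshold=0.8):
    """Two-stage decision. Liveness is checked first and independently of the
    match, so a presentation attack that reproduces the enrolled trait
    perfectly (a photo, a cast of a finger) still fails."""
    if liveness_score < liveness_threshold:
        return Decision(False, "presentation attack suspected", 0.0)
    similarity = cosine_similarity(sample, template)
    if similarity < match_threshold:
        return Decision(False, "no match", similarity)
    return Decision(True, "match", similarity)


def error_rates(genuine_scores, impostor_scores, threshold):
    """False accept rate (impostors scoring at or above the threshold) and
    false reject rate (genuine users scoring below it). Raising the threshold
    lowers FAR and raises FRR; the operating point is a business decision."""
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return far, frr


# Constructed feature vectors standing in for face or fingerprint embeddings.
ENROLLED_TEMPLATE = [0.90, 0.10, 0.40, 0.20]
GENUINE_SAMPLE = [0.88, 0.12, 0.41, 0.19]   # same person, slightly different capture
IMPOSTOR_SAMPLE = [0.10, 0.90, 0.30, 0.50]  # different person

if __name__ == "__main__":
    print(verify(GENUINE_SAMPLE, ENROLLED_TEMPLATE, liveness_score=0.97))
    print(verify(IMPOSTOR_SAMPLE, ENROLLED_TEMPLATE, liveness_score=0.97))
    # A perfect copy of the template shown on a screen: liveness fails first.
    print(verify(ENROLLED_TEMPLATE, ENROLLED_TEMPLATE, liveness_score=0.20))
    print(error_rates([0.99, 0.97, 0.93, 0.98], [0.40, 0.62, 0.96, 0.55], 0.95))
```

The ordering matters: because the liveness check runs before the similarity score is even computed, a sample that is a perfect copy of the enrolled trait still fails when it is not coming from a live person, which is exactly the presentation attack the article describes. The `error_rates` helper shows the trade-off a deployment has to choose: moving the threshold from 0.95 to 0.90 on the constructed scores removes the false rejection but leaves the false acceptance in place.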
Behavioral biometrics analyze your unique habits and movements to create a pattern of behavior that can be recognized when you are typing or how you hold your phone. Like static biometrics, behavioral biometrics add another layer of security to verify your identity. FinancialIT.net says, “This cutting-edge technology uses motion sensors and artificial intelligence to identify unique mannerisms such as the way a phone is held. It is widely being regarded as the final frontier in security.”
Here are the main types of behavioral biometrics:
- Keystroke rhythm analyzes the manner and speed of your typing to determine distinctive patterns. The amount of finger pressure used when you are typing can also be put into a recognizable pattern.
- Phone handling analyzes the angle at which you hold your phone and the dominant hand you use when operating it. Behavioral biometrics also include how you swipe on your phone and with which hand.
- Your gait, or how you walk, is also a behavioral trait that can be studied for a pattern. In addition, your usual time and location for logins and transactions can also be put into a behavioral pattern.
Behavioral biometrics are a seamless experience for customers, but challenging for fraudsters because each individual has a specific profile of their habits and movements. With behavioral biometrics, a user's session is continuously monitored so that if at any point it's interrupted or potentially hijacked, the system can recognize it and take appropriate action to prevent fraud before it occurs.
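The keystroke-rhythm and continuous-monitoring ideas above can be made concrete. The following is an added example, not code from the original article or from any behavioral-biometrics vendor: it builds a typing profile from dwell times (how long a key is held) and flight times (the gap between releasing one key and pressing the next), scores later typing windows against that profile, and escalates to a step-up challenge only after repeated deviation. The timestamps are constructed, and the names `enroll`, `Profile` and `SessionMonitor` are this example's own.

```python
"""Added example (not from the original article or any vendor): keystroke-rhythm
profiling used for continuous authentication. Assumption: the client reports
key press/release timestamps in milliseconds for a fixed phrase. Timings
below are constructed; real enrollment would use many more samples."""
import statistics


def features(sample):
    """Turn (key, press_ms, release_ms) triples into dwell times (how long each
    key is held) followed by flight times (gap between releasing one key and
    pressing the next)."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


class Profile:
    def __init__(self, means, stds):
        self.means, self.stds = means, stds

    def distance(self, sample):
        """Mean absolute z-score of a sample against the enrolled rhythm."""
        f = features(sample)
        if len(f) != len(self.means):
            raise ValueError("sample does not match the enrolled phrase length")
        return sum(abs(x - m) / s for x, m, s in zip(f, self.means, self.stds)) / len(f)


def enroll(samples, min_std_ms=5.0):
    """Per-feature mean and standard deviation over the enrollment samples.
    The floor on the standard deviation stops a user who typed very
    consistently during enrollment from being locked out by normal jitter."""
    vectors = [features(s) for s in samples]
    means = [statistics.fmean(col) for col in zip(*vectors)]
    stds = [max(statistics.pstdev(col), min_std_ms) for col in zip(*vectors)]
    return Profile(means, stds)


class SessionMonitor:
    """Scores every observed typing window during the session. One deviating
    window is only 'suspicious' (people do get interrupted); repeated
    deviation triggers a step-up challenge instead of silently continuing."""
    def __init__(self, profile, threshold=1.5, max_consecutive=2):
        self.profile = profile
        self.threshold = threshold
        self.max_consecutive = max_consecutive
        self.consecutive = 0

    def observe(self, sample):
        if self.profile.distance(sample) <= self.threshold:
            self.consecutive = 0
            return "ok"
        self.consecutive += 1
        if self.consecutive >= self.max_consecutive:
            return "step_up_required"
        return "suspicious"


def typed(presses, dwells, keys="pass"):
    """Build a constructed sample from press times and hold durations."""
    return [(k, p, p + d) for k, p, d in zip(keys, presses, dwells)]


# Constructed enrollment: three captures of the same phrase by the account owner.
ENROLLMENT = [
    typed([0, 150, 300, 450], [80, 90, 85, 95]),
    typed([0, 160, 310, 470], [85, 88, 90, 92]),
    typed([0, 145, 295, 440], [78, 92, 82, 98]),
]
GENUINE_WINDOW = typed([0, 155, 305, 455], [82, 89, 87, 94])   # owner, later in session
FOREIGN_WINDOW = typed([0, 90, 180, 270], [40, 45, 42, 48])    # much faster, different rhythm

if __name__ == "__main__":
    monitor = SessionMonitor(enroll(ENROLLMENT))
    for window in (GENUINE_WINDOW, FOREIGN_WINDOW, FOREIGN_WINDOW, GENUINE_WINDOW):
        print(round(monitor.profile.distance(window), 2), monitor.observe(window))
```

Two design points are worth noting. The standard-deviation floor keeps a very consistent enroller from rejecting themselves later, and the consecutive-window counter is what turns a score into the session-level behaviour the article describes: a single odd window after an interruption is tolerated, while a sustained change in rhythm mid-session (the hijack case) produces a step-up demand rather than a silent continuation.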
How biometrics protect against financial fraud
Biometrics are used by financial institutions for the following purposes:
- For digital identity verification when a customer opens a new account remotely
- For customer authentication (when logging in or for continuous authentication throughout the banking session)
- For transaction authentication (to ensure the legitimate account owner is in fact the person initiating the transaction)
Consumers are becoming increasingly comfortable with biometrics and many are choosing to use a fingerprint or facial recognition, for example, as a means of authentication and identity verification with their financial institution. Biometrics add another layer of security and help raise the trust level that customers have in their financial institution. Apple’s Touch ID, introduced in 2013, has contributed to the rise of biometrics in mobile banking because it provides financial institutions with a device-based technology they can use to secure their mobile banking platform.
Similarly, Android Fingerprint ID allows users to verify their identity with a fingerprint on some Android devices. Javelin says consumers are demanding authentication choice. For more than a third of users, the three authentication methods they most strongly want their financial institutions to support are all biometric modalities. Javelin also notes that while consumers who want biometric choice would typically be expected to be concentrated among younger customers, around 40% were older than age 55.
How biometrics provide strong customer authentication
Biometrics are part of a multi-factor authentication (MFA) process, where multiple technologies can be used to authenticate someone’s identity when they log in to a banking session or make a financial transaction. To achieve MFA, at least two different factors of authentication must be used. Authentication factors include:
Something You Know
This is usually a password, PIN, passphrase or questions with their corresponding answers.
Something You Have
This can be a one-time PIN, or your smartphone with an authenticator app as the device that generates a one-time passcode behind the scenes.
Something You Are
This is anything from fingerprints, retina scans, facial recognition and voice recognition to a customer’s behavior (such as how hard or fast they type or swipe on a screen) that can be used to verify a unique customer.
As a result, using a PIN with facial recognition is multi-factor authentication because it combines something you know and something you are, while using a PIN with a password would not be considered multi-factor authentication because it’s simply two things that you know.
How biometrics help protect against financial fraud
Using biometrics as part of Strong Customer Authentication (SCA) or MFA can help mitigate different types of fraud attacks. When fraudsters digitally break into a bank account to take control of it, they often use tactics such as phishing to persuade people to inadvertently reveal their login credentials. The result is account takeover, which is a top threat to financial institutions and their customers due to the financial losses and mitigation efforts involved. Biometrics can help stop attackers at the point of access (login) by asking for a fingerprint scan or facial scan. The attacker will not be able to successfully authenticate and will be prevented from getting into someone else’s account. Further, robust liveness detection and spoof detection make it even more difficult for attackers. The attacker will not be able to mimic a legitimate customer’s biometrics and will be prevented from accessing the account.
How biometrics help prevent fraud during remote account opening
Biometrics also play a role in helping to prevent identity fraud during the remote account opening process. Today, due to COVID-19, many consumers are avoiding unnecessary visits to the bank branch. Even when a new applicant is not face-to-face with a bank representative, the bank must still verify that the remote applicant is in fact the legitimate owner of an identity document, such as a passport or driver’s license. This is essential in the fight against application fraud.
Biometrics are part of this process. For example, facial comparison is used for identity verification, to ensure the remote applicant is who they say they are. Once the authenticity of the applicant’s driver’s license, passport or other government-issued ID is verified, they are asked to take a selfie with their mobile device. When a selfie is used for facial recognition, liveness detection can be applied to prove genuine human presence.
There are two types of liveness detection to identify whether a biometric trait is from a real person or is a digital or manufactured representation. Active liveness detection requires a person to blink or turn their head, and passive liveness detection runs behind the scenes and uses algorithms to detect signs of potential spoofing. Facial comparison technologies use advanced algorithms to look at biometric data from a person’s features. For example, the position and size of a person’s eyes relative to each other can be used to determine whether the selfie and the government-issued ID are from the same person.
How biometrics improve the customer experience
The use of biometrics is making it faster and easier for customers to interact with their financial institution. Biometrics are a more secure means of authentication than passwords, which are often stolen or forgotten. Biometrics can increase customers’ trust in their financial institution because it’s much more challenging for fraudsters to succeed with the use of a fake fingerprint or selfie. Positive experiences with biometrics for identity verification during a remote account opening and for customer authentication during login also can increase customers’ loyalty and confidence in their financial institution.
It’s worth noting that biometric models can learn over time so that changes in a person’s features due to aging are taken into account and don’t invalidate a match. When a user is authenticating regularly, small changes in appearance will not be significant enough to invalidate the match. Instead, the mathematical model of a person will be updated as changes in appearance are recognized.
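The template-updating behaviour just described has a security edge to it: a model that learns from every accepted sample can be walked away from its owner by an impostor who scrapes through once. The following added example (not code from the original article or from any vendor) shows one way to get the benefit without that risk. It uses two thresholds, a looser one for authentication and a stricter one for trusting a sample enough to refine the template, plus a cap on how far the adapted template may drift from the original enrollment. The feature vectors are constructed 2-D unit vectors, so a gradual change in appearance is modelled as a rotation; `AdaptiveTemplate`, `at_angle` and `simulate_gradual_change` are names chosen for this example.

```python
"""Added example (not from the original article or any vendor): a stored
biometric template that adapts to gradual change in a person's appearance.
Assumption: samples arrive as feature vectors; here they are constructed
2-D unit vectors so a 'change in appearance' is simply a rotation by some
angle. Names such as AdaptiveTemplate and at_angle are this example's own."""
import math


def unit(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]


def cosine(a, b):
    return sum(x * y for x, y in zip(unit(a), unit(b)))


def at_angle(degrees):
    """Constructed 2-D 'embedding' whose only property is its direction."""
    r = math.radians(degrees)
    return [math.cos(r), math.sin(r)]


class AdaptiveTemplate:
    """accept_threshold decides authentication; the stricter update_threshold
    decides whether the sample is trusted enough to refine the template. The
    gap between them is deliberate: a sample that only just passes is
    authenticated but never pulls the template toward itself, so an impostor
    who scrapes through once cannot gradually retrain the model. drift_floor
    caps how far the adapted template may wander from the original
    enrollment."""
    def __init__(self, enrolled, accept_threshold=0.94, update_threshold=0.96,
                 alpha=0.5, drift_floor=0.5):
        self.enrolled = unit(enrolled)
        self.current = list(self.enrolled)
        self.accept_threshold = accept_threshold
        self.update_threshold = update_threshold
        self.alpha = alpha
        self.drift_floor = drift_floor

    def authenticate(self, sample):
        """Returns (accepted, template_updated)."""
        sample = unit(sample)
        similarity = cosine(sample, self.current)
        if similarity < self.accept_threshold:
            return False, False
        if similarity < self.update_threshold:
            return True, False
        candidate = unit([(1 - self.alpha) * c + self.alpha * s
                          for c, s in zip(self.current, sample)])
        if cosine(candidate, self.enrolled) < self.drift_floor:
            return True, False
        self.current = candidate
        return True, True


def simulate_gradual_change(steps=(8, 16, 24, 32, 40)):
    """Owner's appearance drifts 8 degrees per visit. Each visit still matches
    the current template, so the template follows; the final sample would have
    failed against the static enrollment."""
    t = AdaptiveTemplate(at_angle(0))
    outcomes = [t.authenticate(at_angle(d)) for d in steps]
    static_similarity = cosine(at_angle(steps[-1]), at_angle(0))
    return t, outcomes, static_similarity


if __name__ == "__main__":
    template, outcomes, static_sim = simulate_gradual_change()
    print(outcomes)                # every visit accepted and the template updated
    print(round(static_sim, 3))    # below the accept threshold: a static template would reject
    print(template.authenticate(at_angle(80)))   # impostor: rejected, template untouched
```

With these constructed numbers the owner's fifth visit, 40 degrees away from enrollment, would be rejected by a frozen template but is accepted by the adapted one, while a sample that sits between the two thresholds is authenticated without moving the template at all. That gap is the caveat to keep in mind when evaluating any "self-learning" biometric product.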
What analysts say about biometrics
According to Gartner, “Biometric authentication cannot and does not depend on the secrecy of biometric traits, but instead relies on the difficulty of impersonating the living person presenting the trait to a capture device (“sensor”) — i.e., a presentation attack.” Gartner adds that this point isn’t widely known, leading to some common misconceptions, reinforced by limited presentation attack detection (PAD) in consumer devices and publicity about successful attacks against Apple Touch ID, Samsung swipe sensors, Android face recognition and so on. The customer benefits of biometric authentication, Gartner says, have caused an increase in mobile banking applications over the past few years.
Juniper Research has estimated that facial recognition hardware, such as Face ID on recent iPhones, will be the fastest growing form of smartphone biometric hardware. It’s expected to reach over 800 million in 2024, compared to an estimated 96 million in 2019. The new research, Mobile Payment Authentication: Biometrics, Regulation & Forecasts 2019-2024, however, notes that the majority of smartphone facial recognition will be software-based, with over 1.3 billion devices having that capability by 2024.
MarketResearch.com notes that fighting banking fraud in the digital world needs more foolproof technologies. “Biometrics is a powerful weapon to combat the growing threat of financial frauds. The technology is therefore hogging the limelight supported by benefits such as easy fool-proof authentication based on unique physical characters that are hard to replicate or duplicate i.e. voice recognition, iris scanning, fingerprint, and face recognition; elimination of the need to remember passwords and manage one-time-passwords (OTPs); enhanced security immune to cyber hacking strategies; unrivalled convenience; significantly reduced risk of identity theft; higher quality user experience; minimal to zero user interface; time saving and reduction in back office authentication workloads, among others.” MarketResearch.com says the global market for biometrics for banking and financial services is projected to reach US$10.8 billion by 2025.
Javelin says storing biometric templates locally on a person’s device reduces risks associated with data compromise, either in transit or through malicious actors targeting a centralized store of biometric data. “When coupled with authentication standards, such as those developed by the FIDO Alliance, local biometric authentication is nearly impossible to phish or misuse intercepted data.” Javelin also notes that, “If a malicious individual is able to successfully enroll his own characteristics into a biometric authenticator, then even the most sophisticated authentication method will still allow him to pass through security challenges. Consequently, many providers offer additional risk assessment tools built into their platform such as device fingerprinting and geolocation. Other tools, such as document scanning offer natural supplements to biometric scanning, which enables a degree of comparison between the user’s captured biometric input and the image on an identification document.”
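Javelin's point about local template storage combined with FIDO-style authentication is easiest to see as a data flow. The following is an added example, not code from the original article, from Javelin or from the FIDO Alliance: the biometric template and the signing key exist only inside the `Device` object, the server holds nothing but a public key, and what crosses the network is a signature over a single-use challenge bound to the server's origin. The signature scheme is a Schnorr-style construction over deliberately tiny constructed parameters (`P=607`, `Q=101`, `G=64`) so that the block runs on the Python standard library alone; it illustrates the flow, not a usable signature scheme, and `Device`, `Server` and `run_scenarios` are names chosen for this example.

```python
"""Added example, not from the original article and not the FIDO Alliance's
code: a toy model of device-local biometric authentication. The template and
the private key live only inside Device; the server stores a public key,
issues a single-use random challenge, and verifies a signature that is bound
to its own origin. The Schnorr-style signature uses deliberately tiny
constructed parameters (P=607, Q=101, G=64) so the block runs on the
standard library alone; it illustrates the data flow, not a usable scheme."""
import hashlib
import secrets

P, Q, G = 607, 101, 64   # toy group: G has prime order Q in the integers mod P


def _hash_to_q(*parts):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(private_key, message):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _hash_to_q(r, message)
    return e, (k - private_key * e) % Q


def verify_signature(public_key, message, signature):
    e, s = signature
    r = (pow(G, s, P) * pow(public_key, e, P)) % P
    return _hash_to_q(r, message) == e


class Device:
    """Authenticator: keeps the biometric template and key; exposes neither."""
    def __init__(self, template, origin):
        self._template = template
        self._private_key = secrets.randbelow(Q - 1) + 1
        self.public_key = pow(G, self._private_key, P)
        self.origin = origin   # credential is scoped to the site it was registered with

    def _matches(self, sample):
        # Constructed stand-in for a real matcher: every feature within 0.05.
        return max(abs(a - b) for a, b in zip(sample, self._template)) <= 0.05

    def sign_challenge(self, sample, challenge, origin):
        """Only a local match on the registered origin releases a signature.
        A phishing page relaying the bank's challenge presents a different
        origin, so nothing usable is produced for it."""
        if origin != self.origin or not self._matches(sample):
            return None
        return sign(self._private_key, f"{origin}|{challenge}")


class Server:
    """Relying party: holds public keys only, never a biometric template."""
    def __init__(self, origin):
        self.origin = origin
        self.public_keys = {}
        self.pending = {}

    def register(self, user, public_key):
        self.public_keys[user] = public_key

    def challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def login(self, user, signature):
        challenge = self.pending.pop(user, None)   # single use: a replay finds nothing
        if challenge is None or signature is None:
            return False
        return verify_signature(self.public_keys[user], f"{self.origin}|{challenge}", signature)


TEMPLATE = [0.90, 0.10, 0.40, 0.20]         # constructed, stays on the device
OWNER_SAMPLE = [0.88, 0.12, 0.41, 0.19]
STRANGER_SAMPLE = [0.10, 0.90, 0.30, 0.50]


def run_scenarios():
    """Genuine login, replay of the same signature, phishing relay, stranger."""
    device = Device(TEMPLATE, "bank.example")
    server = Server("bank.example")
    server.register("alice", device.public_key)

    c = server.challenge("alice")
    sig = device.sign_challenge(OWNER_SAMPLE, c, "bank.example")
    genuine = server.login("alice", sig)
    replay = server.login("alice", sig)

    c = server.challenge("alice")
    phished = server.login("alice", device.sign_challenge(OWNER_SAMPLE, c, "bank.example.evil"))

    c = server.challenge("alice")
    stranger = server.login("alice", device.sign_challenge(STRANGER_SAMPLE, c, "bank.example"))
    return {"genuine": genuine, "replay": replay, "phished": phished, "stranger": stranger}


if __name__ == "__main__":
    print(run_scenarios())   # {'genuine': True, 'replay': False, 'phished': False, 'stranger': False}
```

This is why a compromise of the server's user database yields public keys rather than a store of faces or fingerprints, and why a relayed challenge from a look-alike domain gets nothing from the authenticator: the credential is scoped to the origin it was registered with, and the server additionally folds its own origin into the signed message. Note the caveat that comes with the toy parameters: with `Q=101` a randomly guessed signature would verify by chance about one time in 101, which is exactly why real deployments use group sizes where that probability is negligible.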
Biometrics and regulatory compliance
Biometrics help organizations meet the Strong Customer Authentication (SCA) requirements of the European Union’s Second Payment Services Directive (PSD2), which are regulations for electronic payments services. Under the SCA requirements, authentication must be based on two or more of the following factors: knowledge (such as passwords or PINs), possession (such as tokens or mobile devices) or inherence (biometrics).
Under the EU’s General Data Protection Regulation (GDPR), two-factor authentication is required for compliance. That means a simple username and password combination no longer provides enough security for data protection since passwords can easily be stolen, shared, or exploited. Instead, two-factor authentication, or 2FA, is used to identify a person when two of the three possible factors of authentication are combined to grant access to a website or application: something the person knows, something the person has or something the person is, which involves the use of biometrics such as a fingerprint or facial scan.
In the U.S., the largest state regulator, the New York Department of Financial Services, issued a regulation entitled Cybersecurity Requirements for Financial Services Companies. It requires the use of multi-factor authentication, which includes biometrics, “to protect against unauthorized access to non-public Information or Information systems.” The non-public information is the individual’s private information.