As our world becomes more digitalized, the information we want to keep private is increasingly at risk – and yet no one wants that information protected by cumbersome security measures which do not fit in with our pace of living. As such, the stage seems to be set for the large-scale adoption of super-convenient biometric technology, especially on mobile devices. Different forms of biometric security have already begun working their way into the banking and payments industries; among these are face, fingerprint, iris, palm, vein and voice.
Everyone with a stake in digital banking security has been tracking the rapid developments in biometrics and debating the technology’s usefulness in the battle against cybercrime. There is little doubt that biometrics will play an important role in securing mobile services, particularly when viewed from the perspective of user convenience. But it is also fair to point out that biometrics can place enterprises and their customers at risk if deployed as the sole means of user identification and transaction authentication.
SLICK DOES NOT EQUAL SAFE
To effectively secure high-risk transactions, banks and other financial service providers need a strong base layer of security, such as that offered by Entersekt’s Transakt platform, to which biometrics can be added via a flexible plug-in as required for increased risk levels or improved user experience.
Unlike usernames and passwords, which we can change at will, we only have one set of biometric data. If it falls into hackers’ hands, it can no longer be trusted for authentication. The consensus amongst industry experts, such as the FIDO Alliance, is that we must limit the exposure of our private biometric data by not sharing it, and instead keeping it locked down on our personal devices. Even then, our biometrics are still only as safe as the technology of our devices allows them to be. Devices can be rooted or jailbroken, and their owners often engage in risky behavior.
Attackers have already figured out how to bypass many of today’s biometric solutions, and the fight for supremacy between financial service providers and hackers will only intensify over time. Biometrics can play a valuable role in user verification, but for the strong authentication of users and sensitive transactions, more than one authentication factor must be in place. As we explained in a previous blog post, the three possible factors are knowledge (something the user knows), possession (something the user has), and inherence (something the user is). This means that even so-called dual biometrics, which entails using, for example, both a fingerprint and a “selfie” for authentication, does not qualify as strong authentication, because both mechanisms belong to the same factor.
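To make the factor argument concrete, here is a small policy check (an added example, not Entersekt’s code; the authenticator-to-factor table is an assumption) that classifies a set of authenticators by factor and accepts a combination as strong only when it spans at least two different factors, so that fingerprint plus selfie is rejected while fingerprint plus a device-bound certificate passes:

```python
"""Factor-based check for an authentication policy: two authenticators
only count as strong (multi-factor) authentication when they come from
different factor classes. Constructed example; the factor names follow
the post, the authenticator catalogue below is an assumption."""
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Assumed mapping of common authenticator types to their factor class.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,           # the "selfie" check
    "iris": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
    "device_certificate": Factor.POSSESSION,  # key bound to the handset
    "hardware_token": Factor.POSSESSION,
}


def factors_used(authenticators):
    """Return the set of distinct factor classes the authenticators cover.
    Unclassified authenticators are an error, not silently ignored."""
    unknown = [a for a in authenticators if a not in AUTHENTICATOR_FACTOR]
    if unknown:
        raise ValueError(f"unclassified authenticator(s): {unknown}")
    return {AUTHENTICATOR_FACTOR[a] for a in authenticators}


def is_strong_authentication(authenticators):
    """Strong authentication needs at least two *different* factors; two
    inherence checks (fingerprint + face) collapse to a single factor."""
    return len(factors_used(authenticators)) >= 2


def explain(authenticators):
    """Human-readable verdict for reviewing a proposed login or transaction flow."""
    names = sorted(f.name for f in factors_used(authenticators))
    verdict = "strong" if is_strong_authentication(authenticators) else "NOT strong"
    return f"{', '.join(authenticators)} -> factors {names}: {verdict}"


if __name__ == "__main__":
    print(explain(["fingerprint", "face"]))                # dual biometrics: NOT strong
    print(explain(["fingerprint", "device_certificate"]))  # inherence + possession: strong
```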
Doing it right
Identity theft and account takeover strategies are increasing in sophistication and impact, making the balance between user experience and security more complex – and more challenging – than ever. As is proven almost daily, no single security measure will hold for long against persistent attacks from cybercriminals. It is only by layering cutting-edge technologies such as digital certificates with biometrics that an institution will be able to stand up to fraud.
Selecting an authentication solution that combines the highest level of protection with the lowest possible user friction will ensure that financial service providers meet regulatory requirements, as well as user demands, as industry changes advance from all sides.