A recent report from Visa cites research showing that Brits have more faith in their banks than in government agencies when it comes to authentication technologies based on biometrics. The report says that we are nearly twice as likely to trust banks to keep biometric data such as fingerprints and iris scans safe. It also revealed that nearly two thirds of us say the British are willing to use biometrics as a method of authentication.
So does biometric authentication for banking offer a safer alternative to PIN numbers and passwords? If you've seen one of the many demonstrations over the last year of spoof fingerprints made from Plasticine, you might not be quite so quick to adopt it as a primary authentication method.
Barclays, Visa and Mastercard are all offering the technology when it comes to authenticating financial transactions. The Mastercard system went live in the UK earlier this year. Barclays' went live just a month ago. Consumers are able to complete an online purchase without the need for PIN codes, passwords or confirmation codes. Instead, they can download an application to their PC, tablet or smartphone and opt to take a ‘selfie’ picture (Mastercard), which is mapped against a stored image on file to allow payment, or use voice recognition (Barclays).
These are the first of a number of biometric services designed to improve identity verification for mobile phone payments and other wearable devices. Iris scanning will also be coming to a Samsung Galaxy near you pretty soon, too. Samsung Pay says users will be able to use it as a means to authenticate credit card transactions and eliminate fraud.
I can understand the appeal: speed, simplicity and security for consumers wanting to take advantage of the convenience of mobile payments. For Visa and Mastercard, it has the potential to reduce the number of false declines that cost them dearly: in the past year, the value of false declines has hit US$118 billion per annum – more than 13 times the total amount lost annually to card fraud. Removing barriers to purchase increases conversion rates. What's more, every time a user loses their password or PIN, it's a cumbersome process for card issuers to manage.
However, whilst the benefits are obvious, the question still remains: are we too trusting of new biometric technologies? After all, there's no margin for error here. A password can be changed. A face, fingerprint or voice isn't so easy to change if that data is breached and replicated. This technology needs to be completely secure before rolling it out. Security experts have already expressed concerns that it might be easy to spoof the systems – which, after all, are delivered to consumers via an app. Others have highlighted that facial scans and fingerprint sensors can be compromised.
As an industry we need watertight methods of storing this data securely before we play with people's identities. User devices are notoriously prone to penetration by cyber-criminals - whether that's as a result of users adapting their devices or overriding device security parameters, or using non-secure public WiFi when transacting online. Which means biometric data will need to be encrypted to ensure it cannot be stolen – otherwise we open a whole new vector for identity theft.
What's more, rigorous PCI standards already exist to protect users and merchants, especially where liability is concerned should things go wrong. What's not clear in this scenario is whether liability will shift – and to whom. Quite simply, we're in new territory.
In May 2017, just around the corner, the EU's new General Data Protection Regulation (GDPR) brings with it punishing requirements when it comes to sensitive personal data like biometric data – fingerprints, facial recognition, retinal scans and so forth – which must be afforded ‘enhanced’ protection. And that has significant implications for organisations, triggering the need for an organisational Data Protection Impact Assessment if biometric data is processed on a large scale.
Consumer appetite for the simplicity of biometric authentication is here. We just need to ensure that the security technologies it is based on are bulletproof. If handled right, biometric data could pave the way for a more secure, easier way for consumers to transact online. It could hopefully, eventually eliminate fraud for all. But who wants their personal finances put to the testing ground for these new technologies when simple issues like liability have not yet been fully established? Not me. I'll be watching this space closely over the coming year, but won't be staring into an iris scanner in the process. Not just yet.
Contributed by André Malinowski, head of international business, Computop