Barclays has announced the arrival of personal biometric scanners for its corporate clients to combat banking fraud. Finger vein scanners are to be available in 2015, followed by voice recognition technology in phone calls to replace passwords or security questions. It remains to be seen how effective this is with widespread use.
Biometrics is the science of recognising an individual based on his or her physical and behavioural traits. Biometric-based authentication systems are widely considered to be more reliable than established password systems for verifying individuals and ensuring they are who they say they are. Other examples include palm print, face and vein recognition, iris and retina scanning, DNA matching and even odour recognition.
Although not yet commonplace, biometrics are expected to become so over the next three to five years. Currently, the biggest users are governments which have already implemented biometrics into citizen identity documents (such as passports and national ID cards) and it is estimated that by 2015 biometric citizen IDs will outnumber non-biometrics by 4:1. In 2006, the UK joined 40 other countries in introducing e-passports that use facial recognition technology to authenticate citizens.
Biometrics are firmly embedded in the public psyche through science fiction and adventure films such as Minority Report and James Bond. Images of secret agents and heroes using an array of biometric technologies to circumvent or secure systems are familiar. So, although many have limited real-life experience of biometrics, studies have shown that there is already a relatively high degree of acceptance of the idea of biometrics among potential users (more than 70% in the UK).
But there is no blanket acceptance of all biometrics – users have a preference for which types are used and how they are used. One study found the most acceptable application of biometrics was for passports (75%) or ID verification (53%) in official contexts, with credit card verification around 56%. Users were most accepting of fingerprint, hand, voice and keystroke/signature recognition (over 90%), with one third considering iris and retina recognition as potentially risky to their health.
Our research investigated the potential use of biometric authentication systems for online banking. We found that users identified fingerprint scanning as the most suitable method, followed by iris scanning, voice and face recognition.
We also found that the majority of our respondents considered fingerprint biometrics to be more secure than password-based authentication. Interestingly, respondents’ perception or belief that biometric banking was more secure was highly correlated with their understanding of the security risks of online banking. Thus, those potential users that had a good understanding of online security, were more likely to believe that biometric banking was more secure.
Other findings from this study showed that the biometric technology also had to be easy to use and perceived as more secure than traditional security systems to be popular. On this basis, our research suggests that people are ready and willing to adopt fingerprint-based biometric technology for online banking.
There are a number of reasons why biometric authentication technology hasn’t been implemented more widely.
Biometric technologies need to achieve the required 99.9% standard of reliability and accuracy. Biometric authentication currently stands at between 40-95% in real world use. For example, government systems failed to recognise the Boston bombers and those carrying false passports on board the doomed Malaysian flight MH370.
Then there is the issue of proving the biometric “liveness”. So, for example, in films we see eyeballs being removed and fingers getting chopped off to circumvent biometric systems. In real life – somewhat less sensationally – gummy bears and dough have been used to lift fingerprints onto latex moulds of simulated fingers. Barclays is using Hitachi’s finger vein system, which is harder to copy.
But, perhaps most importantly for enterprises, the costs and complexity of designing and deploying a biometric infrastructure are behind the slow uptake of this technology to prevent banking fraud. The costs of hardware, software and processes for verification, validation and authentication can be prohibitive, especially when the technology still provides less than the required 99.9% reliability.
There is also, as yet, no universally-accepted technical and legal standard for the interoperability of systems and consumer biometric data protection. This can lead many organisations to avoid the risks of biometric technology until it is established, proven and less costly.
Another, more general concern with the security of biometric technology is that biometrics are hard to conceal. We leave fingerprints when we touch anything, our eyes and faces are easily captured. Unlike passwords, if your account is breached, you simply change the password, if your biometric is compromised, it remains compromised all your life.
But, ultimately, our research suggests that a large proportion of potential users are willing to adopt biometric banking and the projections indicate that biometrics will be the next big thing in security.