We don't like passwords. We want to access more online and mobile services without having to type combinations of letters, numbers and symbols. Passwords are inconvenient and weaker than the other authentication options available today, because they can be guessed, stolen or cracked. For that reason, we have been reviewing advances in biometric authentication as a more robust and secure authentication factor.

An October 2019 report from Gartner, “Technology Insight for Biometric Authentication,” states that biometric authentication is generally adopted to “…achieve password-less authentication, thereby improving UX/CX (user experience/customer experience) and potentially improving trust and accountability.” This sounds like guaranteed success and a great advantage for financial services organizations when competing for customers.

Password-less biometric authentication for banking

The Gartner report calls mobile banking the “killer app” for biometric authentication (i.e., the use case in which it will soon be indispensable). We believe now is the time for financial institutions to adopt biometric authentication for mobile banking use cases to increase trust and accountability and improve the customer experience, key components for increasing revenue for financial institutions.

Are consumers ready for biometrics in retail and banking?

A recent Visa survey of 1,000 US consumers, for example, says yes. The majority of respondents preferred biometric authentication to password-based authentication:

  • Respondents said biometrics are easier (70%) and faster (61%) than passwords.
  • 52% said they would switch banks if they did not offer biometric authentication in the future.
  • The most commonly cited benefits of biometric authentication among respondents were:
    • No need to remember multiple passwords / PINs (50%)
    • Better security than passwords / PINs (46%)
    • Not forgetting/missing an authentication method (33%)

When measuring the quality of the customer experience, transaction abandonment rates are an important metric. Almost 50 per cent of Visa respondents confirmed that they had abandoned an online purchase because they could not remember their password.

“The CX (customer experience) benefits of biometric authentication have driven an increase in mobile banking applications in recent years,” states the Gartner report. As they evaluate biometric authentication solutions, financial institutions should consider the differences between native device and third-party biometric authentication methods. One advantage of third-party biometric methods, which involve embedding an SDK into a mobile app (such as the one offered by OneSpan), is that banks can serve more customers. Not all users have devices that include native hardware and software for biometric authentication. However, almost all mobile devices include a camera, which can be used to capture a user’s face for biometric authentication.

Is biometric authentication more reliable than other authentication methods?

It can be argued that yes, biometric authentication is indeed more secure than other authentication methods. The key to a reliable biometric authentication system is the ability to detect or prevent impersonation of the biometric feature of a living person. A fingerprint, “facial print” or whatever biometric modality you choose is not simply another form of password or token.

Without additional analysis, there is really no way to know who is providing a password. It is only known that the password was entered and that it matches the password registered in the database. On the other hand, a reliable biometric authentication system with effective liveness detection and spoofing mitigations provides an additional indicator of trust, as it validates the subject/person who is offering the biometric sample for verification, because the fingerprint, face or [insert your favorite biometric modality here] is presented live and is bound to the user in person.

Dispelling a misconception about biometric authentication

According to Gartner, “biometric authentication cannot and does not rely on the secrecy of biometric traits, but relies on the difficulty of impersonating the live person presenting the trait on a capture device (sensor). This last point is not widely known, which leads to some common misconceptions, reinforced by the rare presentation attacks detected on consumer devices and by publicity about attacks perpetrated against Apple Touch ID, Samsung swipe sensors, Android facial recognition, etc.”

You’ve probably heard the criticism that “you can’t change your fingerprint or face if these are ever compromised.” That’s right: you can’t change your biometric traits as if they were a password. However, the idea that a cybercriminal who steals your biometric data will therefore pass the corresponding authentication challenge at the biometric capture point is wrong.

  1. You can’t literally steal someone’s face/fingerprint/etc.
    – Horror movies aside, in reality cybercriminals are not looking to remove (i.e., “steal”) someone’s face or fingerprint from their body. Well-designed biometric systems do not literally store a user’s face or fingerprint. Instead, they store a mathematical representation of the biometric sample enrolled in the system (called a template). A stolen template is not a biometric sample and cannot by itself be presented to the capture device, so on its own it has no value at the point of capture (see point number one highlighted in the image below).

  2. The live presentation of the biometric trait is the backbone – As the Gartner report argues, “in a robust fingerprinting method, it should not matter that an attacker can present an exact copy of a person’s fingerprint; anything other than the person’s actual finger (still attached to their living body) should not work.” A presentation attack consists of an attacker presenting a reproduction of a biometric trait (a spoof, also called a presentation attack instrument) that resembles a stored reference for a legitimate user (e.g. 3D-printed models, masks, printed images, video replayed on a screen, etc.). Liveness detection determines whether the trait presented belongs to a living human or is a digital or fabricated representation. Presentation Attack Detection (PAD) combines spoof detection and liveness detection mechanisms. In some cases, the PAD built into a consumer device may need to be supplemented by a third-party biometric solution. The ISO/IEC 30107 standard establishes a methodology by which the PAD effectiveness of a biometric solution can be measured; part 3 of the standard covers testing and reporting, including the attack presentation classification error rate (APCER) and the bona fide presentation classification error rate (BPCER).
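The two ISO/IEC 30107-3 error rates mentioned above are what a bank should ask a vendor for, so the following added example (written for this page, not code from OneSpan, Gartner or the standard) shows how they are computed from a PAD test run and how the liveness threshold trades one against the other. The presentation labels, liveness scores and the candidate threshold grid are constructed for illustration; a real evaluation would use the attack types and sample sizes defined in the test plan.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Presentation:
    """One presentation to the sensor during PAD testing."""
    label: str             # "bona_fide", or the PAI species ("printed_photo", ...)
    liveness_score: float  # PAD subsystem output; higher means "more likely live"


# Constructed test data: the scores are made up for illustration, not measured.
SAMPLE: List[Presentation] = (
    [Presentation("bona_fide", s) for s in (0.95, 0.90, 0.88, 0.82, 0.75, 0.60, 0.55, 0.92, 0.85, 0.70)]
    + [Presentation("printed_photo", s) for s in (0.20, 0.35, 0.58, 0.10, 0.42)]
    + [Presentation("screen_replay", s) for s in (0.30, 0.62, 0.45, 0.25)]
    + [Presentation("silicone_mask", s) for s in (0.72, 0.50, 0.66)]
)


def pad_metrics(presentations: List[Presentation], threshold: float) -> Tuple[Dict[str, float], float]:
    """Classify each presentation as bona fide when liveness_score >= threshold and
    return (APCER per PAI species, BPCER), the two headline error rates of ISO/IEC 30107-3:
      APCER = attack presentations wrongly accepted as bona fide / all attacks of that species
      BPCER = bona fide presentations wrongly rejected as attacks / all bona fide presentations
    """
    accepted_by_species: Dict[str, List[bool]] = {}
    bona_fide_rejected = 0
    bona_fide_total = 0
    for p in presentations:
        accepted = p.liveness_score >= threshold
        if p.label == "bona_fide":
            bona_fide_total += 1
            bona_fide_rejected += not accepted
        else:
            accepted_by_species.setdefault(p.label, []).append(accepted)
    apcer = {species: sum(acc) / len(acc) for species, acc in accepted_by_species.items()}
    bpcer = bona_fide_rejected / bona_fide_total if bona_fide_total else 0.0
    return apcer, bpcer


def choose_threshold(presentations: List[Presentation], max_apcer: float,
                     candidates: Optional[List[float]] = None) -> Optional[Tuple[float, float]]:
    """Lowest candidate threshold at which every PAI species has APCER <= max_apcer
    (the standard reports APCER per species, so the worst species governs),
    together with the BPCER paid for it. Returns None if no candidate qualifies."""
    if candidates is None:
        candidates = [i / 100 for i in range(101)]
    for t in sorted(candidates):
        apcer, bpcer = pad_metrics(presentations, t)
        if apcer and max(apcer.values()) <= max_apcer:
            return t, bpcer
    return None


if __name__ == "__main__":
    for t in (0.50, 0.65):
        apcer, bpcer = pad_metrics(SAMPLE, t)
        print(f"threshold {t:.2f}: BPCER={bpcer:.2f} APCER={apcer}")
    print("first threshold at which no attack is accepted:", choose_threshold(SAMPLE, max_apcer=0.0))
```

Two things the numbers make visible: a threshold that keeps friction low for customers (BPCER 0 at 0.50) lets every mask through, and the species with the best spoofs (the silicone masks here) dictates the threshold, which is why PAD results should be read per attack type rather than as a single average.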

Of course, the end-to-end security of a biometric authentication system does not stop at presentation attacks on the sensor where the biometric sample is captured. Replay attacks, in which a previously captured sample or verification result is submitted again, are an example of another risk; in many cases, technology that ensures application integrity, such as in-app protection and application shielding/RASP, helps mitigate them. Financial institutions must nonetheless be careful in the design, implementation, distribution and configuration of the biometric authentication solution.
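The replay risk above sits on the link between the app and the bank, where the sensor's liveness check cannot help. The following added example (written for this page; not OneSpan's SDK or any protocol the page describes) shows the standard server-side countermeasure: the bank issues a single-use, time-limited nonce, the app binds its match and liveness outcome to that nonce and authenticates the message, and the server rejects anything replayed, tampered with or stale. It assumes a hypothetical per-device secret provisioned at enrollment and uses an HMAC over a JSON body; the device id, key and clock values are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple


class VerificationServer:
    """Bank-side endpoint that consumes verification results from the mobile app.

    Assumption (not from the page): at enrollment each device was provisioned a
    per-device secret, stored here as device_keys[device_id]. The server never
    receives biometric data; it receives the app's outcome bound to a nonce.
    """

    def __init__(self, device_keys: Dict[str, bytes], nonce_ttl_seconds: float = 60.0):
        self.device_keys = device_keys
        self.nonce_ttl = nonce_ttl_seconds
        self._pending: Dict[str, Tuple[str, float]] = {}  # nonce -> (device_id, issued_at)

    def issue_challenge(self, device_id: str, now: float) -> str:
        """Hand the app a fresh, single-use nonce for one verification attempt."""
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (device_id, now)
        return nonce

    def accept(self, message: bytes, tag: str, now: float) -> Tuple[bool, str]:
        """Validate a submitted result. Order matters: authenticate first, so an
        unauthenticated sender cannot burn another device's pending nonce."""
        try:
            body = json.loads(message)
        except ValueError:
            return False, "malformed"
        key = self.device_keys.get(body.get("device_id"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad mac"
        # pop() makes the nonce single-use: a captured message replayed later finds no entry
        entry = self._pending.pop(body.get("nonce"), None)
        if entry is None:
            return False, "unknown or already used nonce"
        issued_to, issued_at = entry
        if issued_to != body["device_id"]:
            return False, "nonce issued to another device"
        if now - issued_at > self.nonce_ttl:
            return False, "nonce expired"
        if not (body.get("matched") is True and body.get("liveness_passed") is True):
            return False, "biometric check failed"
        return True, "accepted"


def build_result(key: bytes, device_id: str, nonce: str,
                 matched: bool, liveness_passed: bool) -> Tuple[bytes, str]:
    """App side: bind the local match and liveness outcome to the server's nonce and MAC it."""
    body = {"device_id": device_id, "nonce": nonce, "matched": matched, "liveness_passed": liveness_passed}
    message = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def demo() -> List[str]:
    """Run the legitimate flow plus four failure cases against it; returns the server's verdicts."""
    key = b"constructed-per-device-secret"  # stands in for a provisioned device key
    server = VerificationServer({"dev-1": key}, nonce_ttl_seconds=60.0)
    verdicts: List[str] = []

    # 1. legitimate attempt
    nonce = server.issue_challenge("dev-1", now=1000.0)
    msg, tag = build_result(key, "dev-1", nonce, matched=True, liveness_passed=True)
    verdicts.append(server.accept(msg, tag, now=1005.0)[1])

    # 2. replay: the exact same captured message submitted a second later
    verdicts.append(server.accept(msg, tag, now=1006.0)[1])

    # 3. tampering: flip liveness_passed in a fresh message without knowing the key
    nonce = server.issue_challenge("dev-1", now=1100.0)
    msg, tag = build_result(key, "dev-1", nonce, matched=True, liveness_passed=False)
    forged = msg.replace(b'"liveness_passed":false', b'"liveness_passed":true')
    verdicts.append(server.accept(forged, tag, now=1101.0)[1])

    # 4. stale: a genuine result submitted after the nonce expired
    nonce = server.issue_challenge("dev-1", now=2000.0)
    msg, tag = build_result(key, "dev-1", nonce, matched=True, liveness_passed=True)
    verdicts.append(server.accept(msg, tag, now=2100.0)[1])

    # 5. honest app reporting a failed liveness check
    nonce = server.issue_challenge("dev-1", now=3000.0)
    msg, tag = build_result(key, "dev-1", nonce, matched=True, liveness_passed=False)
    verdicts.append(server.accept(msg, tag, now=3001.0)[1])
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two caveats for anyone adapting this. A production design would have the device sign with a hardware-backed asymmetric key rather than a shared HMAC secret, so a server breach does not yield keys that can forge results. And the server still has to trust the `matched` and `liveness_passed` booleans the app computed, which is exactly why the page's point about application integrity (in-app protection, shielding/RASP) matters: nonce binding stops replays and tampering in transit, not a compromised app lying at the source.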