Recent data breaches at Flipboard and Evite are shocking in magnitude and yet should come as no surprise. Both involve hackers stealing vast stores of account data including usernames, email addresses and, of course, users’ passwords. The latter hacking attack culminated in perhaps the most sinister invitation that Evite has ever been associated with: one to purchase the records of ten million Evite users on the dark web. In response to the breaches, each company has naturally prompted its users to reset their passwords.
The fact that hacks such as these have become routine points to a deeper issue: trust in the simple password is woefully misplaced. Roughly 8.2M passwords are stolen every day – or approximately 95 passwords every second. Companies have long recognized the weakness of password-based systems; 81% of hacking-related breaches are due to stolen and/or weak passwords and many large organizations spend up to $1M annually just in password-reset support.
Personal authentication systems can function by verifying one of three different types of credentials. The first includes things users “know”: a password, as well as password reset clues such as our pet’s name, our first elementary school, where we got married, etc. The second includes things we “have”, such as a separate email account, or a mobile phone to receive a code for two-factor authentication. The problem is that enterprising criminals consistently find ways to obtain the data we “know”, whether by hacks, simple-to-guess passwords, or security question answers that can be found through online research. More concerning is that these criminals can access the data that we “have” through spoofing mobile numbers or phished email accounts. The most secure and hardest-to-spoof authentication requires a third kind of data: that which we “are.” Far from just a fingerprint or facial scan, biometric authentication can identify people through unique factors including their voice, the way they type, how they walk, or even how their eyes move.
However, users are wary about new security measures. A recent Paysafe report found that over 80% of consumers favor passwords over biometrics due to security concerns and that 66% worry about being able to pay for goods or services without being asked for a password. Irrationally, 56% of consumers worry that shifting to biometrics to authenticate online payments will lead to large increases in identity fraud.
Overcoming these fears and misconceptions for users should be a consideration for any organization as biometrics offer two key benefits for any fintech customer.
1) Identification and account access is simpler. Whereas passwords place the responsibility for security on the users – and can be tremendously frustrating when forgotten – biometrics remove that responsibility entirely. Analyzing a fingerprint, face, or voice is fast and easy, and doesn’t require a sophisticated password management system or an extraordinary memory. Some biometric systems are so unobtrusive as to be entirely imperceptible, and can verify a user’s identity passively as soon as a user begins interacting with an application. This shifts the responsibility and effort of authentication from the user to the technology. In this case, the best user experience is no user experience, and the strong incentive of seamless access stands to lead to increased demand for, and adoption of, biometrics.
2) Account security can be stronger. Contrary to some users’ concerns, tying authentication to one’s unique biology makes unauthorized access extremely difficult for attackers, since attempts to impersonate users can be flagged and stopped immediately. Biometrics can authenticate continuously – if someone leaves a public computer while logged in or loses a cell phone with no screen lock, biometrics can determine that the authorized user is no longer present and deny access instantly, in real time. Biometrics can also detect if a bad actor is attempting to fool the system using a voice recording, a high-resolution image or video, or synthesized speech. Whereas a stolen cell phone can give fraudsters access to an account and allow them to receive the text message or email confirmation of a two-factor authentication system, biometrics protect users even when devices have been compromised. And combining biometric modalities – like confirming a face while simultaneously analyzing a user’s swiping behavior or voice – offers heightened security far beyond what passwords and security questions can offer. Given the profoundly negative experience when security measures fail, biometrics will earn their rightful reputation as a superior security strategy and win over users as the technology becomes more commonplace.
Indeed, there is increased user exposure to, and familiarity with, biometrics. One driver is governmental regulation mandating stronger data security measures, like Europe’s Revised Payment Services Directive (PSD2) and its requirement of Strong Customer Authentication (SCA) for ecommerce and mobile commerce. Under it, European businesses and organizations will have to integrate authentication that includes two of the three following types: something the user “knows” (such as a password), “has” (such as a device), or “is” (such as biometrics). As regulatory pressure leads businesses to strongly consider biometrics, companies leveraging this trend will benefit from consumers regularly encountering and engaging with the convenience and ease of biometric systems.
Just as consumers were once reluctant to adapt to ecommerce, only to embrace it once they realized the convenience and improvements it brought, biometric security is undergoing a similar evolution. There are positive signs in this regard. Paysafe’s research found mobile commerce – especially among the younger set – to be a major driver of biometrics adoption, with 69% of 18-to-24-year-olds using biometrics for online payments compared to just over 10% of those over 65. As young adults and digital natives embrace biometrics as part of their online habits, they’re simultaneously shaping a future in which personal data is far more secure.
Alexey Khitrov is president and CEO at ID R&D, a biometric solutions provider offering proprietary AI-based behavioral, voice, and anti-spoofing user authentication capabilities.