By Emilie Casteran, Head of Digital Strategy, Banking and Payment, Gemalto
In the past, technology that could identify us by our biometric data was something we only saw in science-fiction:from facial recognition technology used in Star Trek, to Marty McFly using his fingerprint to authenticate payments in Back to the Future. But over the last few years, developments in technology have demonstrated a world in which our face, voice, eyes and fingerprints can be used to identify and authenticate us.
With huge strides being made in biometric technologies, the end of the PIN and password could soon become a reality.Fingerprint authentication is already very common when unlocking our smartphones, while services like ApplePay and SamsungPay have allowed early adopters to pay for things just by tapping their thumb on their phone. But soon biometrics could be the way to secure other proximity payment methods, online/eCommerce payments and a wide range of financial applications.What’s more, the latest open banking initiatives and new regulatory frameworks, such as PSD2, are set to increase the pressure on financial institutions to ensure robust protection of customer data and funds. In addressing these challenges, biometrics can play a central role in the quest to combine security with usability.
Since Apple introduced the fingerprint sensor into the iPhone, some consumers have been enjoying the convenience and security of using their fingerprint to authenticate their payments. Now steps are already being taken to trial biometrics in card payments. One such development is the recent introduction of the biometric EMV card with fingerprint recognition technology. This replaces the traditional PIN code which, along with passwords,could become an outdated form of verification in the next few years.
Passwords are frustrating for the consumer; they’re easily forgotten, and we have too many to keep track of. Having your fingerprint linked to your bank card is not only convenient, but it provides a feeling of personal security that’s embedded into the payment method. As user data is stored on the card, not on a central database, customer details are protected if the bank was to suffer a cyber-attack. Likewise, if the card was to become lost or stolen, users can be safe in the knowledge that their fingerprint cannot be replicated. While the card is currently in trial stages, this is an indication of how biometrics can transform our financial services in the years to come.
But it’s not just about making payments. Biometric technology will have a major role to play in verifying user’s identities, enabling a new era of Open Banking and helping to prevent fraud.
PSD2 and Open Banking
Multifactor authentication will soon be a requirement of industry regulation. A crucial element of the impending PSD2 regulation, and something that’s critical to the Open Banking scheme that’s just launched in the UK,is the need for banks to provide ‘Strong Customer Authentication’ (SCA) to protect users against external threats whilst not compromising their experience. Banks will need to verify an identity using at least two different authenticators. The regulation states this as ‘something you have’, ‘something you know’ and ‘something you are’, which could be translated as your device, your PIN number and a biometric feature.
Since the introduction of fingerprint readers into phones, several leading banks integrated the technology into their apps. Now, the multifactor authentication requirements of PSD2 mean that all remaining European banks should at least be considering doing the same. By supporting the use of biometric authentication via a mobile device – whether fingerprint or other methods such as facial recognition – banks can provide a solution that combines security with usability, creating a better user experience. Most two factor (2FA) techniques currently send a special code to the user’s mobile phone to use in conjunction with a password. But just as someone could steal their password, a hacker could intercept a text, or spy on the phone. In comparison, a request to provide biometric information on a mobile device is much more secure.It’s also a much more convenient, seamless process when compared to the card readers and hardware tokens many banks still use to provide an additional security layer – where customers not only have to carry another device with them, but also end up manually copying one-time passwords to gain access.
There is also a role for biometrics in fraud prevention, but rather than use physiological characteristics like a fingerprint, banks can look at how consumers behave on a mobile app or website. These patterns include the way the user moves a mouse, types on a keyboard or swipesa mobile screen. We all have distinctive ways of interacting with our devices, clearly distinguishable from the behaviour of a bot.By combining machine learning, artificial intelligence, and behavioural biometric authentication it’s possible to intelligently and automatically identify any unusual behaviour, requesting an additional layer of authentication if necessary.
Banks must acknowledge that implementing biometrics as part of a wider authentication process is the key to balancing security and convenience. Once they do, this is where the opportunity for further innovation lies. It provides banks with the differentiator which they need to maintain a competitive edge and deliver on the promises of open banking in a convenient way. And while fingerprint recognition is the most common use today, we’re already seeing major strides in other biometric identifiers, from facial recognition in the new generation of iPhones, to voice or eye analysis.
Clearly, biometric technology is no longer out-of-reach and represents a new reality for security in banking. The revolution was kick-started by the introduction of fingerprint recognition into our phones and is moving into a new stage with the development of biometric EMV cards. Banks must be brave and disassociate themselves with legacy systems of authentication, as well as recognise that biometric technology helps construct the perfect balance between improved security and an uncompromising user experience.