Author: Penny Webb, PWebb@profitstars.com
There has been a lot of talk (and some actual movement) in the financial services industry around the increased use of biometrics. The use of biometrics as a layer of security has long been an option for authentication efforts initiated from a personal computer, but there was lackluster acceptance in most segments of the payments industry. Thanks to rapid expansion in the mobile space, however, expanded use of biometric security is now one of the fastest-growing means of authentication, while reliance on traditional passwords as a primary source of identification is becoming obsolete.
Apple’s incorporation of a fingerprint scanner in its latest smartphone models is one primary factor in bringing biometrics to the forefront for mobile and alternative payment security. The iPhone fingerprint sensor is clearly a front runner and the most widely recognized biometric security feature in use today. Many companies have jumped on Apple’s Touch ID bandwagon as a means of handling payment authentication.
Not all smartphones have a fingerprint scanning device, but they all have a camera and voice recorder. Enter the selfie as a biometric screening option. While talk of facial pattern recognition as a means of authentication started in earnest in 2013, institutions such as USAA, MasterCard and Barclays are a few of the companies leading the charge by including it in product releases in 2015. This year, USAA will offer its customers face recognition and voice recognition as authentication options. MasterCard and Barclays have face recognition pilot programs underway with the expectation of deployment later in the year.
How face recognition and voice recognition work
The facial recognition feature uses the smartphone or PC’s camera to view the customer’s face. It also requires the user to blink on demand in order to verify that what it’s seeing is an actual person rather than a photo. The phone or PC captures a photo to complete the payment authentication.
In the case of voice recognition, the institution securely stores a recording of a customer’s voiceprint. When initiating a payment, the user is required to read a randomly generated phrase on cue so that their speech patterns can be verified by comparing them against the stored patterns.
Although some institutions’ solutions store an actual photo, fingerprint or voice recording, in most cases the solution stores a unique code generated by an algorithm based on data derived from those original sources. For each new authentication attempt, the device uses the same algorithm to extract a new code from the fresh fingerprint, picture or voice recording, then compares the new code against the stored one to determine if they are similar enough to warrant authentication. This method restricts the user’s (or the financial institution’s) ability to recreate the original source data and reuse it to thwart the authentication system.
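The enrol-then-compare flow described above, as an added sketch that is not taken from any vendor's product. It assumes a sign-of-random-projection bit template as a stand-in for the proprietary algorithms, uses constructed feature vectors, and sets the "similar enough" limit for a modelled false accept rate of 1 in 100,000; all function names are hypothetical.

```python
import math
import random

BITS = 256  # template length; an assumption for this sketch
DIM = 256   # size of the constructed feature vectors

def make_projection(seed=1):
    """Fixed random projection shared by enrolment and verification."""
    rng = random.Random(seed)
    return [[rng.gauss(0, 1) for _ in range(DIM)] for _ in range(BITS)]

def extract_template(features, projection):
    """Reduce a feature vector to bits: the sign of each projection."""
    return [int(sum(w * x for w, x in zip(row, features)) > 0)
            for row in projection]

def differing_bits(a, b):
    return sum(x != y for x, y in zip(a, b))

def false_accept_rate(max_diff):
    """Chance an unrelated template differs in <= max_diff bits, modelling
    its bits as independent fair coin flips (an idealised assumption)."""
    return sum(math.comb(BITS, k) for k in range(max_diff + 1)) / 2 ** BITS

def threshold_for(target_far):
    """Largest allowed bit difference whose modelled FAR stays <= target."""
    t = 0
    while false_accept_rate(t + 1) <= target_far:
        t += 1
    return t

def verify(stored, fresh, max_diff):
    return differing_bits(stored, fresh) <= max_diff

def demo():
    rng = random.Random(42)
    proj = make_projection()
    enrolled = [rng.gauss(0, 1) for _ in range(DIM)]    # constructed sample
    retry = [x + rng.gauss(0, 0.2) for x in enrolled]   # same user, sensor noise
    stranger = [rng.gauss(0, 1) for _ in range(DIM)]    # constructed, unrelated
    stored = extract_template(enrolled, proj)
    limit = threshold_for(1e-5)
    return {
        "limit": limit,
        "exact_match": stored == extract_template(retry, proj),
        "genuine_accepted": verify(stored, extract_template(retry, proj), limit),
        "stranger_accepted": verify(stored, extract_template(stranger, proj), limit),
    }

if __name__ == "__main__":
    print(demo())
```

The fresh template never equals the stored one bit for bit, which is why the comparison is a distance check against a limit rather than the exact hash match used for passwords.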
Other emerging biometric security methods
A few other biometric options that are in their infancy are Vein Pattern Scanning and the Digital Tattoo. In Vein Pattern Scanning, the palm of the hand is scanned in a manner similar to the techniques used in a fingerprint scan. The individual patterns are used as payment confirmation. Google’s Advanced Technology and Products group, in partnership with VivaLnk, developed the Digital Tattoo. It consists of a nickel-sized, paper-thin adhesive which is worn on the skin. This product’s initial application provides electronic authentication to unlock the user’s smartphone. It remains to be seen whether this technology can transition to the payment space.
Microsoft is also jumping into the mix with a new product called Hello, which is designed for use with the Windows 10 operating system. MS Hello uses face recognition for its layered authentication approach. The Microsoft solution will not use the PC’s standard camera but will require an infrared camera; Microsoft reported that it didn’t feel the standard camera approach was secure enough. In a statement from Microsoft, “Windows Hello has a 1 in 100,000 false accept rate, which is very high. It’s a lot safer than a password, which we know, can easily be forgotten, lost, stolen or hacked.”
A true multifactor approach to authentication has long been a requirement for financial institutions. Relying on passwords or other currently available sources for authentication will no longer be enough to authenticate customers and make payments secure. As biometric options mature, their expanded use as part of the payment and authentication process may substantially strengthen authentication efforts in the future, potentially making the online environment much safer for us all.