If you work in the payments space, you would need to have been behaving like an ostrich with its head in the sand to miss the increasingly large barrage of persuasive arguments from those with supposed expertise in the area proclaiming the new messiah of biometrics. David Parker writes
Biometrics, in one form or another – and they range from palm vein scanners and heart beat recognition to facial identification and brain wave pattering – are forecast to be the perfect security future.
Why are biometrics the perfect future?
They offer great security that cannot be beaten; after all, no two of us are the same.
This promises a future where, using our unique traits, we can log in and authenticate with financial institutions safe in the knowledge that they know it is the right person.
The most important question to ask is: What do consumers think of this nirvana? After all, the first question about anything new is: Will your customers use it? If you introduce it, will your customers switch to another service they find easier to use?
As ever with the research and analysis of potential consumer behaviour, not everyone agrees. But as one might expect, Visa and MasterCard have been strong supporters in their research:
- MasterCard: 90% of participants in a pilot indicated that they would like to replace their password with biometric identification definitively. Almost 75% of users were convinced that biometric payments will decrease fraud.
- Visa EU: 68% of consumers want to use biometrics as a method of payment authentication.
There have also been other supporters. Research by Telstra Global highlighted that the majority of US consumers using mobile banking applications prefer mobile devices to feature biometric authentication instead of passwords and usernames.
It also found that 66% of US consumers feel that biometric authentication would be more secure and help decrease the risks of fraud, while 25% stated that they would even consider sharing their DNA with their financial institution in exchange for a more simplified authentication process.
Socure also carried out research and found that 52% of customers would rather use biometrics as an alternative to traditional passwords.
So there we have it, a nice and simple slam-dunk: consumers want biometric authentication. However, there are always two sides to any research story.
GMX research found that more than 60% of the UK public would rather use passwords than biometric logins, while more than 40% do not want companies to have any access to their biometric data. In total, 41% of respondents said they are afraid that a malfunction in biometric technology will leave them locked out of their own accounts, while 33% of people said they are concerned that their biometric information could be compromised by criminals.
In the US the picture is similar. Research from Email.com found that 42% do not want companies to collect, save and use personal data. Some 42% were worried about not being able to access their online accounts in case of a malfunction, and 30% were concerned about online criminals thwarting biometric authentication methods. Finally, 9% said that they find the use of biometric data free of risk.
So do consumers want it?
Choose your answer and there is research to support it. However, picking up on the point of criminals and risk is key to the second issue. Does biometrics provide the security? Well, it took only days for the Apple 5S fingerprint scanner to be hacked.
If we look to voice biometrics, surely that is foolproof as we are continually told how unique each person’s voice is. Well yes and no. You see, those nice people that brought you picture editing software have announced they are working on a similar programme where you can edit people’s voices: Adobe has announced it is working on an audio version of Photoshop.
The software was announced at this year’s Adobe Max event, headed by developer Zeyu Jin. After analysing 20 minutes of speech from a given source, VoCo can accurately recreate the source’s voice, and configure that voice into new words and phrases that were not present in the original clip.
By using a simple text box, users can add new words into the speech, seamlessly recreating a voice to edit a given clip in any number of ways.
So voice biometrics, already launched by Barclays and HSBC, now starts to look rather less than 100% secure. After all, the point of this is to stop you having to go through some of the rigours of normal security questions, but if the person talking could be anyone, then you are back to square one and need full security and passwords.
Criminals are, in many ways, brilliant business people. They assess the effort required versus the potential reward, and make a simple business decision: Are the rewards greater than the effort? As was shown by the recent Tesco hack, where NFC-enabled phones were used for the transactional element, they will exploit any flaw.
The point that I think a lot of biometric solutions miss is: do you trust an organisation to collect and authenticate your information? Perhaps even more importantly: How do they know the biometric data they collect is actually for the person they say it is for?
Someone could steal my ID uses it to create biometric data on themselves. This then gets passed around to other parties; all of a sudden my biometric security is compromised.
The issue is how to ensure the biometric data captured in the first place really is attributable to the person whom it says it is for.
The hurdle the payments industry faces is that – with consumers in many respects still highly sceptical of biometrics – if any one solution is launched and significantly compromised, how far back will it set the whole process of creating new forms of biometric identification?