Biometrics in Payment & Banking – an Uneasy Partnership

No form of single factor authentication has ever provided an optimal level of security. As technology moves forward, biometrics has been introduced into the world of payments to enhance security and convenience. Rightfully so, as a form of authentication, biometrics is here to stay.

Traditionally we talk about three types of authentication:

  1. Something you know (e.g. a password)
  2. Something you have (e.g. a physical token)
  3. Something you are (i.e. biometrics)

But if we want to solve the challenges in a meaningful and sustainable way we must also think about identity management in terms of static and dynamic authenticators as well as multi-multi-factor authentication.

Static Authenticators – something that, once known to someone else, must either be changed or can never be changed. A password can be changed, but security information like your mother’s maiden name, once known, cannot safely be used again. Biometrics fall into this category: you cannot change your fingerprints or your retina.

Dynamic Authenticators – something that changes every time you use it (e.g. the numbers on RSA tokens), or at least fairly frequently (e.g. a salt in a one-way hash).

Multi-Multi-Factor – an extension of two-factor authentication (2FA), such as a password / PIN plus a token of some sort, to 3FA with multiple inputs of each factor. This is often the only way to provide sufficient identity assurance when, for example, large sums of money are at stake.
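The static/dynamic distinction and the multi-factor policy described above can be made concrete in code. The following is an added example, not code from the original article: the `Authenticator` and `Policy` classes, the demo functions and the sample PIN, token seed and fingerprint "template" are all constructed for illustration. The dynamic authenticator is modelled as an RFC 4226 HOTP counter-based code, the static ones (PIN, fingerprint match) as a fixed stored value. The `replay_demo` shows why a captured dynamic code is worthless on second use while a captured static value keeps working, which is exactly the property that makes a leaked biometric irreversible.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Added example, not from the original article. All names and secrets below
# are constructed for illustration.

FACTORS = {"know", "have", "are"}  # the three classic categories from the text


def hotp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically
    truncated to `digits`. Every counter value yields a different code, which is
    what makes this a dynamic authenticator in the article's sense."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def static_secret(value: str) -> bytes:
    """Stored form of a static authenticator (a PIN or a biometric template)."""
    return hashlib.sha256(value.encode()).digest()


@dataclass
class Authenticator:
    name: str
    factor: str       # one of FACTORS
    dynamic: bool     # True if the expected value moves on every use
    secret: bytes     # HOTP seed (dynamic) or hashed reference value (static)
    counter: int = 0  # only used by dynamic authenticators

    def verify(self, presented: str) -> bool:
        if self.dynamic:
            expected = hotp_code(self.secret, self.counter)
            ok = hmac.compare_digest(expected, presented)
            if ok:
                self.counter += 1  # an accepted code is never valid again
            return ok
        # Static: the same stored value is compared on every attempt. A stored
        # fingerprint template behaves the same way: nothing ever rotates.
        return hmac.compare_digest(static_secret(presented), self.secret)


@dataclass
class Policy:
    min_factors: int         # distinct categories that must pass
    min_authenticators: int  # total authenticators that must pass

    def evaluate(self, results) -> bool:
        """results: list of (Authenticator, passed) pairs from one login."""
        passed = [a for a, ok in results if ok]
        categories = {a.factor for a in passed}
        return (len(categories) >= self.min_factors
                and len(passed) >= self.min_authenticators)


def build_demo():
    pin = Authenticator("consumer PIN", "know", False, static_secret("4821"))
    token = Authenticator("OTP token", "have", True, b"constructed-token-seed")
    finger = Authenticator("fingerprint", "are", False, static_secret("template-A"))
    return pin, token, finger


def replay_demo():
    """Returns ((token_first, token_replay), (pin_first, pin_replay)): a code
    observed once in transit fails on replay, a static value does not."""
    pin, token, _ = build_demo()
    observed_code = hotp_code(token.secret, token.counter)
    token_first = token.verify(observed_code)
    token_replay = token.verify(observed_code)
    pin_first = pin.verify("4821")
    pin_replay = pin.verify("4821")
    return (token_first, token_replay), (pin_first, pin_replay)


def multi_multi_factor_demo():
    """A policy demanding all three categories: PIN + token alone covers only
    'know' and 'have'; adding the fingerprint satisfies 3FA."""
    pin, token, finger = build_demo()
    policy = Policy(min_factors=3, min_authenticators=3)
    two = [(pin, pin.verify("4821")),
           (token, token.verify(hotp_code(token.secret, 0)))]
    three = two + [(finger, finger.verify("template-A"))]
    return policy.evaluate(two), policy.evaluate(three)


if __name__ == "__main__":
    print("replay:", replay_demo())                 # ((True, False), (True, True))
    print("3FA:", multi_multi_factor_demo())        # (False, True)
```

In a real deployment the biometric match happens on the device's sensor and only a yes/no (or a signed assertion) reaches the verifier, but the policy logic is the same: the verifier counts which categories passed, and a static factor that has leaked has to be paired with a dynamic one because it cannot be rotated.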

The biggest challenge for biometrics is how do you make multi-multi-factor authentication simple enough for the end-user so that it’s actually adopted? How do you satisfy privacy concerns? Furthermore, how do you get this technology down to the end-users? Innovation without practical application is meaningless.

The complexity involved in preserving existing infrastructure and investment adds to the challenge. Just because the password is far from ideal and biometrics can offer a significant advance in convenience does not mean the financial industry is going to throw away millions of pounds in infrastructure investment overnight.

Finally, the inability of almost all biometric technologies to accommodate users with disabilities that affect the trait being measured, together with unacceptable rates of false positives, really leaves one logical conclusion. The predicted explosion in the use of biometrics has not happened because biometrics, by itself, cannot resolve the financial industry’s authentication problem.

The solution lies in creating a ‘bridge’ linking the past to the future through a combination of authentication factors triggered by a universally adopted authenticator (the Consumer PIN) with multiple other ‘invisible’ authenticators including biometrics.

The only device that can bring all of this together seamlessly and globally is the smartphone. Everything from PINs, to fingerprints, to voice recognition, to geo-location, to device registration and data encryption can all be handled by the smartphones of today.

It will take time for the financial ecosystem to catch up and actually be capable of integrating these technologies (and regulation / legislation may delay some necessary innovation), but the future of authentication is already here … ready and waiting.