The Potential of Biometrics
Understand its uses for banking customers and employees
- By Bill Spence
- Aug 01, 2017
Many financial institutions
are looking to biometrics
to enhance customer trust
and convenience, and for
securing the bank enterprise
and facilities. Proper implementation
is critical. Geography and culture matter,
there is no silver bullet, and there are multiple
modalities available, from face to vein.
When implementing biometrics solutions
there are a number of issues to consider,
choices to make, and implementation directions
to take, each with their own implications
for fulfilling the promise of biometrics
Security and Trust
One of the biggest challenges facing banks
is how to provide secure and trusted services
while substantially improving customer experience.
We are reminded in headline after
headline that fraud is an ever-present and
increasing threat, but the value of consumer
trust is no less important. Paramount to establishing
complete trust in transactions is a
focus on the customer experience, and bank
customers are demanding a seamless and
consistently satisfying experience across all
service channels. Employees also want a better
user experience while their employers demand
security. These twin goals of security
and convenience must be achieved without
increasing cost or complicating the compliance
Biometrics solutions meet these needs, enabling
banks to cultivate customer loyalty and
boost acquisition. They can also be used to improve
the employee experience and efficiency.
Plus, biometric solutions can offer the
simultaneous benefit of supporting multiple
strong authentication methods. For
instance, in the consumer space, as EMV
enhanced the security of the card, so biometrics
can enhance the security of the
PIN—while creating a much more convenient
experience for the bank customer (see
Fig. 1). Other mix-and-match authentication
options include card and biometric,
phone and biometric, and “deviceless” solutions
that combine an account number
and biometric. Biometrics solutions also
enhance productivity through faster transactions
and the elimination of passwords.
When biometrics is used for customer
authentication it improves convenience while
reducing fraud. Solutions can be used across
multiple channels, from online and mobile
banking to transactions at the ATM, the teller,
a call center and a safe deposit box. Key
questions to ask include where the authentication
will take place – at the teller and, if so,
is the implementation fixed or mobile? When
using biometric sensors on mobile applications,
it is important to know that there are
major variations in liveness detection—if it
even exists today on the phone.
Biometrics also can be used for employee authentication. In these
applications, solutions enhance productivity and security. Applications
include logical access for networks, shared workstations, call
centers and remote applications. Biometrics also can be used for
transaction verification in applications including working with customer
records and processing approvals. Finally, biometrics authentication
is ideal for controlling physical access to ATMs, branches
and safe boxes. Citibank is already using fingerprint biometrics for
employee logon to ease password frustrations, which also enhances
the customer impression that security is taken seriously.
There are many choices of biometric modalities, from face, iris
and vein to voice and either conventional or multispectral fingerprint.
Choosing between these and other options requires an evaluation of
their comparative ease of use, ability to detect fakes, interoperability,
and—if needed—the modality’s availability for mobile applications.
Fingerprint is one of the most popular modalities, with Yole Développement
forecasting that demand in consumer applications will
push total volume shipments 19 percent through 2022 to $4.7 billion.
Realizing the Full Benefits
of Fingerprint Biometrics
The most effective deployment of any biometric modality requires
the right capabilities for image capture, liveness detection, and reliable
template matching. A recent study by the research firm Novetta
describes a new way to evaluate fingerprint technologies in user-focused
commercial applications like banking, where security-focused
biometric performance criteria have traditionally been used to certify,
rank, and differentiate between fingerprint technologies. More important
for these public-facing applications are ease of use, availability,
and convenience, which depend on three key issues: the quality
of the biometric data that is captured, the use of liveness detection to
enhance trust, and the level of matching performance and interoperability
across different devices.
Image is everything in any biometric. Bad images lead to bad decisions.
Many customers choose sensors that use multispectral imaging
because it collects information about the sub-surface fingerprint in
order to augment available surface fingerprint data. The skin is illuminated
at different depths to deliver much richer data about the
surface and sub-surface features of the fingerprint. Additionally, the
sensor is able to collect data from the finger even if the skin has poor
contact with the sensor because of environmental conditions or finger
contamination. Multispectral sensors also have an uncoated glass
platen that resists damage from harsh cleaning products.
Equally important is liveness detection, or the ability to detect fake
fingerprints. This capability influences both security and privacy protection.
Security is sensor-dependent, with some modalities more resistant
to spoofs than others. The most resistant sensors facilitate a realtime
determination that the biometric characteristics presented are
genuine and are being presented by the legitimate owner, rather than
someone impersonating them. This requires the use of advanced machine
learning algorithms so that the solution can adapt and respond
to new threats and spoofs as they are identified. With this technology
in place, privacy is also protected – if you can’t use a fake finger, then
even if you did obtain someone’s fingerprint data, it is meaningless.
Furthermore, if the data is useless, why would fraudsters try to capture
it? Strong and updatable liveness protection is absolutely critical if
biometrics are to eliminate the need to use PINs or passwords.
Systems must be implemented correctly with regards to data, encryption
and the overall system architecture, with requirements dependent
on multiple factors. For example, where does the biometric
template reside? How and where is enrolment performed? Will the
authentication point be fixed or must it be mobile? There are several
backend implementation choices to consider, including match on
ATM PC, match on phone, match on sensor and match on server.
Each has its own pros and cons and the additional option of encrypting
with tamper resistance.
For instance, the match-on-phone approach offers the advantages
of a simplified backend. The user chooses the biometrics modality,
is trained to use it, and controls the template. The phone’s biometric
sensor does it all—captures the fingerprint, checks liveness, and generates
the template. But, as mentioned earlier, “cons” include varying
degrees of spoof protection, if it is even available. Plus, there is a consolidation
of all authentication channels in one device that is beyond
the control of the bank.
In comparison, by using a fingerprint sensor located on the ATM,
banks can choose to do match-on-ATM, match-in-sensor, or match
on a bank’s secure servers with an encrypted channel and tamper protection
that is extremely secure and trusted, similar to the encrypted
pin pad or EPP in use today. The fingerprint sensor in the ATM is
responsible for capture, liveness checking and live template generation.
There is central administration of enrolment templates that are
held on the bank’s secure servers. If that match is done on the ATM
PC or in the sensor itself, the template is only sent once, even if the
user retries the process. This reduces network traffic. Cryptography
prevents any man-in-the-middle attacks and also protects the biometric
Using multispectral fingerprint biometrics located on the ATM
is particularly popular, especially in South America. It is used for
fingerprint authentication at the ATM and can be deployed in PINreplacement
or cardless implementations. In Brazil, this approach is
responsible for 4 billion transactions a year at over 85,000 ATMs.
Five of the six largest banks in Brazil use this approach.
Biometrics solutions are becoming increasingly important across
all banking channels. Convenience can be as valuable as fraud reduction,
but there is no silver bullet and customers need choice. Pilots
must be large for institutions to understand the true performance of
the planned biometrics solution. Ultimately, picking a biometric sensor
designed for the task and a proper implementation will mean the
difference between success and failure. Implemented
correctly, today’s solutions enable institutions
to fight financial fraud without forfeiting
convenience, and deliver security while preserving
trust in transactions.
This article originally appeared in the August 2017 issue of Security Today.