The Potential of Biometrics
Understand its uses for banking customers and employees
- By Bill Spence
- Aug 01, 2017
Many financial institutions
are looking to biometrics
to enhance customer trust
and convenience, and for
securing the bank enterprise
and facilities. Proper implementation
is critical. Geography and culture matter,
there is no silver bullet, and there are multiple
modalities available, from face to vein.
When implementing biometrics solutions
there are a number of issues to consider,
choices to make, and implementation directions
to take, each with their own implications
for fulfilling the promise of biometrics
authentication.
Security and Trust
One of the biggest challenges facing banks
is how to provide secure and trusted services
while substantially improving customer experience.
We are reminded in headline after
headline that fraud is an ever-present and
increasing threat, but the value of consumer
trust is no less important. Paramount to establishing
complete trust in transactions is a
focus on the customer experience, and bank
customers are demanding a seamless and
consistently satisfying experience across all
service channels. Employees also want a better
user experience while their employers demand
security. These twin goals of security
and convenience must be achieved without
increasing cost or complicating the compliance
process.
Biometrics solutions meet these needs, enabling
banks to cultivate customer loyalty and
boost acquisition. They can also be used to improve
the employee experience and efficiency.
Plus, biometric solutions can offer the
simultaneous benefit of supporting multiple
strong authentication methods. For
instance, in the consumer space, as EMV
enhanced the security of the card, so biometrics
can enhance the security of the
PIN—while creating a much more convenient
experience for the bank customer (see
Fig. 1). Other mix-and-match authentication
options include card and biometric,
phone and biometric, and “deviceless” solutions
that combine an account number
and biometric. Biometrics solutions also
enhance productivity through faster transactions
and the elimination of passwords.
When biometrics is used for customer
authentication it improves convenience while
reducing fraud. Solutions can be used across
multiple channels, from online and mobile
banking to transactions at the ATM, the teller,
a call center and a safe deposit box. Key
questions to ask include where the authentication
will take place – at the teller and, if so,
is the implementation fixed or mobile? When
using biometric sensors on mobile applications,
it is important to know that there are
major variations in liveness detection—if it
even exists today on the phone.
Biometrics also can be used for employee authentication. In these
applications, solutions enhance productivity and security. Applications
include logical access for networks, shared workstations, call
centers and remote applications. Biometrics also can be used for
transaction verification in applications including working with customer
records and processing approvals. Finally, biometrics authentication
is ideal for controlling physical access to ATMs, branches
and safe boxes. Citibank is already using fingerprint biometrics for
employee logon to ease password frustrations, which also enhances
the customer impression that security is taken seriously.
There are many choices of biometric modalities, from face, iris
and vein to voice and either conventional or multispectral fingerprint.
Choosing between these and other options requires an evaluation of
their comparative ease of use, ability to detect fakes, interoperability,
and—if needed—the modality’s availability for mobile applications.
Fingerprint is one of the most popular modalities, with Yole Développement
forecasting that demand in consumer applications will
push total volume shipments 19 percent through 2022 to $4.7 billion.
Realizing the Full Benefits of Fingerprint Biometrics
The most effective deployment of any biometric modality requires
the right capabilities for image capture, liveness detection, and reliable
template matching. A recent study by the research firm Novetta
describes a new way to evaluate fingerprint technologies in user-focused
commercial applications like banking, where security-focused
biometric performance criteria have traditionally been used to certify,
rank, and differentiate between fingerprint technologies. More important
for these public-facing applications are ease of use, availability,
and convenience, which depend on three key issues: the quality
of the biometric data that is captured, the use of liveness detection to
enhance trust, and the level of matching performance and interoperability
across different devices.
Image is everything in any biometric. Bad images lead to bad decisions.
Many customers choose sensors that use multispectral imaging
because it collects information about the sub-surface fingerprint in
order to augment available surface fingerprint data. The skin is illuminated
at different depths to deliver much richer data about the
surface and sub-surface features of the fingerprint. Additionally, the
sensor is able to collect data from the finger even if the skin has poor
contact with the sensor because of environmental conditions or finger
contamination. Multispectral sensors also have an uncoated glass
platen that resists damage from harsh cleaning products.
Equally important is liveness detection, or the ability to detect fake
fingerprints. This capability influences both security and privacy protection.
Security is sensor-dependent, with some modalities more resistant
to spoofs than others. The most resistant sensors facilitate a real-time
determination that the biometric characteristics presented are
genuine and are being presented by the legitimate owner, rather than
someone impersonating them. This requires the use of advanced machine
learning algorithms so that the solution can adapt and respond
to new threats and spoofs as they are identified. With this technology
in place, privacy is also protected – if you can’t use a fake finger, then
even if you did obtain someone’s fingerprint data, it is meaningless.
Furthermore, if the data is useless, why would fraudsters try to capture
it? Strong and updatable liveness protection is absolutely critical if
biometrics are to eliminate the need to use PINs or passwords.
Systems must be implemented correctly with regard to data, encryption
and the overall system architecture, with requirements dependent
on multiple factors. For example, where does the biometric
template reside? How and where is enrolment performed? Will the
authentication point be fixed or must it be mobile? There are several
backend implementation choices to consider, including match on
ATM PC, match on phone, match on sensor and match on server.
Each has its own pros and cons and the additional option of encrypting
with tamper resistance.
For instance, the match-on-phone approach offers the advantages
of a simplified backend. The user chooses the biometrics modality,
is trained to use it, and controls the template. The phone’s biometric
sensor does it all—captures the fingerprint, checks liveness, and generates
the template. But, as mentioned earlier, “cons” include varying
degrees of spoof protection, if it is even available. Plus, there is a consolidation
of all authentication channels in one device that is beyond
the control of the bank.
In comparison, by using a fingerprint sensor located on the ATM,
banks can choose to do match-on-ATM, match-in-sensor, or match
on a bank’s secure servers with an encrypted channel and tamper protection
that is extremely secure and trusted, similar to the encrypted
PIN pad or EPP in use today. The fingerprint sensor in the ATM is
responsible for capture, liveness checking and live template generation.
There is central administration of enrolment templates that are
held on the bank’s secure servers. If that match is done on the ATM
PC or in the sensor itself, the template is only sent once, even if the
user retries the process. This reduces network traffic. Cryptography
prevents any man-in-the-middle attacks and also protects the biometric
database.
Using multispectral fingerprint biometrics located on the ATM
is particularly popular, especially in South America. It is used for
fingerprint authentication at the ATM and can be deployed in PIN-replacement
or cardless implementations. In Brazil, this approach is
responsible for 4 billion transactions a year at over 85,000 ATMs.
Five of the six largest banks in Brazil use this approach.
Biometrics solutions are becoming increasingly important across
all banking channels. Convenience can be as valuable as fraud reduction,
but there is no silver bullet and customers need choice. Pilots
must be large for institutions to understand the true performance of
the planned biometrics solution. Ultimately, picking a biometric sensor
designed for the task and a proper implementation will mean the
difference between success and failure. Implemented
correctly, today’s solutions enable institutions
to fight financial fraud without forfeiting
convenience, and deliver security while preserving
trust in transactions.
This article originally appeared in the August 2017 issue of Security Today.