The Potential of Biometrics

The Potential of Biometrics

Understand its uses for banking customers and employees

Many financial institutions are looking to biometrics to enhance customer trust and convenience, and for securing the bank enterprise and facilities. Proper implementation is critical. Geography and culture matter, there is no silver bullet, and there are multiple modalities available, from face to vein. When implementing biometrics solutions there are a number of issues to consider, choices to make, and implementation directions to take, each with their own implications for fulfilling the promise of biometrics authentication.

Security and Trust

One of the biggest challenges facing banks is how to provide secure and trusted services while substantially improving customer experience. We are reminded in headline after headline that fraud is an ever-present and increasing threat, but the value of consumer trust is no less important. Paramount to establishing complete trust in transactions is a focus on the customer experience, and bank customers are demanding a seamless and consistently satisfying experience across all service channels. Employees also want a better user experience while their employers demand security. These twin goals of security and convenience must be achieved without increasing cost or complicating the compliance process.

Biometrics solutions meet these needs, enabling banks to cultivate customer loyalty and boost acquisition. They can also be used to improve the employee experience and efficiency. Plus, biometric solutions can offer the simultaneous benefit of supporting multiple strong authentication methods. For instance, in the consumer space, as EMV enhanced the security of the card, so biometrics can enhance the security of the PIN—while creating a much more convenient experience for the bank customer (see Fig. 1). Other mix-and-match authentication options include card and biometric, phone and biometric, and “deviceless” solutions that combine an account number and biometric. Biometrics solutions also enhance productivity through faster transactions and the elimination of passwords.

When biometrics is used for customer authentication it improves convenience while reducing fraud. Solutions can be used across multiple channels, from online and mobile banking to transactions at the ATM, the teller, a call center and a safe deposit box. Key questions to ask include where the authentication will take place – at the teller and, if so, is the implementation fixed or mobile? When using biometric sensors on mobile applications, it is important to know that there are major variations in liveness detection—if it even exists today on the phone.

Biometrics also can be used for employee authentication. In these applications, solutions enhance productivity and security. Applications include logical access for networks, shared workstations, call centers and remote applications. Biometrics also can be used for transaction verification in applications including working with customer records and processing approvals. Finally, biometrics authentication is ideal for controlling physical access to ATMs, branches and safe boxes. Citibank is already using fingerprint biometrics for employee logon to ease password frustrations, which also enhances the customer impression that security is taken seriously.

There are many choices of biometric modalities, from face, iris and vein to voice and either conventional or multispectral fingerprint. Choosing between these and other options requires an evaluation of their comparative ease of use, ability to detect fakes, interoperability, and—if needed—the modality’s availability for mobile applications. Fingerprint is one of the most popular modalities, with Yole Développement forecasting that demand in consumer applications will push total volume shipments 19 percent through 2022 to $4.7 billion.

Realizing the Full Benefits of Fingerprint Biometrics

The most effective deployment of any biometric modality requires the right capabilities for image capture, liveness detection, and reliable template matching. A recent study by the research firm Novetta describes a new way to evaluate fingerprint technologies in user-focused commercial applications like banking, where security-focused biometric performance criteria have traditionally been used to certify, rank, and differentiate between fingerprint technologies. More important for these public-facing applications are ease of use, availability, and convenience, which depend on three key issues: the quality of the biometric data that is captured, the use of liveness detection to enhance trust, and the level of matching performance and interoperability across different devices.

Image is everything in any biometric. Bad images lead to bad decisions. Many customers choose sensors that use multispectral imaging because it collects information about the sub-surface fingerprint in order to augment available surface fingerprint data. The skin is illuminated at different depths to deliver much richer data about the surface and sub-surface features of the fingerprint. Additionally, the sensor is able to collect data from the finger even if the skin has poor contact with the sensor because of environmental conditions or finger contamination. Multispectral sensors also have an uncoated glass platen that resists damage from harsh cleaning products.

Equally important is liveness detection, or the ability to detect fake fingerprints. This capability influences both security and privacy protection. Security is sensor-dependent, with some modalities more resistant to spoofs than others. The most resistant sensors facilitate a realtime determination that the biometric characteristics presented are genuine and are being presented by the legitimate owner, rather than someone impersonating them. This requires the use of advanced machine learning algorithms so that the solution can adapt and respond to new threats and spoofs as they are identified. With this technology in place, privacy is also protected – if you can’t use a fake finger, then even if you did obtain someone’s fingerprint data, it is meaningless. Furthermore, if the data is useless, why would fraudsters try to capture it? Strong and updatable liveness protection is absolutely critical if biometrics are to eliminate the need to use PINs or passwords.

Systems must be implemented correctly with regards to data, encryption and the overall system architecture, with requirements dependent on multiple factors. For example, where does the biometric template reside? How and where is enrolment performed? Will the authentication point be fixed or must it be mobile? There are several backend implementation choices to consider, including match on ATM PC, match on phone, match on sensor and match on server. Each has its own pros and cons and the additional option of encrypting with tamper resistance.

For instance, the match-on-phone approach offers the advantages of a simplified backend. The user chooses the biometrics modality, is trained to use it, and controls the template. The phone’s biometric sensor does it all—captures the fingerprint, checks liveness, and generates the template. But, as mentioned earlier, “cons” include varying degrees of spoof protection, if it is even available. Plus, there is a consolidation of all authentication channels in one device that is beyond the control of the bank.

In comparison, by using a fingerprint sensor located on the ATM, banks can choose to do match-on-ATM, match-in-sensor, or match on a bank’s secure servers with an encrypted channel and tamper protection that is extremely secure and trusted, similar to the encrypted pin pad or EPP in use today. The fingerprint sensor in the ATM is responsible for capture, liveness checking and live template generation. There is central administration of enrolment templates that are held on the bank’s secure servers. If that match is done on the ATM PC or in the sensor itself, the template is only sent once, even if the user retries the process. This reduces network traffic. Cryptography prevents any man-in-the-middle attacks and also protects the biometric database.

Using multispectral fingerprint biometrics located on the ATM is particularly popular, especially in South America. It is used for fingerprint authentication at the ATM and can be deployed in PINreplacement or cardless implementations. In Brazil, this approach is responsible for 4 billion transactions a year at over 85,000 ATMs. Five of the six largest banks in Brazil use this approach.

Biometrics solutions are becoming increasingly important across all banking channels. Convenience can be as valuable as fraud reduction, but there is no silver bullet and customers need choice. Pilots must be large for institutions to understand the true performance of the planned biometrics solution. Ultimately, picking a biometric sensor designed for the task and a proper implementation will mean the difference between success and failure. Implemented correctly, today’s solutions enable institutions to fight financial fraud without forfeiting convenience, and deliver security while preserving trust in transactions.

This article originally appeared in the August 2017 issue of Security Today.


  • Cloud Adoption Gives Way to Hybrid Deployments

    Cloud adoption is growing at an astonishing rate, with Gartner forecasting that worldwide public cloud end-user spending will approach $600 billion by the end of this year—an increase of more than 21% over 2022. McKinsey believes that number could eclipse $1 trillion by the end of the decade, further underscoring the industry’s exponential growth. Read Now

  • AI on the Edge

    Discussions about the merits (or misgivings) around AI (artificial intelligence) are everywhere. In fact, you’d be hard-pressed to find an article or product literature without mention of it in our industry. If you’re not using AI by now in some capacity, congratulations may be in order since most people are using it in some form daily even without realizing it. Read Now

  • Securing the Future

    In an increasingly turbulent world, chief security officers (CSOs) are facing a multitude of challenges that threaten the stability of businesses worldwide. Read Now

    • Guard Services
  • Security Entrances Move to Center Stage

    Most organizations want to show a friendly face to the public. In today’s world, however, the need to keep people safe and secure has become a prime directive when designing and building facilities of all kinds. Fortunately, there is no need to construct a fortress-like entry that provides that high level of security. Today’s secured entry solutions make it possible to create a welcoming, attractive look and feel at the entry without compromising security. It is for this reason that security entrances have moved to the mainstream. Read Now

Featured Cybersecurity

New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • ResponderLink


    Shooter Detection Systems (SDS), an company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3