Biometrics: Time to take it seriously?

Fingerprints. Irises. Facial recognition. Voice recognition. Keyboard key depression characteristics. Even body odor. All these have or are being considered as means to authenticate individuals as they try to access their secure accounts.

The thing is, most of these (body odor is new; more in a moment) have been studied and refined for years and still have not yet really broken through to the mainstream. However, as mobile channels have become more popular, consumers not only have come to expect their ease and functionality, but also the level of security they’ve had on computers. The problem is, what’s acceptable on the desktop isn’t all that convenient on the handheld device.

Recently,  in a report Gartner issued on consumers’ mobile preferences, it predicts that by 2016, 30% of organizations will use biometric authentication on mobile devices, up from 5% today.

“Mobile users staunchly resist authentication methods that were tolerable on PCs and are still needed to bolster secure access on mobile devices,” says Ant Allan, research vice president at Gartner. “Security leaders must manage users’ expectations and take into account the user experience without compromising security.”

Tellingly, it gives the example that for PCs, a standalone device may be used to provide a hardware token for additional authentication. “Traditional authentication of this kind is often spurned in mobile use cases, because of the poor user experience with most kinds of hardware tokens,” says Allan. “Juggling the token in one hand, the phone in another, and a latte in the third is increasingly resisted by mobile device users.”

U.S. Bank certainly recognizes this. It just announced that its employees are piloting voice biometrics software that lets customers speak a simple passphrase, such as “My voice is my password,” to access a credit card account on a mobile device. The feature allows select credit card customers to use their voice to login with a spoken passphrase so they can access their account balances, search transactions, and make a payment on their account in the mobile app.

“Voice biometrics is a unique identifier that will help us improve the customer experience,” says Dominic Venturo, chief innovation officer for U.S. Bank Payment Services. “Customers are becoming accustomed to using their voice to interact with their smartphones and can become frustrated with key entering passwords. Exploring a spoken passphrase login through this technology is a logical next step in our work in biometrics.”

Such sentiments are starting to resonate in the banking industry, Aite Group predicts that the “time is ripe for biometrics to work their way into remote-channel authentication strategies.” In a recent report it says the industry is experimenting with various use cases, including biometrics as an additional layer for online and mobile authentication, voice biometrics in concert with esignatures, iPads secured by facial recognition, and fingerprint recognition.

Still, Aite concludes, “The importance of the consumer experience cannot be underestimated. Consumer and cultural norms and values will dictate the success of the solutions, and consumers are willing to change their behavior if there is enough incentive to do so and the experience is relatively painless.”

The Members Group similarly sees an emergence of biometric authentication in the payments space. In a recent white paper it documents various advances in various contexts, such as at casinos and ATMs. It also notes that some consumers actually are interested in the potential of biometric authentication. “Whether they are ready or not, whether they understand it or not, many early-adopter consumers will be intrigued by the promise of biometric security solutions. For financial institutions, the question becomes: Will our customers lead us or will we lead our customers?”

Speaking of early adoption—while at the same time trying to stay away from too-obvious terms like “smell test”—it’s been reported that researchers at the Polytechnic University of Madrid are looking at detecting body odor as a biometric form of authentication.

John Fontana, a blogger for ZDNET, gives a straightforward description of what this is all about. It seems that each person’s personal smell is unique, and is why bloodhounds can track people by following their scent. Technology is being developed that can recognize the unique patterns of each person’s body odor, and can reach an accuracy rate of about 85%, which is seen as on a par with more traditional biometrics.

Fontana says capturing body odor can be as easy as someone walking past a sensor and would be less intrusive than fingerprint readers or iris scanners. Still, he points out, privacy issues would have to be worked out, plus there’s the fact that bloodhounds are much more reliable than the technology so far.

Sniff test aside, for banks what matters—in addition to consumer acceptance—is regulatory acceptance. The FFIEC has issued some guidance in this area. Its IT Handbook provides a fairly good look at the pros and cons of biometrics in their various forms.

For example, on the positive side, it says: “Unlike other authentication mechanisms, a biometric authenticator does not rely on a user’s memory or possession of a token to be effective. Additional strengths are that biometrics do not rely on people to keep their biometric secret or physically secure their biometric. Biometrics is the only authentication methodology with these advantages.”

On the negative side it says: “Weaknesses in biometric systems relate to the ability of an attacker to submit false physical characteristics or to take advantage of system flaws to make the system erroneously report a match between the characteristic submitted and the one stored in the system.”

We’ve all seen movies and TV shows where some secret agent deftly lifts the thumb print from some bad guy and uses it to gain access to the laboratory where some nefarious thing is in the works. FFIEC, in its own governmental language, says the same thing: “An attacker might submit to a thumbprint recognition system a copy of a valid user’s thumbprint.” The solution, the agency suggests, is to make sure a “live thumb” is used for the submission; to do this would require having a guard at the reader—which kind of makes the print reader superfluous.

Furthermore, the FFIEC Handbook goes into detail about the practicalities of how precise a given biometric system can or should be. A too-precise system results in high numbers of false negatives. A less-precise system results in high numbers of false positives. The objective is to tune such systems so that the “equal error rate” is as low as possible.

Elsewhere in the FFIEC IT Handbook—in the area for payment initiation and authentication—the agency puts it this way: “A biometric identifier alone is only a single factor, and it may need to be combined with other technologies or factors for proper authentication of high-risk banking transactions. As new payment systems emerge, industry demands for antifraud measures may result in greater use of biometrics.”

Looking ahead, Aite’s Julie Conroy, research director in Retail Banking, says: “Though not a silver bullet, biometrics do have the potential to add a valuable additional layer of security and convenience to remote-channel and payment transactions, particularly when deployed in combination with other technologies such as device fingerprinting or out-of-band authentication.”

Sources used in this story include:

The race to stem cybercrime using biometrics is on

IT Booklets>>Information Security>>Security Controls Implementation>>Access Control>>Authentication

Biometrics for Payment Initiation and Authentication

Gartner Says 30 Percent of Organizations Will Use Biometric Authentication for Mobile Devices by 2016

TMG Issues White Paper Exploring Biometric Authentication in Payments

Body odor passes smell test as biometric

U.S. Bank Expands Mobile App Pilot Using Voice Biometrics to Access Credit Card Account