Behavioral biometrics: The password you can’t forget
This year’s Mobile World Congress featured more biometrics technology than ever before, with the launches of Google’s Android Pay and Samsung Pay, both of which unveiled technology that enables payments through fingerprint verification. There can be no doubt that biometrics is creeping into the consumer consciousness, but are biometrics ready for the enterprise?
The boundaries of what defines a bank or payment provider are blurring, with innovators such as Apple and PayPal now competing in this space. These companies, which excel in customer service, are forcing the banks to consider how they can deliver the frictionless user experience that consumers now demand. That is, how they can balance the all-important triangle of privacy, convenience, and security.
The majority of the biometric technology with which consumers are familiar is static biometrics: for example, unlocking a smartphone with your fingerprint, or standing in line for the iris scanners at airports. Each time a new provider embeds a biometric authentication technique into a device or service, we see a flood of headlines wondering whether this will – finally – prove a death knell for the password. Although this forecast is a perennial favorite, the fact is that most people aren’t as uncomfortable with passwords as some security experts would like to predict. The “password problem” isn’t that the security mechanism is broken, it’s that we can only remember a certain number of passwords, so we repeat them, whether in a personal or a business context. This is where passwords fall down. Static biometrics seeks to replace the password, something you know, with a physical attribute – something you are.
Behavioral biometrics takes this authentication one step further, requiring the user not only to have the right fingerprint to log on, but to prove that they are who they say they are throughout the duration of the session. This takes into account the way in which a person interacts with a device, such as the force with which they hit a key, the angle they use to swipe a touchscreen, or their typing speed. Tracking and analyzing these areas allows users to safely use the same “password” – their behavior – for every login. In this way, the user becomes part of the security solution, rather than the problem.
We need to change the way we think about security – across passwords, static and behavioral biometrics. Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but adopt a layered approach to security, combining the various available authentication technologies to improve both accuracy and user experience.
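To make the last two paragraphs concrete, the sketch below is an added example, not code from the article or from any vendor. It scores a session window on typing speed alone (one of the signals named above) and treats a behavioral match as only one layer for high-risk transactions. The feature choice, the threshold, the function names and all timing data are assumptions constructed for illustration.

```python
from statistics import mean, stdev

THRESHOLD = 3.0  # assumed cut-off, in standard errors; would be tuned on real data

def gaps(key_times_ms):
    """Inter-key intervals from a list of key-down timestamps (ms)."""
    return [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]

def enroll(sessions):
    """Profile = (mean, stdev) of inter-key intervals over enrollment sessions."""
    all_gaps = [g for s in sessions for g in gaps(s)]
    return mean(all_gaps), stdev(all_gaps)

def anomaly_score(profile, window):
    """Distance of the window's mean interval from the profile, in standard errors."""
    mu, sigma = profile
    g = gaps(window)
    return abs(mean(g) - mu) / (sigma / len(g) ** 0.5)

def decide(profile, window, high_risk=False, second_factor_ok=False):
    """Layered decision, evaluated for every window during the session."""
    if anomaly_score(profile, window) > THRESHOLD:
        return "reauthenticate"      # behavior no longer matches the enrolled user
    if high_risk and not second_factor_ok:
        return "step_up"             # behavior alone never authorizes high risk
    return "allow"

# Constructed sample data: key-down timestamps in milliseconds.
ENROLLMENT = [
    [0, 180, 350, 540, 700, 890, 1060],
    [0, 170, 360, 530, 720, 880, 1070],
]
OWNER_WINDOW = [0, 175, 360, 530, 715, 890]   # similar cadence to enrollment
OTHER_WINDOW = [0, 95, 200, 290, 400, 495]    # much faster typist
PROFILE = enroll(ENROLLMENT)

if __name__ == "__main__":
    for name, w in (("owner", OWNER_WINDOW), ("other", OTHER_WINDOW)):
        print(name, round(anomaly_score(PROFILE, w), 2),
              decide(PROFILE, w), decide(PROFILE, w, high_risk=True))
```

A production system would combine several signals, such as key force and swipe angle, and would be evaluated for false accepts and false rejects before any threshold is fixed.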
There is a time and a place for sharing sensitive static biometric information. While people may feel comfortable sharing data such as iris authentication in official government documentation, they are often far more cautious when it comes to consumer devices. Practicality is also a major factor – the key is finding the right balance between security and usability.
As such, corporations have to take this into careful consideration when implementing biometric authentication – this is particularly true for online banking. In an age when high street branches are shutting, online and mobile access to banking is crucial for consumers. Bank customers want instant access to their accounts on the go, and if this process is complicated by disruptive additional authentication processes, it’s easier than ever for customers to seek another provider.
Supplementary technology devices, such as card readers for verification, already provide a pain-point for customers. For this reason, innovative new technology, such as biometric security, should be looking to reduce the hardware burden, rather than increasing it. Additional wearable devices designed to authenticate the user are simply a further barrier to entry for consumers and yet another investment for the bank. Building technology into existing systems and considering security as a series of layers, depending on the level of risk associated, ensures that consumers aren’t inconvenienced with unnecessary authentication barriers.
Alongside minimising customer disruption, it is crucial that banks avoid any unnecessary business disturbance when introducing new technology. Disruptive technology and innovation for innovation’s sake may appeal to a small community of early adopters, but for businesses and banks, it is about taking on a technology that fits seamlessly into their business model, without causing any unnecessary interruption – either to business operations or user experience.
Biometrics – where next?
Banks need to understand that security is not a competition point – it is a basic fundamental of running a reliable service and looking after clients. Nordic banks in particular already take a forward-looking stance on fraud, pooling their resources to come up with solutions. Banks in the UK would benefit from taking on this collaborative approach, as customers simply expect that their trusted bank provider will look after their money and their sensitive data.
Usability, however, is a major factor in determining client satisfaction, and clients will be quick to jump ship if they are inconvenienced when trying to complete simple processes. Negotiating the balance between security that suits the situation and a process that avoids disrupting customer usage is key to the development of security that suits the modern consumer.