Biometrics and banking – is being yourself enough?
It’s a neat idea. Instead of going by what you know (a username or password – easily forgotten) or what you have (a card reader – easily lost, broken, or forgotten), authenticating yourself should be done in a way that cannot be stolen, altered, left at home or forgotten – based on who you are. Enter biometric security.
Trying to find the magic…
There have been some big movements on this recently. Using facial recognition technology, HSBC now allows (business) customers to open a bank account with a ‘selfie’ – a picture of your face that basically needs to move around a little so the bank knows that you are really there. They match it with ID documents that have been previously uploaded, in a similar style to Airbnb. MasterCard plans something similar, as does Atom Bank.
However, a ‘live’ (moving) photo on iPhone or video could be enough to fox the technology… as could a photograph and a pencil. Researchers in Berlin found that when a pencil was covering the eyes of a user (in a photograph) this was accepted as a ‘blink’ and the scanner authorised them. Oops.
As for using selfies as a payment method a la MasterCard, the word on the street is that it just isn’t very cool.
These words are my own…
Like Atom, Barclays launched voice authentication for certain customers recently. This ‘new generation’ of voice-based authentication matches the customer’s voice against stored ‘voiceprints’, allowing call centre employees to verify the customer and perform the relevant transactions.
Barclays describes the service as ‘passive’ – the authentication happens as you chat, not as a separate step – and it is ‘text-independent and freeform’, meaning you don’t need to say specific words or phrases to be verified. Content, language and accent don’t matter.
While it is still early days, it is thought that telephone banking fraud can be better prevented (a voice recording won’t work, surely?), reducing the losses suffered last year of £32.3m.
It’s who I am, it’s what I do…
Static biometrics – something we are – could soon be usurped by behavioural biometrics: stuff we do. Machine learning can be put to work establishing the patterns of HOW we use, for example, our phones and apps, and build a unique profile. If someone who doesn’t bash the keys in the same way we do, or swipes the screen at a different angle, starts using your phone they could be flagged as an intruder and blocked access to sensitive apps.
For customers, it means having to do very little to get into their apps. As City AM reported, ‘Without disrupting the user, behavioural biometrics analyses whether the user is who they say they are throughout their interaction with the device, rather than just at point of log-in… Once behavioural biometrics is implemented directly into next generation mobile handsets, authentication will involve ongoing, real-time analysis of whole phone interactions – including playing games, messaging friends and taking photos.’
Try to focus my attention…
Of course, biometric innovation also relies on that other aspect of ourselves that nearly half of us can’t imagine our lives without – our smartphone.
As much as we may be totally addicted to our phones, with brands clamouring to find ways to reach us there, it may be handy to have ways to pay that don’t rely on a card, a phone – on any extraneous tools. And yes, FinTechs are now using biometrics to cut out the middlemen altogether: Fingopay allows you to pay with your finger – no smartphone necessary. Trialled at festivals, it could be handy for when we perhaps eventually eschew hand-held technology and demand useful, informative, entertaining tech that we don’t even have to charge or carry around with us.
I need some help, some inspiration…
As we have said before, one of the ways to balance security with customer experience is to offer some degree of choice. Customers have differing security needs and concerns and these change depending on the context. This is why we have seen an increase in the use of risk based authentication where the likes of Barclays, for example, allow customers to use a relatively simple form of authentication, such as fingerprint, to initially access the app but require a second level of authentication (such as PINsentry) to conduct actions with a higher level of risk associated. Increasing the range of options in this manner (as long as they are all made to work properly), along with good advice coming from banks, customers can select an approach to logging in and performing banking tasks that works perfectly for them – and hopefully nobody else.