More banks are turning to facial recognition as a way of letting people verify their identity. They're responding to changing consumer habits during the pandemic and improvements in the technology.
Banks are more open to it because they need to be sure customers, who are increasingly interacting with them via smartphone or computer, are who they claim to be.
"In the real world, most people don't go to branches, so this is actually about banking on your couch" and keeping it safe with facial verification technology that helps banks, health care providers and government entities conduct business and move payments safely, said Andrew Bud, founder and CEO of iProov, a London-based biometric authentication technology provider.
Of the approximately 11,000 financial institutions in the United States, 15% to 20% use selfie photo imaging in combination with document verification to authenticate users, Aite-Novarica estimates based on research it conducted this year. The Boston-based research firm estimates 600 to 700 more financial institutions adopted facial recognition technology in the past year.
"As we see financial institutions invest more in their digital platforms, I would expect that this number will increase," said senior analyst David Mattei, a co-author along with Colin Whitmore of the Aite-Novarica research on the digital ID and verification market. "Financial institution usage is most common for online/mobile banking and for online applications. Some are using this technology in the branch as well, but at a lower rate than digital banking."
The market for services that pair biometrics with document authentication is growing. Aite-Novarica also did research on the topic in 2018, citing fewer than 20 vendors offering the technology. The consultancy's research for 2021 cited more than 50 providers.
Many digital ID providers have added some form of facial authentication, including Jumio, TransUnion, Thales, Socure, Equifax, Facepoint, LexisNexis and Blockpass.
A primary differentiator among them is technology to help combat spoofing, “which minimizes friction," said Julie Conroy, head of risk insights and advisory for Aite-Novarica.
"Capabilities include using 2D- and 3D-imaging for liveness detection, though that is dependent on the consumer device having the capability to pass along those signals," according to Conroy, who said companies are looking for more powerful technology than fingerprint scans.
Apple, which has included facial biometrics in its recent iPhones, has said it plans to aid financial services institutions'
"The big tech firms often pave the way with new customer experiences in biometrics, and now that smartphones default to facial recognition to unlock the phone it has made this a very intuitive experience for many consumers," Conroy said.
Establishing a 'live' identity
Facial ID technology generally calls for a bank, insurance firm or health care provider to require customers to take a selfie and also provide a document that displays their photo.
In conducting a "likeness" check of the image on the document, the technology analyzes eye placement, the distance of the eyes to the chin and other details. It also calls for a "liveness" check using advanced data analytics and machine learning that can detect if the selfie is a live person or a doctored photo. In these cases, customers often have to move their heads in different directions for the technology to get a complete scan.
iProov, which uses the cloud, says its one-time biometric technology addresses any concerns about potential fakes by using a photo of the person in which the authentication code consists of a series of colored lights on the person's face. The glow of the smartphone or computer screen is converted into a one-time print of colors when the face is illuminated.
The process also allows iProov to use a technique called light reflection analysis to determine if the image is from a live, skin-covered, three-dimensional human face — essentially confirming a real face as opposed to a mask or another digital image presented to the device sensor.
The one-time color-coding of the person's face on the screen is sent to iProov servers, making it a unique presentation of the person. Once the onboarding or transaction is complete, the biometric becomes obsolete and iProov stores it for as long as a bank or other client specifies, in keeping with privacy laws, before purging it from the server.
Conroy said she finds the light-illumination and one-time biometric use at iProov "to be very intriguing."
Allowing a customer to sign up for accounts using mobile and the one-time facial verification option, Bud estimates customers can apply for new products in minutes. As a way to speed up business transactions, some iProov clients are even setting up computer screens in their branches to make use of facial verification for those who prefer going to the bank in person but don't want to interact with a teller or bank executive.
The financial services provider USAA said it uses facial verification processes for authenticating customers seeking access to accounts. The San Antonio company never has a customer faceprint stored in any manner nor does it make faceprints available to other businesses or law enforcement agencies.
The market for biometrics technology in combination with document ID verification could pass $1 billion by 2024, Aite-Novarica estimated based on market growth reported by vendors. The market value for 2021 is projected to be $784 million.
Goodbye to older tech
The online bank Knab in Amsterdam has used iProov technology for customer identification during onboarding and to authenticate transactions. Before that, the bank was using username-password combinations and a card reader that generated one-time passwords.
The previous methods were not customer-friendly, it was expensive to provide all customers with a card reader, and the one-time passwords could be stolen through phishing websites, said Marcel Kalse, co-founder and head of mobile strategy at Knab.
"It was quite easy to get all customers enrolled in facial verification," Kalse said. "It works very easily for a customer to scan a passport photo and take a selfie, and it is all done within a few seconds."
In the past few months, Kalse said he has spoken with several financial institutions in the United States expressing an interest in the technology his bank is using. Knab began operation in 2012 and serves more than 300,000 customers. It’s a unit of Aegon Bank, which has assets of 445 billion euros.
As with any new technology, criminals advance their methods as well.
"You need to be ready for new kinds of attacks like deepfake technology, but companies like iProov are investing a lot of money to tackle this kind of fraud," Kalse said. iProov's solution, called Genuine Presence Assurance, also comes into play for situations in which most banks require two or three forms of authentication, such as requests to replace a lost debit or credit card or forgetting a PIN.
Still, even with advances in facial verification technology, many banks are likely to remain cautious and not rely on a single authentication method for any service that includes money movement, Aite-Novarica's Mattei said.
"While mobile phones support fingerprints and facial biometrics to access the device, I do not envision banks being comfortable relying upon them as the only means of user authentication into the banking app," Mattei said.
Banks would effectively delegate user authentication to a third party if they relied solely on facial biometrics, which would "cause them heartburn," Mattei added.
Instead, banks could go with facial recognition only for low-risk transactions like balance inquiries and other requests, but not for money movement. In those cases, customers could still expect to see passive authentication tools such as device fingerprinting and behavioral biometrics, Mattei said.