Sadly, reality is always different from the big screen. The last five years have lifted biometrics out of “Mission Impossible” and dropped the authentication method into the lives of everyday consumers. From consumers logging into their telephone banking via their voices or signing into their smartphones via their fingerprints, biometrics is fast assuming a central role in digital identity management. But
Neither is biometric authentication toothless, however. Biometrics could give real punch to banks’ security mix and address an urgent need in authenticating users digitally. Indeed, the recent proliferation of digital services and cloud-based platforms — each requiring independent user verification — is making mincemeat of the username and password model. Ubiquity compels even a diligent person to reuse at least some login credentials, which dramatically increases the security implications of a hack. Already, many of the most popular cloud-based services automate this practice by enabling users to apply their “unique” logins to a variety of other accounts (a process known as
Two-factor or multifactor authentication solutions are far less penetrable than a single username and password. However, adoption rates remain comparatively low. That is because the multifactor approach fails to deliver a smooth and convenient user experience. Physical authentication tokens, often used in online banking, are easily lost or stolen. But more importantly, the authentication process itself is laborious. Typically, receipt or generation of a random key or number sequence occurs on one device (a smartphone). Then someone must combine that number with another unique piece of information that only a user knows before inputting the code into a second device (laptop, tablet, PC etc.). Replacing all usernames and passwords with this multistep model is no solution at all; today, we log in to so many different platforms that interruption and end-user frustration would dominate the digital experience.
Enter biometrics. There is little doubt that the future of digital identity lies in using multiple factors to verify a user’s authenticity. Banks will also deliver one or more of those factors biometrically to simplify the authentication process for their customers. Apple’s Touch ID is an excellent example of how a biometric can make an authentication process fast and convenient as well as secure. Indeed, with biometrics in play, a digital world in which the authentication process disappears entirely from the user’s experience could be right around the corner.
When appropriately deployed, behavioral biometrics such as typing styles, app navigation habits or the pressure someone applies to touchscreens leave a data trail almost as distinctive as a fingerprint or face. Banks can combine these behavioral data points with conventional biometric data to continually and automatically confirm and reconfirm the user’s identity without interrupting their user experience with off-putting challenge questions.
Adaptive and risk-based authentication solutions are also gathering momentum. These solutions monitor the user’s daily journey through their apps, platforms and devices to ensure that an authentication challenge is only issued when the system deems it absolutely necessary, according to predetermined policies set by the bank.
We need to do more work to identify and increase the reliability of behavioral biometrics. Capture technologies are still developing and banks integrating the technology must handle them with care to stay ahead of the hackers, for instance. Privacy issues also remain a key concern as does the storage and sharing of biometric data once it has been captured.
The best outcome from this process will involve a collaborative approach from the full spectrum of stakeholders, including academics, vendors, end users and privacy advocates.
The importance of this work cannot be overstated. Collaborative efforts are essential to ensure the true enabling power of biometrics can be realized in the digital space without putting the individual’s biometric data at risk.