The rise of biometrics in banking: The death of the password?

Entersekt Editor | 22 November 2018

Ever forgotten your PIN? What about forgetting which password goes with which account? Generally, the problem isn’t the password itself, but the number of username and password combinations we need to remember. It has been estimated that within the next few years, we will have, on average, over 200 accounts for which we need to remember passwords!

It’s simply become too much. For financial institutions (FIs) that want to improve the simplicity of digital banking without compromising on security, it has become a huge problem. Not only has the username/password login method become too cumbersome, it has been proven time and again to be highly susceptible to fraud and hacking. This is a situation that is likely to get a lot worse considering that about 1.4 billion consumer records – and that’s just the number from last year – are available for sale on the black market.

To better balance digital ease of use and strong security, many FIs are turning to biometrics. Biometric authentication is a quicker and easier way for customers to verify their identity when making transactions or otherwise interacting with their bank. You don’t, after all, have to remember your fingerprint or type in your voice!

Use of biometrics in the industry

Typical implementations of biometrics in financial services include authentication at login, digital payment, or cash withdrawal. Fingerprint scanning is the most commonly used biometric method in the banking industry, according to Biztech magazine. Since Apple introduced Touch ID in 2013, using fingerprints to identify yourself has become far more mainstream. Bank of America, for example, introduced fingerprint authentication and Touch ID in 2015; American Banker reports that more than half of the bank’s customers had used the biometric for mobile access by mid-2017.

Global Market Insights says that fingerprint technology will see the most growth by 2024 and that other authentication technologies will soon follow. In particular, the iris recognition market will experience double-digit growth between 2017 and 2024. According to Fortune magazine, dozens of regional banks and credit unions already enable customers to sign into their apps using eye recognition. Wells Fargo, for example, offers an eye-scan option to corporate clients, and last summer, Bank of America partnered with Samsung to begin testing the technology.

Facial recognition is also set to grow, especially after the roll-out of Apple’s Face ID system. Banking customers with an iPhone X can use Face ID to log into mobile apps from U.S. Bank and Citibank, among others.

Growing consumer confidence

Bank customers were once wary of biometric authentication, but their circumspection has been replaced with wholesale acceptance, at least in some countries. A study by the Department of Computer Science at the University of Oxford and Mastercard showed that 93% of consumers in the finance sector are interested in using biometric authentication methods. Moreover, a 2017 EyeVerify survey indicated that 86% of banking customers had used fingerprint recognition at least once within the last year, and 87% of respondents considered the method to be the most secure form of authentication. The same survey further found that 86% of banking customers agree that biometrics make logging into mobile banking apps easier than traditional password entry.

The industry itself, though, is less quick on the draw. The same Oxford and Mastercard study found that while 92% of industry respondents say that they are interested in deploying mobile biometrics, only 13% have already done so.

Risks and drawbacks

The financial sector’s reluctance to push forward with biometrics chimes with its time-honored reputation for prudence; the technology is not foolproof. While biometrics are more secure than passwords – it is much harder to replicate a fingerprint or voice than it is to guess a password – hackers’ ingenuity should never be underestimated. Hackers can make dummy fingerprints from selfies of yours that they can easily find online. In 2015, the fingerprints of 5.6 million workers were stolen from the Federal Government Office of Personnel Management in the U.S. And what do you do if your fingerprints are compromised? You can change your password, but you can’t change your fingerprint.

Moreover, mass-market biometrics solutions are device-dependent – consumers must use a specific device to access their biometric information. What happens if your device is stolen? Your device contains your identity, meaning that the thief can now access your accounts. There are server-based models of biometric authentication, but one breach of the central storage area can expose thousands of individuals’ personally identifiable information.

A multi-factor approach

For now, the best authentication approach is to use biometrics (“something you are”) in combination with at least one other factor: “something you have,” such as a smartphone, or “something you know,” such as a PIN or password. At Entersekt, we strongly believe that the first of these additional factors, “something you have,” is the way to address both usability and security concerns, but whether or not you agree, a multi-factor authentication strategy is still the most effective approach in the ongoing industry war against fraudsters and hackers.
