The rise of biometrics in banking

Digital transformation Security
Biometrics in banking
Ever forgotten your PIN number? What about forgetting which password goes with which account? Generally, the problem isn’t the password itself, but the number of username and password combinations we need to remember. It has been estimated that we have, on average, over 200 accounts for which we need to remember passwords, so it’s not surprising that 37% of people forget a password at least once a week!

It’s simply become too much. For financial institutions (FIs) that want to improve the simplicity of digital banking without compromising on security, it has become a huge problem. Not only has the username/password login method become too cumbersome, it has been proven time and again to be highly susceptible to fraud. This is a situation that is likely to get a lot worse considering that about 1.4 billion consumer records – and that’s just the number from 2018 – are available for sale on the black market.

To better balance ease of use and strong security, many FIs are turning to biometrics. Biometric authentication is a quicker and easier way for customers to verify their identity when making transactions or otherwise interacting with their bank. You don’t, after all, have to remember your fingerprint or type in your voice!

Use of biometric authentication in the industry

Typical implementations of biometrics in financial services include authentication at login, digital payment, or cash withdrawal. Fingerprint scanning is the most commonly used biometric method in the banking industry, according to Biztech magazine. Since Apple introduced Touch ID in 2013, using fingerprints to identify yourself has become far more mainstream. Bank of America, for example, introduced fingerprint authentication and Touch ID in 2015; American Banker reports that more than half of the bank’s customers had used the biometric for mobile access by mid-2017

Global Market Insights says that fingerprint technology will see the most growth by 2024 and that other authentication technologies will soon follow. In particular, the iris recognition market will experience double-digit growth between 2017 and 2024. According to Fortune magazine, dozens of regional banks and credit unions already enable customers to sign into their apps using eye recognition. Wells Fargo, for example, offers an eye-scan option to corporate clients, and in 2019, The Royal Bank of Scotland announced a pilot of payment cards featuring biometric fingerprint technology.

Facial recognition is also set to grow, especially after the roll-out of Apple’s Face ID system. Banking customers can use Face ID to log into mobile apps from U.S. Bank and Citibank, among others.

For more on the strengths and weaknesses of biometric authentication, read our white paper,Biometrics and strong authentication

Growing consumer confidence

Bank customers were once wary of biometric authentication, but their circumspection has been replaced with wholesale acceptance, at least in some countries. A study by the Department of Computer Science at the University of Oxford and Mastercard showed that 93% of consumers in the finance sector are interested in using biometric authentication methods. Moreover, a 2017 EyeVerify survey indicated that 86% of banking customers had used fingerprint recognition at least once within the last year, and 87% of respondents considered the method to be the most secure form of authentication. The same survey further found that 86% of banking customers agree that biometrics make logging into mobile banking apps easier than traditional password entry.

The industry itself, though, is less quick on the draw. The same Oxford and Mastercard study found that while 92% of industry respondents say that they are interested in deploying mobile biometrics, only 13% have already done so.

Risks and drawbacks with adopting biometrics

The financial sector’s reluctance to push forward with biometrics chimes with its time-honored reputation for prudence; the technology is not foolproof. While biometrics are more secure than passwords – it is much harder to replicate a fingerprint or voice than it is to guess a password – hackers’ ingenuity should never be underestimated. Hackers can make dummy fingerprints, using your selfies that they can easily find online. In 2015, the fingerprints of 5.6 million workers were stolen from the Federal Government Office of Personnel Management in the U.S. So, what do you do if your fingerprints are compromised – you can change your password, but you can’t change your fingerprints.

Entersekt uses FIDO technology to enable passwordless authentication. Download The ultimate guide to FIDO for everything you need to know about FIDO and FIDO2.

Moreover, mass market biometrics solutions are device-dependent – consumers must use a specific device to access their biometric information. What happens if your device is stolen? Your device contains your identity, meaning that the thief can now access your accounts. There are server-based models of biometric authentication, but one breach of the central storage area can expose thousands of individuals’ personally identifiable information.

A multi-factor authentication approach

For now, the best authentication approach is to use biometrics (“something you are”) in combination with at least one other factor: “something you have,” such as a smart phone, or “something you know,” such as a PIN or password. At Entersekt, we strongly believe that the first of these second factors is the way to address both usability and security concerns. But whether you agree, or not, a multi-factor authentication strategy is still the most effective approach in the ongoing industry war against fraudsters and hackers.

This post has been updated from its original version published on 22 January 2019. 

Read more about Entersekt's approach to passwordless authentication, which enables biometric and browser authentication use cases.