Friday 17 April 2015

Biometrics for Banking Gets Going

I was recently talking with a senior manager responsible for authentication strategy at a leading retail bank about their views on biometrics for user authentication and whether they were thinking of adopting it. I remember a similar conversation with the same person in 2013, when they declared that biometrics was simply not a possible solution for them; a combination of hardware and software OTP tokens was still the favoured solution.

Moving forward two years, there has been quite a turnaround in their perception of biometrics for authenticating bank customers accessing digital banking services. Biometrics is definitely on the agenda for them, and they have a number of live and pilot projects leveraging biometrics on mobile devices, including support for Apple Touch ID for mobile app authentication.

So what has changed in two years for them? 

I think the fundamental reason is the need for convenient, privacy-aware authentication across a number of banking channels, with the emergence of mobile as the prime banking channel (not forgetting the start of a wearable banking strategy). A hardware OTP token works well enough when a bank customer is accessing banking services from a desktop computer at home, but it simply does not cut it when that same customer is using their mobile phone or calling their bank on a telephone-based service. These 1980s two-factor authentication technologies are also susceptible to Man-in-the-Middle (MitM) and phishing/malware attacks.

This has led banking security professionals to look for alternatives that meet the need to strongly authenticate across a wide range of existing banking channels. The explosion of FinTech-led financial services has also meant that challenger banks are looking at other innovative ways for customers to interact with their banks; biometric authentication gives them the potential to offer customers a usable and secure method of protecting their financial assets when accessing financial services from a range of endpoints.

The use of integrated fingerprint sensors is just one method of providing convenient user authentication for banking, and it will continue to grow as more devices become available. However, I believe that the solutions will evolve and increasingly incorporate other authentication factors and biometric modalities to provide strong security and convenience, for instance by combining face and voice in a multi-modal biometric authentication solution that can work across a range of banking channels. USAA's recent deployment of Daon's IdentityX multi-modal mobile authentication platform is a great example of this.

Depending on the context of the transaction or interaction, you can use either a single modality (voice in an IVR interaction) or a combination of modalities (face and voice for mobile or desktop banking services). The combination of context and security risk will dictate the most appropriate modality or factor to use.

There has also been a lot of debate as to the choice of biometric architecture a bank should adopt: device-centric, where the biometric data never leaves the device, or server-centric, where the user enrols their biometric and the template is then stored by the financial institution. For verification, the matching is performed on the device in the device-centric model and against a stored template in a network database (cloud) in the server-centric model. I think that both models have their merits. I believe that the decision to adopt one over the other (and there will be scenarios where a mixture of both is adopted) will be driven by a combination of privacy/trust requirements and specific business drivers, some of which will be moulded by cultural factors such as the availability of a national biometric database.

For on-device biometric authentication services, I believe that the best approach to meeting privacy and trust requirements is to utilise the embedded security within mobile devices: the Secure Enclave on iOS and TrustZone on ARM-based devices. A great example of this is voice biometric specialist AGNITiO's KIVOX Mobile solution, which leverages TrustZone embedded hardware security using a FIDO-Ready implementation developed by Nok Nok Labs. In this model, the bank customer enrols their voice print on their smart mobile device and can then access mobile banking services securely using their voice for authentication. AGNITiO also supports the server-centric and IVR-based models, ticking the boxes for multi-channel banking.
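To make the device-centric model concrete, here is an added example in Go (not code from the post or from any vendor named in it): a toy voice-print matcher runs on the device, and the only thing that crosses the network is a signature over a bank-issued, single-use challenge, so the template never leaves the handset. The distance matcher, its threshold and the feature vectors are constructed stand-ins; a real deployment would use the vendor's matcher behind a FIDO authenticator in the Secure Enclave or TrustZone.

```go
package main

import "crypto/ed25519"
import "crypto/rand"

// Device: the voice-print template (toy data) and the signing key stay on the handset (Secure Enclave / TrustZone in practice).
type Device struct {
	template []float64
	priv     ed25519.PrivateKey // used for signing only after a local match succeeds
}
// Bank: the relying party holds only the public key and its outstanding single-use challenges, never the template.
type Bank struct {
	pub     ed25519.PublicKey
	pending map[string]bool // keyed by the raw challenge bytes
}
// Enrol generates the device key pair and registers only the public half with the bank.
func Enrol(template []float64) (*Device, *Bank) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{template, priv}, &Bank{pub, map[string]bool{}}
}
// Authenticate matches on-device and, only on success, signs the bank's challenge; the sample and template never leave.
func (d *Device) Authenticate(sample []float64, challenge []byte) ([]byte, bool) {
	dist := 0.0 // squared Euclidean distance stands in for the vendor's matcher
	for i := range d.template {
		dist += (d.template[i] - sample[i]) * (d.template[i] - sample[i])
	}
	if dist >= 0.25 { // toy threshold of 0.5, squared; real matchers tune this against FAR/FRR
		return nil, false
	}
	return ed25519.Sign(d.priv, challenge), true
}
// NewChallenge issues a fresh random nonce so a captured signature cannot be replayed.
func (b *Bank) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	b.pending[string(c)] = true
	return c
}
// Verify accepts a signature only over a challenge the bank issued; the challenge is consumed on first use either way.
func (b *Bank) Verify(challenge, sig []byte) bool {
	k := string(challenge)
	issued := b.pending[k]
	delete(b.pending, k)
	return issued && ed25519.Verify(b.pub, challenge, sig)
}
```

Contrast this with the server-centric model, where the live sample or a derived template would be sent to the bank and matched against its stored copy.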

Apple's Touch ID has certainly changed the perceptions of decision makers in banking security, allowing biometrics to become a serious contender for providing authentication to banking services. There is also a role that biometrics could play in reducing the fraud that is occurring with Apple Pay. There seems to be no problem with Apple's biometric authentication service itself; rather, the problem is with the card activation (provisioning) process, which allows fraudsters to enrol stolen credit cards into Apple Pay and then cash out by purchasing thousands of dollars' worth of Apple kit in-store. Biometrics could close this loophole by allowing the card issuer to validate a legitimate card and its owner using an enrolled voice biometric. Tied in with the card issuer's fraud management system, a customer attempting to enrol a credit card into Apple Pay would receive an automated voice call that verifies the legitimacy of the card holder against an enrolled voice print. I don't feel that this would add much friction to the process, and it would have the positive result of reducing this type of credit card fraud.

I expect to see a lot of innovation in this space, where bank-controlled multi-modal biometrics will complement the integrated mobile biometric solutions deployed by mobile OEMs, enabling customers to securely access full banking services from a wide variety of endpoints.