The views expressed in this article are solely those of the author and should not be attributed to the European Payments Council.
Twenty years is a long time for any technology to be ‘nearly there’. Yet over this time the promise of biometrics - to use an individual’s physical or behavioural characteristics to verify their identity - has remained enduringly popular. An appealing idea, however, is not a formula for mass market adoption. Until recently biometrics’ quest to ‘break through’ had been thwarted by a range of factors, from accuracy and reliability (too many false rejections/acceptances for commercial acceptability [1]), to the lack of industry standardisation and the high costs of deployment. There were widespread concerns too about security, from both the user and the service provider perspectives; after all, biometrics are only as secure as their storage mechanism, and fears were often raised about security, particularly relating to the channel used to connect the biometric reader to the system verifying the data [2].
The right ingredients enable rapid progress
More recently, however, real progress has been enabled via the combination of smart device-centric biometrics tech, like Apple’s Touch ID, and the market ‘pull’ created by consumer demand for mobile banking and mobile payment services. In both of these cases, biometric solution development has been driven by the desire to raise the level of user convenience. The resulting solutions are now laying to rest many of the old concerns and, as a result, are giving biometrics a much-needed springboard to mainstream adoption.
To track these developments, Mobey Forum’s Biometrics working group has conducted a survey amongst its international membership, resulting in 235 respondents from Europe, North America and the Middle East, 59% of whom were from banks and other financial institutions and 32% from solution providers. The study focused on the applicability of biometrics as a method of identification, authentication and authorisation for services in mobile banking and payments and explored current attitudes to biometrics within the banking industry, the key use cases, industry drivers and obstacles standing in the way of progress.
The results gave us some great insights into the recent state of biometric services in the banking and payments ecosystem globally.
Biometrics are a banking priority
To begin with, the study revealed that biometric services are a clear priority for banks around the world. Of the respondents, some 22% of banks already offer biometrics to their customers and 65% are planning to offer services in the ‘near future’. More than half plan to launch fingerprint biometrics for their end users, with an additional 21% focusing on voice recognition.
Authenticating the user during the login process and during payment or transaction confirmation was cited by 70% as the most important use-case for biometrics in financial services.
Indeed, amongst the key drivers explored in the study, nearly half of all respondents stated that it is the convenience for their customers, together with the desire to be viewed as an innovative and advanced bank, which makes biometrics so appealing.
Where are we now?
There are, however, a number of obstacles that still need to be overcome.
Accuracy in biometrics technology continues to vary by type and by technology; for example, swipe fingerprint sensors are cheaper but less accurate than static fingerprint sensors [3]. Iris recognition is generally considered one of the most accurate biometric modalities but is difficult to deploy at scale since it requires infrared illumination, which may explain why only 3% of our respondents have plans to use it, compared to 31% for fingerprint and 14% for voice recognition.
Security also remains a concern, not least because there are so many links in the biometric confirmation chain. Apple’s Touch ID was hacked by German security researchers shortly after launch using latex glue to copy a fingerprint, although the attack is not viewed as easily scalable. Hackers have also demonstrated the ability to bypass fingerprint scanners on Android phones and remotely harvest fingerprints [4] before they reach a secure processor. But while theft and spoofing of biometrics is frequently demonstrated to be possible, doing so in order to successfully commit identity fraud continues to be rare.
Mobile handset security is important and is already a huge area of independent development, championed by secure technologies like GlobalPlatform’s Trusted Execution Environment, together with the use of the Secure Element (embedded or removable) for the secure storage of cryptographic keys, biometric templates and certificates, for example.
The development of security evaluation and certification for biometric systems will enable banks to assess risks and provide reassurances to customers. Work here is well underway. Biometrics Testing and Evaluation (BEAT), a programme funded by the European Commission, is developing a Common Criteria framework, together with an open evaluation and validation platform complete with tools and standardisation documents. When development is complete, we expect BEAT to significantly contribute to the development of a European identification certification system.
Standardisation of mobile biometric verification remains at an early stage, although there are efforts underway to make faster progress with Visa and MasterCard now in the process of issuing biometric specifications. While 6% of the banks surveyed remain concerned about the lack of handset standardisation, the concept of an open interface, rather than a proprietary one such as Apple’s, is viewed by 83% as interesting. This viewpoint is further supported by the fact that one in five cited the ‘dependence on technology providers’ as a key issue for concern.
Forecasters are optimistic
None of these obstacles is insurmountable, however, and the future for biometrics in mobile banking and payments is looking bright. Goode Intelligence [5] forecasts that by 2017 there will be over one billion users accessing banking services through biometric systems.
Tractica [6] predicts that shipments of biometrics devices for the financial sector will rise from 4.7 million units in 2015 to 43.7 million annually by 2024, producing cumulative shipments of 212.4 million devices. At the same time, Tractica anticipates that financial biometrics hardware and software revenue will increase from $126 million in 2015 to $2.2 billion in 2024. Goode Intelligence, by contrast, forecasts that by 2020 banking use of biometrics will contribute US$5.5 billion in revenue for companies involved in delivering biometric systems to the banking industry alone.
Key factors to consider
In order to move forward successfully with biometrics, banks and payment service providers must carefully consider a number of strategic questions, each of which brings forth its own set of advantages and drawbacks. Chief among these are their choice of systems architecture (device or server-based) and their preferred modality of biometric (fingerprint, voice, iris etc.). A thorough exploration of these questions remains beyond the scope of this article, but can be reviewed in Mobey Forum’s latest biometrics report, ‘Biometrics in Payments: Touching Convenience’, freely available here.
What do consumers want?
Respondents to our survey cited ‘customer convenience’ as the most important reason for banks to engage with mobile biometric services. This came ahead of ‘wanting to be seen as innovative’ and was more than twice as important as ‘being perceived to be secure’, implying that banks do indeed believe that consumers view convenience as more important than security.
That said, it is worth noting that consumer opinion in this area may yet change, particularly given that biometric data defines the individual in a way that passwords and other credentials do not. With this in mind, privacy, correct protection of user data and the analysis and further use of data are areas that banks should treat with great sensitivity.
What does the future hold?
Current commercially available biometrics solutions really are just the tip of the iceberg, and need not be limited to physiology. Behavioural ID, which analyses the unique traits of each device user, has the potential to remove friction from the authentication process entirely. Keystroke patterns, mouse movements, key locations and a range of other identifiers are being explored, both for identification and fraud prevention, some of which have delivered 97% accuracy in trials [7]. Even then, is a 3% margin of error acceptable? Certainly not for the mass deployment of mobile financial services.
The future lies in combining biometric forms. A layered approach should drive long-term adoption by delivering the right blend of convenience and security. It’s easy to envision a mobile banking and payments world where a behavioural metric may grant user access to an account statement, for example, but a physiological validation, like a fingerprint, is needed to authenticate a payment or permit deeper access to account information.
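The layered approach described above can be written down as a step-up authentication policy. The sketch below is an added example, not code from Mobey Forum or any vendor: the action names, the 0.90 behavioural threshold and the 60-second fingerprint freshness window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_fingerprint"


# Assumed policy values: the article names the two tiers but gives no numbers.
BEHAVIOURAL_THRESHOLD = 0.90   # minimum behavioural match score for low-risk access
FINGERPRINT_MAX_AGE_S = 60     # a fingerprint match older than this is not reused
LOW_RISK_ACTIONS = {"view_statement"}


@dataclass
class Session:
    behavioural_score: float                         # 0.0-1.0, from a behavioural engine
    fingerprint_verified_at: Optional[float] = None  # epoch seconds of last match


def fingerprint_fresh(session: Session, now: float) -> bool:
    """True only if a fingerprint match exists and is recent (and not future-dated)."""
    ts = session.fingerprint_verified_at
    return ts is not None and 0 <= now - ts <= FINGERPRINT_MAX_AGE_S


def decide(action: str, session: Session, now: float) -> Decision:
    """Return ALLOW, or STEP_UP when a fresh fingerprint is still required."""
    if fingerprint_fresh(session, now):
        return Decision.ALLOW                 # strongest factor satisfies every tier
    if (action in LOW_RISK_ACTIONS
            and session.behavioural_score >= BEHAVIOURAL_THRESHOLD):
        return Decision.ALLOW                 # frictionless path for low-risk access
    # Payments, deeper account access, unknown actions and weak behavioural
    # scores all fail closed to the physiological check.
    return Decision.STEP_UP


if __name__ == "__main__":
    now = 1_000.0  # constructed timestamps for illustration
    print(decide("view_statement", Session(0.95), now))
    print(decide("authorise_payment", Session(0.99), now))
    print(decide("authorise_payment", Session(0.99, 990.0), now))
```

Because the low-risk path is an allow-list, any action not explicitly marked low-risk is treated like a payment, and a high behavioural score alone never authorises one.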
Collaboration is the key
Over the last three years, huge progress has been made in steering mobile biometrics into the hands of mobile banking and payment customers. Use cases are now well defined and the enhancements to the user authentication experience have been welcomed as a result. The challenges that now lie ahead should be addressable with relative speed, but only if the myriad stakeholders in this complex ecosystem are prepared to collaborate in support of the development of an open and interoperable ecosystem. Mobey Forum’s Biometrics working group is already engaged with vendors, banks, standards and regulatory bodies in a bid to accelerate this work and welcomes additional input from other stakeholders across the industry.
Mobey Forum, an independent non-profit organisation, is a global industry association empowering banks and other financial institutions to lead in the future of financial services.