How Biometric Authentication Could Revolutionize Cyber Security in the Financial Industry

16 July 2020

Passwords are the most compromised authentication credential. Even data from Verizon shows that up to 80% of all hacking breaches involve passwords. So, what interventions are financial institutions supposed to implement when nearly all their customers use passwords as the primary (and sometimes only) authentication credential? How do these institutions keep their customers’ personally identifiable information (PII), including bank account numbers, and the accounts themselves safe?


Until recently, you’d say multifactor authentication (MFA). Well, it compensates for the weaknesses of passwords by introducing an additional security layer. Unfortunately, it’s not as effective as it sounds. While multifactor authentication has proved to be a much-needed advancement in online security, it still comes with a few sticking points.

Shortcomings of Multifactor Authentication

Aside from cost, which is perhaps the biggest challenge in implementing multifactor authentication, financial services providers face three key MFA impediments:

  • Usability issues 

Having MFA means that you’ll be redirecting users to a separate service for authentication. Even with an SMS OTP (One Time Pin), the user must get out of the flow and check their SMS inbox. Or, they may have to open their email or receive a computer-generated call.

All these actions significantly hinder user experience, to the point where if it’s voluntary, most users avoid MFA.

Gmail by Google is a classic example. For almost seven years, Gmail has provided users with the option of two-factor authentication (2FA). But, according to Google software engineer, Grzegorz Milka, only about 10% of their customers use 2FA.

  • Inherent security vulnerabilities of MFA

The easiest way to demonstrate these inherent vulnerabilities is to imagine using an SMS OTP, which is by far the most common MFA strategy. Surprisingly, determined hackers can still gain access to and even hijack OTP messages. It happened during political campaigns in the US, Iran, and Russia.

Additionally, OTP-based authentication is also vulnerable to man-in-the-middle attacks. Hackers have developed advanced tools to thwart out-of-band two-factor authentication by tricking users into visiting counterfeit websites. Once the user provides their credentials at the fake site, the hackers forward the information to the legitimate site, which then sends the real OTP.  

  • Setting up and running MFA is a complex process

First off, to set up multifactor authentication in an industry as sensitive as finance, you need the best MFA technologies. And, if you decide to outsource, then you must find a reputable MFA solutions provider. Of course, in the finance industry, trusting outsiders is a big deal.

So, assuming that you decide to do it in-house, the next headache becomes integrating the MFA system with the rest of your business system. Depending on your current system, you may need additional drivers, experts, and a means to check the environment for threats continuously.

And, that’s before you consider factors such as support, maintenance, and backup. For instance, what happens if the user loses their mobile device? Is there a way for them to gain emergency access? Or are they locked out for good?
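
The counterfeit-site relay described under the inherent security vulnerabilities of MFA works because an OTP is derived only from a shared secret and the time, so the server cannot tell on which site the digits were typed. The following is an added example, not part of the original article: it contrasts a standard RFC 6238 TOTP check with a response that is bound to the site origin, using HMAC as a simplified stand-in for the public-key signature that origin-bound authenticators use. The origins, keys, challenge, and timestamp are constructed.

```python
import hashlib
import hmac
import struct

BANK_ORIGIN = "https://bank.example"             # constructed, hypothetical
LOOKALIKE_ORIGIN = "https://bank-login.example"  # constructed, hypothetical


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on secret and time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_otp(secret: bytes, submitted: str, now: int) -> bool:
    """The server can only compare digits; nothing says where they were typed."""
    return hmac.compare_digest(totp(secret, now), submitted)


def sign_assertion(device_key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """Authenticator side: the response covers the origin the browser is on."""
    msg = challenge + b"|" + origin_seen.encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def server_accepts_assertion(device_key: bytes, challenge: bytes, assertion: bytes) -> bool:
    """Server side: recompute the response for the bank's own origin only."""
    expected = sign_assertion(device_key, challenge, BANK_ORIGIN)
    return hmac.compare_digest(expected, assertion)


def compare_factors(now: int = 1_594_857_600) -> dict:
    """Return what the bank's verifier decides in each situation."""
    seed, key, challenge = b"constructed-otp-seed", b"constructed-device-key", b"nonce-123"
    otp = totp(seed, now)  # identical digits no matter which site asks for them
    return {
        # OTP typed on the look-alike site and forwarded 5 seconds later
        "otp_forwarded": server_accepts_otp(seed, otp, now + 5),
        # Origin-bound response produced while the browser was on the look-alike
        "bound_forwarded": server_accepts_assertion(
            key, challenge, sign_assertion(key, challenge, LOOKALIKE_ORIGIN)),
        # Origin-bound response produced on the genuine site
        "bound_direct": server_accepts_assertion(
            key, challenge, sign_assertion(key, challenge, BANK_ORIGIN)),
    }
```

The forwarded OTP verifies, while the origin-bound response verifies only when it was produced on the genuine site, which is the property to look for when evaluating a second factor against this class of phishing.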

Advantages of Biometric Authentication

Biometrics is taking center stage as a means to strengthen security in the finance sector, without merely adding more PINs and passwords. 

From open-banking apps and digital wallets to mobile commerce and in-purchase apps, financial institutions are finding that layering existing security protocols with biometrics improves fraud prevention while significantly boosting user experience.

Four biometric authentication approaches that are especially making a difference are:

  • Fingerprint authentication 

In fingerprint scanning, the user presses a selected finger against a fingerprint scanner, often located on the back of their phone, to verify identity. As such, the user doesn’t need to break from the transaction or switch to a different phone application.

More importantly, fingerprints are near-impossible to forge or duplicate. This effectively rules out the possibility of unauthorized access even if the device is lost.

MasterCard is one of the companies currently using fingerprint scanning for authentication. The company issues payment cards with an embedded sensor that swiftly and reliably scans the user’s fingerprints for identity verification. Google Pay and many biometric ATMs also use fingerprint scanners.

  • Voice recognition 

Voice, just like fingerprints, is unique to the individual. Our respiration and soft-tissue cavities are matchless. Our jaw movements and mouth structures are also unique. As such, the voice patterns we produce are distinctive in not only pitch but also dynamics and intensity.

Therefore, voice biometrics are impossible to impersonate. What’s more, voice recognition systems work in a way that they can’t confuse natural speech with a recording. Besides, background noise also can’t compromise the authentication process.

Several banks around the world now use voice authentication, including HSBC in the UK. The benefits?  It’s contactless, convenient, user-friendly, and cost-effective.

  • Facial recognition 

Facial recognition utilizes two key technologies: geometric recognition and statistical photometry. In geometric recognition, artificial intelligence algorithms scan the user’s facial features to determine if they match the data in the database. The statistical photometry approach, meanwhile, involves scanning the face and distributing the image data into values. The values are then compared to templates stored in a database.

Facial recognition stands out for being simple to implement and near-impossible to duplicate. 3D facial recognition is particularly reliable because it’s not affected by makeup or changes in lighting.

Some of the best examples of facial recognition at work are in Thailand, where more than six banks, including Siam Commercial, Bank of Ayudhya, CIMB Thai Bank, and TMB Bank, use it for Know Your Customer verifications.  

  • Eye print scanning 

Finally, eye-print scanning involves scanning different eye parts such as the iris, sclera, or retina to establish an individual’s authenticity.

Scanning the retina and sclera, in particular, is one of the most reliable authentication methods as it involves scanning the person’s unique blood vessel patterns. It’s impossible to false-match blood vessel patterns. Unfortunately, these two methods entail examining the eye at very close range – something most users can’t stand.  

As a result, iris scanning is the most preferred eye-scanning method. Even better, iris scanning can identify a user wearing contact lenses or eyeglasses. Wells Fargo is one of the best-known banks that currently uses iris scanning to authenticate customers.

How to Get Started

There are a few other biometric authentication approaches, including behavioral biometrics and hand geometry. NIX Solutions can help you assess these options to determine which would best suit your operations. Contact us today to learn more.