Current implementations of biometrics for personal authentication are likely to be less accurate than commonly thought, even though they are hard to escape: they are ubiquitous in modern personal technology such as smartphones. Evan Schuman shares some thoughts on the topic in Computerworld:
“Biometrics is supposed to be one of the underpinnings of a modern authentication system. But many biometric implementations (whether that be fingerprint scans or face recognition) can be wildly inaccurate, and the only universally positive thing to say about them is they’re better than nothing.
Also — and this may prove critical — the fact that biometrics are falsely seen as being very accurate may be sufficient to dissuade some fraud attempts.”
Biometrics: One-to-One Use Case
The current broad-scale implementations generally revolve around personal use of mobile phones, which are transitioning from fingerprint authentication to facial recognition. In these cases, biometrics are used for one-to-one authentication: the user authenticates themselves on their own device. This gives the user a potentially false sense of security, especially among the growing group of users who actively pay for items using their mobile wallet, a trend covered in Mercator’s report on wallets published this summer. Most users pay using near-field communications (NFC) tap-to-pay technology, but the most common method of unlocking the phone remains biometric authentication. What the user in a personal use case does not understand is the error rate in biometrics. Schuman adds details to highlight the inconsistencies in actual use:
“Roger Grimes, a defense evangelist at KnowBe4, wrote on LinkedIn about the National Institute of Standards and Technology (NIST) evaluation ratings. As he explained: ‘Any biometric vendor or algorithm creator can submit their algorithm for review. NIST received 733 submissions for its fingerprint review and more than 450 submissions for its facial recognition reviews. NIST accuracy goals depend on the review and scenario being tested, but NIST is looking for an accuracy goal around 1:100,000, meaning one error per 100,000 tests. So far, none of the submitted candidates come anywhere close,’ Grimes wrote, summarizing the NIST findings. ‘The best solutions have an error rate of 1.9%, meaning almost two mistakes for every 100 tests.’”
Biometrics: Many-to-One Use Case
Challenges remain for many-to-one implementations at the point of sale, where error rates must be close to zero to give both merchants and consumers trust in the transactions. These challenges are being met head-on through pilots and trials. As I wrote last week, biometrics in payment transactions, such as facial recognition, are still at an early stage of emerging. Visa is using events like the World Cup to run small-scale trials, in this case testing facial recognition at just three coffee shops in Doha during the World Cup. These trials, led by large-scale legacy providers, are critical to advancing the technology while the error rate is still too high for broad acceptance. The only way to reduce errors is to accept that there are imperfections while continuing real-world testing in these small but meaningful pilot programs.
Other payment industries that use biometrics more widely should also be aware of the potential for errors and be upfront with their merchants and consumers about the current state of accuracy. One example that could lead in both development and transparency is campus cards, which are increasingly being adapted to use both fingerprint and facial recognition technology for access control and payments at campus locations. In the quest for more accurate authentication, the campus card environment provides an opportunity for large-scale testing within a tight community.
Overview by Jordan Hirschfield, Director of the Prepaid Advisory Service at Mercator Advisory Group.