This article in Banking Technology discusses the need for standards as multiple factors are established and multiple implementations deployed across mobile devices:
“From face recognition, voice recognition to fingerprint scanners on one’s mobile device, today’s very real biometric solutions, were previously considered to be the stuff of science. We are far enough in our appreciation and acceptance in these technologies that, not only are we willing to provide our biometrics in exchange for the convenience of faster phone unlocking but we allow these same details stored on devices – thus, separating them from our physical person and immediate control.
Smartphone manufacturers may well continue to ease the acceptance and path to biometric adoption for other industries and verticals. A small stretch of the imagination sees biometrics potential use in education, financial services, smart homes and internet of things (IoT). The reason for this wide opportunity set is that they help resolve the all-important issue of a “unique identifier” that is difficult to steal, falsify or otherwise easily replicate.
For financial services, regulations such as the upcoming PSD2 have requirements for strong customer authentication (SCA). This will require what is called “two-factor authentication” to ensure the approvals are in place for electronic transactions. Two factor authentication means that authentication of a customer’s identity must be based on 2 or more independent elements:
- knowledge (something only the user knows) – this could be a password;
- possession (something only the user possesses) – this could be a mobile device;
- inherence (something the user is) – this is where the biometric comes in.
Further, fingerprints, voice authentication and face scans are becoming more ideal solutions for cutting down on customer identification costs, while simultaneously increasing the overall know your customer (KYC) criteria. This can go a long way to improving a customer’s experience during client onboarding.
HSBC, for example, is working with FacePhi on biometric projects whose aim is that clients can access to their banking accounts and restricted areas just taking a selfie. Selfie, a concept and word so young it was Oxford Dictionaries Word of the Year 2013.”
There is then the argument for standardization:
“A report by Oxford University and Mastercard – “Mobile Biometrics in Financial Services: A Five Factor Framework” – highlights performance, usability, interoperability, security and privacy as the major factors in accelerating the successful deployment and adoption of mobile biometrics.
The main challenges I see are inextricably linked to those factors. The first is in the need for a common standard for collection, management, and use of biometrics data. With potential use cases as far afield as health, payments and driverless cars the ability to correctly, securely identify an individual across platforms will be key. The Oxford and Mastercard study quotes a GlobalWebIndex statistics that “each a typical digital consumer owned 3.6 connected devices in 2016”. Without embellishing too much, I think this number can and will increase exponentially as we enter the world of IoT.
With so many different uses cases, I think biometric technologies standards are the best way to ensure interoperability and data interchange among applications and systems. While, at the same time, ensuring the requisite security and privacy required. In short, standards are the only way to create a world that we (today) can only imagine, one where your car can verify a payment or your desk verify you did the homework assignment. To arrive at that world, elements such as standard biometric APIs; standard biometric data formats; as well as standard application evaluation and testing criteria will be needed.”
The fact remains that standards take several years to establish and as a result are difficult, if not impossible, to implement when technological advancements occur annually. Identifying me only with one biometric factor puts all the eggs in that one basket, which then incents governments and organized crime to hack that biometric. Multifactor biometrics would be more robust and multifactor biometrics that includes behavioral biometrics would be even better. For the average citizen, keeping all identity keys on a device owned by the individual would likely make the cost associated with hacking the device higher than the value of the data. Living in the US where our government has already failed to protect consumer data several times, I would argue biometrics that are centrally stored and managed is a terrible idea. The FIDO alliance strikes me as an important implementation approach that would address the security needs for the majority of citizens, but it fails to offer the standards this article suggests we need.
Apple, Google, and Samsung are positioned to establish defacto standards, which places our security and trust in their hands. I would feel better about this if only these companies would indicate an interest and investment in identity management that was equal to that spent on emojis ?.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
Read the full story here