With increase in mobile banking and transactions, banks are increasingly looking at new ways of providing a secure and yet convenient way of authenticating its customers. Fintechs, banks and vendors are also working towards providing the customers a seamless
and user friendly experience while providing them the security and comfort that they can transact in peace. Protecting the customer from the different means of online threats has assumed greater significance from a bank's perspective. So banks are looking
at ways and means by which a secure and simple user experience can be achieved without burdening the customer with layers of authentication measures.
Authentication methods
The conventional method of authentication is by a combination of user id and password. With so many user ids and passwords being used across various websites and applications, remembering the password is a big issue. Add to that the forced change of passwords
at periodic intervals, not being able to use the old passwords, different password rules and the issue becomes much more complex. And then there is the overlying problem of cyber criminals who can initiate a brute force attacks and crack the password. So banks
have introduced other methods to overcome this problem.
There are other alternatives to the password problem like two factor authentication, passphrase, PINs, biometrics etc that are in practice today. The idea behind using more than one means of authentication is that even if one factor is compromised or breached
by some means, the other one can still act as a gateway to protect again unauthorised access.
Passphrases : The idea is to ask a personal question to validate the identity e.g. mother's maiden name, first school attended, pet's name etc. This is used typically when the password is forgotten or needs to be reset. But the problem is most of the information
can be found on the Internet, in social networking sites like Facebook without much effort.
Two factor authentication : In this method, in addition to the username-password combination a token is required to complete a transaction. The token could be an email or a text message sent to the customer's phone. So even if a hacker manages to crack the
password, the token may not be known to proceed with the transaction. This is considered to be more secure than the passphrase but the assumption is that the customer's phone is accessible nearby.
PINs : A Personal Identification Number (PIN) is pretty much like the password except that it is numerical in format commonly used in ATMs. This number has to be memorized to prevent misuse.
Biometrics : Biometric authentication typically means using the face,iris / retina scans, fingerprint or voice recognition instead of using the user id and password. So biometrics can be used as an effective replacement for the user id and password method
of authenticating the customer and can be seen as a more secure solution to the authentication problem.
What are the advantages
The advantages of biometrics can be summarized as:
Improved security: Biometric data like fingerprint, voices, eyes etc are unique to a user. They are hard to mimic. Passwords, PINs can be shared but fingerprints or retina scans cannot be shared.
Improved customer experience: It saves the customers the hassle of remembering passwords and PIN numbers.
Cannot be forgotten or lost: The means of authentication is with the user always. No extra effort involved in remembering and reproducing the authentication information.
Reduced operational costs: Banks do not have to rely on different systems for password / PIN generation, maintenance, reset. Other costs in running a contact center and employing personnel to help customers in the process of resetting the passwords can also
be saved.
Is biometrics the best option
However biometrics are not foolproof. Biometric authentication technology has vastly improved over the last few years but is still evolving and hence susceptible to errors however small percentage they may be.
Some of the disadvantages include:
External factors: The surrounding environment and usage can affect the success rate of matching biometric information. E.g in the case of voice recognition, noisy background can alter results. The lighting conditions or wearing glasses can affect facial
recognition.
Alternate options: If, even by a wild figment of imagination, James Bond or Mission Impossible technology were to become reality one day in future and technology evolves to a stage where biometric information becomes easily reproducible, then unfortunately
there is no reset button. Biometrics cannot be reset once compromised.
Accuracy: Biometric matching algorithms are complex but not 100% accurate.
Additional costs: Banks will have to invest more in obtaining and storing the information in a secured way. Investments may have to be in the form of additional devices, encryption mechanisms, storage etc. Else customers will not be forthcoming to share
biometric details with the bank.
Different bank accounts: A customer having accounts in 2 banks may opt for different authentication mechanisms in both places e.g Fingerprint authentication in Bank 1 and Iris scan in Bank 2. If the customer has multiple accounts in the same bank or accounts
in more number of banks, then again remembering which method to use for which account in which bank becomes an issue.
Beyond simple biometrics
While biometrics seems to be a far more secure way of authentication because of some of the issues listed, there is always the chance that the biometric matching may throw up some false results wherein a genuine customer is denied access or hacker is provided
with access. To avoid that multifactor biometrics may have to be considered. So a combination of face and fingerprint or voice and iris will definitely provide the banks and customers with the comfort that the accounts and transactions are well protected.
However face, eyes, fingerprint are all physical biometrics and they have their shortcomings. What if the mobile that was used for accessing accounts is stolen. How can banks be assured that it is the same customer using the phone for the next transaction.
The next logical step in the biometric journey is to think beyond physical or static biometrics and extend it to behavioural biometrics. Behavioural biometrics provide a continuous way of authenticating the customer and not just at the time of login. Behavioural
biometrics involves analyzing many parameters like gait, typing speed, style, facial expressions, location etc. Together these factors create a far safer method of verifying the customer and also provide a frictionless banking experience.
Biometrics is here to stay as an integral part of the digital banking experience and customer is becoming the password.
Disclaimer: The views expressed in this blog are those of the author and do not in any way represent the views of Infosys