Britons are placing their trust in banks over government agencies, according to new research from Visa to protect their biometric data such as fingerprints and iris scans. Consumers are nearly twice as likely to trust banks to store and keep their biometric information safe (60%), than they are to trust government agencies (33%).
When asked who they would trust to offer biometrics authentication as a service to confirm identity, the largest percentage selected banks (85%) and payment networks (81%) ahead of global online brands (70%), and smartphone companies (64%). This level of trust has grown significantly in the past two years, up by 20 percentage points from 65% in 2014, when the Visa Biometric Payments study was first conducted.
Nearly two-thirds of consumers (64%) want to use biometrics as a method of payment authentication and familiarity is increasing the comfort level of British consumers. The growth in fingerprint authentication for mobile payments is bringing to life the benefits of biometric authentication, which is why 80% of the people surveyed said they were the most comfortable with fingerprint recognition. Fingerprint authentication (88%) is also viewed as the most secure form of payment, ranking higher than other biometric authentication options such as iris-scanning (83%) and facial recognition (65%).
Commenting on the Biometric Payments research, Kevin Jenkins, UK & Ireland Managing Director at Visa said “Banks have a tremendous opportunity in this payment revolution. From trialling voice recognition to behavioural biometrics for authentication, we’re already seeing banks – both high street and challenger banks, alike – making positive steps to adopt this technology in a variety of use cases. This consumer confidence in both authentication as well as the storage of their biometric data gives banks the perfect win-win scenario, enabling them to provide a service that the public wants which will also benefit the banks, themselves.
“Visa is already supporting a number of institutions in the development of emerging forms of authentication. We will continue our role as an enabler of payments and will remain tech agnostic when working with banking partners to ensure that new and emerging forms of payment authentication take place securely, conveniently and discreetly.”
Commenting on this, Robert Capps, VP of business development at NuData Security said “This study establishes that there is a strong desire on the part of consumers to have a secure user experience when interacting and transacting online. The desire, may not align with the reality of the situation. Physical biometrics such as fingerprints, selfies and voice authentication aren’t fool proof, and there are challenges that may block widespread adoption in non-face-to-face interactions.
The fact that 85% of respondents see banks as the most trusted institution in the provision of biometric authentication isn’t surprising, given that they are part of the authentication lexicon, and solutions such as Apple’s Touch ID have given consumers a glimmer of the future of biometrics, while delivering outstanding user experience.
Physical biometrics can be part of a good multifaceted approach, but they are still static data points that can potentially be misused in the wrong hands. While not generally acknowledged by the general public, fingerprints, voice and retinal scans can be spoofed. And, unlike passwords, physical biometrics can’t be changed. It’s the lasting and permanent nature of physical biometric data that may have more negative impacts than passwords since, as in the OPM Breach, once these have been released into the wild, they pose a risk for the lifetime of the victim who can do nothing to change this core data.
Loss of fingerprint data is not just a theoretical concern, as several large breaches over the last couple of years have exposed fingerprint data en-masse. As stolen data is often traded and consolidated into larger, more accurate profiles that can be re-used for a number of nefarious purposes from espionage, to identity theft, and financial fraud. Selfies and voice biometrics have contextual issues, like, it may not always be appropriate to take a selfie or provide a voice sample to authorise an online transaction. Particularly in a place where such activity may be frowned upon or disruptive (such as a meeting, on public transit, airports, or in a culturally sensitive place). Beyond social and cultural issues, there are concerns how a move to physical biometrics may provide a false sense of security to consumers and institutions, given the wealth of physical biometric data that is shed by a person through their day-to-day life.
While liveness verification has become a standard in modern physical biometric verification systems, they are not without flaws that allow pre-recorded or captured biometric data to be replayed. Voice samples are recorded with every voicemail you record. Fingerprints are left behind on every object you touch. Your iris and facial data is recorded with every photo you pose for. Recent data breaches have also shown that high fidelity physical biometric data can be stolen in bulk, just like credit card numbers and user credentials – effectively making these physical biometrics more static data that can be stolen and reused to impersonate you in non face-to-face transactions.
The true strength of behavioural biometrics is in providing trust. While the consumer trusts the fingerprint, or the voice print, retinal scan or any other visible security the bank may choose, that is what they see and how they feel – it’s the guard at the door, if you will. Using passive and invisible behavioural biometrics (BB), the bank can also have full trust in their key objectives, protecting the user account and providing a good customer experience. In this way BB solutions can draw a straight line to a trust-trust relationship between banks and customers.
Another advantage of BB solutions is that they use non-static signals and indicators of human identity – signals that cannot be stolen, reused or replayed for impersonation. It can therefore provide a high degree of confidence in the identity of the user. Passive biometric solutions identify suspicious activity in a completely passive and non-intrusive way by understanding how a legitimate user truly behaves in contrast to a potential fraudster with legitimate information. So, even if the fraudster has your spoofed fingerprint, and all of your account information, organisations can look at your behavioural events, biometrics, device, geography and other layers to determine if you are the real actor behind the device or fingerprint.
Additionally, with BB, users can even be rewarded for good behaviour with a white glove experience, or extra perks and incentives, giving banks and e commerce companies the unheard of potential to actually improve their brand experience with their security layer.”