The Intersection of Financial Institutions and Technology Leaders

Are Biometrics All They’re Cracked Up To Be?

May 23, 2024

By Ted Goldwyn

Just a few years ago, biometric authentication was at the leading edge in the fight to combat identify theft, data breaches and other types of financial fraud. 

Today, the financial services industry is employing a range of security measures, including multifactor authentication, predictive analytics and artificial intelligence, transaction authentication and in some cases, blockchain. With financial fraud on the rise and criminals growing ever-more sophisticated, many banks and credit unions are continuously evaluating and enhancing their security protocols. 

While biometrics still is a major part of authentication methods, some have questioned their use and privacy protections. 

Verification Versus Authentication
The terms “authentication” and “verification” are thrown around a lot within security circles, and it’s worth revisiting what these security terms mean in practice.

“Identity verification refers to the process of figuring out who is in front of you,” says Allison Miller, cybersecurity expert and founder of Cartomancy Labs, a technical and strategic advisory firm. “In banking, we typically describe that process as ‘know your customer,’ or ‘KYC.’ We’re trying to associate the entity on our website who’s attempting to create an account with a real-world identity. In those cases, we may ask for information like the individual’s driver’s license information, birth date or Social Security number, and then we verify that those details match.” 

In contrast, authentication is the process of confirming the identity of an individual attempting to perform a transaction on an account already established.

“Authentication happens after you have some level of confidence that you have verified the person’s identity,” Miller says. “Authentication is decoupled from verification, and it answers a simpler question: Is the person who’s logging in the one who created the account?”

Authentication methods that include biometric elements — such as fingerprints, iris and retinal scans, facial recognition, and even video-based “liveness” checks — have shown promise in recent years, particularly with the advent of smartphones and other mobile devices that have embedded biometric security features into their native software. But how effective are these methods at authenticating account holders within the financial domain?

A Layered Security Approach
Many security experts cite multifactor authentication (MFA) as the gold standard for account security. MFA employs several layers of security, combining something the users know (like a password), with something they have (like a mobile device or security token) and possibly, something they are (such as a biometric identifier). Like a series of moats around a castle, these concentric layers of security are designed to make it more challenging for criminals to access a user’s accounts.

“The best and most effective use of biometrics is with multifactor authentication or MFA,” says Pete Winninger, director, product manager at Velera, which offers IDCheck, a biometric technology solution credit unions can use to authenticate their members. “The benefit of that layered approach is that if any one of those factors are compromised, unauthorized access can still be prevented because you’re not relying on only one thing.”

“A multilayered approach to authentication increases security while enabling organizations to approve good customers seamlessly,” adds Dennis Gamiello, executive vice president, identity products and innovation at Mastercard. 

“Yet To Reach Its Full Potential”
Whereas industry experts agree that biometrics are an effective method of authentication when used as part of a multipronged security approach, opinions diverge on whether biometrics has reached its full potential.

“Biometric technology remains a significant trend in authentication, and its adoption continues to grow across various industries and with consumers,” Gamiello says. “Biometrics offer a high level of security while fostering seamless user experiences. We also find that biometrics help organizations comply with regulatory requirements like [the European Union’s] PSD2 and the California Consumer Privacy Act.”

In Bank Director’s 2023 Technology Survey, 44% of survey respondents say their bank currently uses biometrics to detect or prevent fraud. That figure is smaller than the percentage that report not using it: Half haven’t adopted it. Most of the respondents were from banks below $10 billion in assets.

Winninger cautions that biometrics has yet to reach its full potential, citing not only concerns around privacy and regulatory oversight, but also the high cost of implementation and questions about the technology’s accuracy. But many of those barriers have been addressed in recent years.

“There’s been some stumbling blocks along the way,’’ he says. “But I think continuous advancements in the technology are helping to overcome those challenges and will help gradually fulfill that initial promise of biometrics. It may not be as buzzworthy as it was a few years ago, but it remains a crucial tool for enhancing security and user experience.”

According to Miller, biometrics are now part of the standard suite of mechanisms large banks use when designing login options for their members. “The technology is mature and available—it’s not bleeding edge anymore,” Miller says. She notes that financial institutions are most commonly using it within the context of the technology that is already built into consumers’ devices, such as the facial recognition and fingerprint scanning functionality that come embedded with modern smartphones, tablets and laptops.

Biometrics in call centers is another matter, Miller adds. “There was a wave of institutions experimenting with voice biometrics, and there are still a few that have authentication workflows using voice printing [a form of biometric data analysis that detects a customer’s unique vocal signature]. A few of these financial institutions were subject to reputational blowback because their customers didn’t like being voice printed.”

Privacy Risks Elicit Concern
Security experts are concerned with some of biometrics’ inherent risks in the areas of privacy, consent and the misuse of biometric data.

“The primary risk with biometrics when it comes to data breaches is the fact that biometric data can’t be changed,” Winninger says. “You can change a PIN or a password, but you can’t change your biometric data.”

But according to Gamiello, this risk may be overblown.“Because an individual’s face, fingerprint or iris is inherently unique, biometrics are hard to replicate, thus making them more secure than passwords that are easily forgotten, lost or stolen,” Gamiello says. “Biometrics can be integrated into and utilized by financial institutions to help mitigate risks, providing an additional layer of authentication beyond traditional methods. And biometrics remain local, meaning your data never leaves your personal device, enhancing both security and privacy. Not only is this safer and more secure, but it is also more convenient for consumers.”

Miller acknowledges the inherent risks with biometric technology but compares it to a “boutique” versus “retail” threat to overall security, as the larger threat remains more prosaic. People, for example, often reuse passwords for multiple sites, making them vulnerable to “credential stuffing” attacks, where a fraudster collects account credentials that may have been stolen years prior and uses them to gain access to all a victim’s accounts.

“From a bank and credit union perspective, the biggest risk — and threat — is that customers reuse their passwords,” Miller says. “Credit unions are seeing a rise in credential stuffing attacks, and if consumers didn’t reuse passwords across sites, that would cut out a lot of the risk. The fat part of the bell curve is really about phishing and password reuse, as opposed to persistent, deep fake empowered, high-tech campaigns. That said, the technology and the threats are evolving rapidly, so smart financial institutions are watching the trends both inside and outside their firm.”

Alternatives to passwords might provide a better option. “While multifactor authentication is a powerful tool,” says Gamiello, “its effectiveness can be enhanced with the use of FIDO (Fast Identity Online) authentication standards, which use public key cryptography to provide secure and seamless authentication experiences.” Leading financial institutions such as PNC Financial Services Group and Bank of America Corp. currently support FIDO Authentication protocols to enhance security and improve customer experience.

The Future Remains Bright
Despite potential privacy concerns, consumers seem to appreciate the convenience and speed of biometric authentication. According to a PYMNTS study, 52% of consumers who have used biometrics prefer the method, making it the most popular authentication method. 

Experts believe that even if the technology isn’t as buzz worthy as it was a few years ago — biometrics will continue to serve an important role as a component of a multilayered security posture. 

“Biometrics will play an increasingly prominent role in identity and authentication as well as shape the future of authentication in banking,” Gamiello says. “Driven by technological advancements, evolving customer expectations, and regulatory requirements, biometric authentication will continue to provide enhanced security and mitigate risk without sacrificing user experience.”

Ted Goldwyn is a contributing writer for Bank Director.