What are the advantages of biometric authentication in replacing passwords?
Biometric technology has a number of different use cases that ease the customer journey.
It can be used as a replacement for the username and password as a convenient log-in, or as a simple alternative to password resets. It can also be deployed to enhance onboarding and KYC (Know Your Customer) methods. It has a tremendous advantage in improving a brand’s user experience.
In today’s hi-tech world, solving the password problem has been the goal for many financial service providers and various online enterprises. Unfortunately, their customers either use weak passwords or reuse the same passwords time and again. Furthermore, many of us should be changing our passwords regularly to avoid them being stolen or hacked by fraudsters.
Remembering old and new passwords is becoming an issue for everyone, not least because of the number of times we are asked to change them following various high-profile data breaches. Even then, only around 25% bother to change their passwords after learning their accounts could have been compromised. If you don’t update your password, you risk losing your identity and possibly your money too. Fraudsters waste no time in using your identity for other things, and recovering your stolen identity can sometimes take weeks. It is happening far too often, as fraud levels and data breaches are still expected to keep rising this year.
So often, when we haven’t used a password for a long time, we request a password reset. Some processes are automatic, but for many people this involves being locked out of their account and having to call the contact centre. Then there is a round of security questions, known as KBA (Knowledge Based Authentication), to go through to prove who you are. You know the ones: what’s your mother’s maiden name, etc.! Yes, it is extremely frustrating for customers. All we want is convenient access to our accounts. The password just gets in the way. Did you know that an average of 40% of calls to most contact centres are requests for password resets? Of course, some of these are fraudulent, when fraudsters pretend to be you! Every organisation has its work cut out in dealing with who is genuine and who is not!
Just take a bank like the USAA, based in the United States. They are seen as pioneers of new tech innovation and of understanding the customer journey. They have addressed the password problem by offering existing customers a choice of biometric credentials, such as fingerprint, face and voice recognition, as well as a non-biometric PIN, in their mobile banking app. They offered this new way of authentication to their customers in 2014. They called it “Quick Logon”. Their mobile customers can now choose to use biometrics instead of usernames and passwords. The customer has become the password. Using a face, voice or fingerprint means customers may never need to remember a single password again. Just using a live selfie together with device recognition allows for a secure authentication process. Yes, this is me! It takes an average of just 2 seconds to verify them. What’s more, it’s cool!
What are the advantages?
So there are many benefits. First, a reduction in calls to the contact centre. A reduction in account takeovers and chargebacks. No further requirements to reset a password. There is a vast improvement in the customer experience, leading to more acquisition of new customers as well as more products being purchased. Customers feel more engaged with their brand. There is also another advantage: when customers do want to speak with a call centre, they can be verified first using their biometric credentials through their mobile device, even before reaching a customer services agent. The USAA offers this as part of their value-added services, replacing the process for KBA. Sounds easy, but it works! Less time spent proving who you are means organisations save time and money, and of course customers are more satisfied.
Offering a choice of different biometric options drives adoption, allowing customers to use their preference depending on environmental conditions. The USAA found that both millennials and baby boomers were the early adopters. 15% were over the age of 65. Why? It stands to reason: they don’t need to remember a password. They also found, in response to a study, that 80% of their customers preferred a biometric option over a password, and people were talking about it on social media. The perception of the brand went up and they started winning numerous awards. Significantly, this caught the attention of many other banks.
Are there any disadvantages?
Using biometrics needs to be put into perspective. Not all consumers are familiar with the technology. Education is a key factor in explaining how and why this technology is used. Also, we all know that sometimes our fingers can be too greasy or sweaty just to open our own smartphones, so using a face, voice or iris is a simple, convenient and secure alternative. Noisy backgrounds can affect voice recognition, and you need good lighting conditions for face capture. Iris needs a strong close-up image to be recognised, which could mean that if you wear glasses, you may have to remove them each time because of lens glare. Other forms of biometrics, such as palm, vein or heartbeat, need additional hardware. It’s not a perfect science and is based on probabilistic measurements and risk scores, so consumers do need reassurance that it is safe and secure.
Also, there is far too much hype and misinformation, which is confusing customers. Anyone trying to fraudulently access your accounts first needs to steal your mobile device. You are soon going to notice if it is lost or stolen.
Multi-modal biometrics, combined with liveness, real-time data, device recognition, geolocation and other security measures, keep your credentials safe.
How has the technology improved?
Biometrics has moved beyond the gimmick phase because it has improved year after year. It’s no longer James Bond technology! Matching algorithms are getting more sophisticated, certainly with regard to facial recognition. The technology has greatly improved because mobile devices have also improved significantly. The latest smartphone cameras now have good-quality resolution, which gives a much better definition of a face and higher performance as a result.
In addition, to prevent spoofing or fraudulent attacks, where someone tries to impersonate you with photos or video playback, random liveness functionality and real-time data are playing a critical role as well. With a selfie, for example, you may need to blink or nod your head. More liveness functionality is being developed as devices become more sophisticated.
Will new regulations be a factor?
At the end of this year, new regulation in the form of the revised EU Payment Services Directive (PSD2) is changing the payment landscape, and it is quite specific when it comes to Secure Customer Authentication (SCA) regarding payments. It’s quite tricky for organisations to ensure they have an SCA process without using a biometric component. Biometric modalities are an obvious choice to provide this, particularly as one of the conditions set out in the SCA guidelines regarding Two-Factor Authentication (2FA) is something that is inherent to you.
What does that mean? The element of inherence is something that is a unique human characteristic, such as your face, voice, iris or fingerprint, and that will be acceptable under SCA.
The European Banking Association (EBA) is still in a consultation period, reviewing a large number of recommendations. We should hopefully know about the final technical standards over the next couple of months, before the deadline for implementation by 13th January 2018, although SCA will possibly have an additional short time frame for implementation after this date.
Many existing customers will no doubt be familiar with using mobile banking, and they are already using the fingerprint function on their smartphones. Some organisations have set up Touch ID for access, but it may not be enough to satisfy regulations regarding payments authentication. Furthermore, a step-up authentication that combines more than one form of authentication method, such as a combination of face and finger, or face and voice, or another biometric and PIN, combined with your device, may be more suitable to address the new regulations and related technical standards.
Although this might appear to create more friction in the customer journey, it is actually quite simple. It will just be a case of customers getting familiar with how they use their biometric credentials. The upside is that once a customer biometric profile is created, it sort of becomes your passport. Customers can then verify themselves each and every time, replacing the simple task of verifying by a password, or even as an alternative to 3D Secure methods.
As with everything, it comes down to security and risk. Low-risk customers do not need to jump through so many hoops. Simple access should be acceptable in most cases with one biometric. However, if customers want to do more, then step-up processes are likely to be required. It is a balance between being convenient and yet secure, removing the friction that so many customers have to endure.
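The step-up idea above can be made concrete with a small policy check, given here as an added example that is not part of the original article. It groups verified factors into the three SCA element categories (knowledge, possession, inherence), so that two biometrics still count as a single category. The factor names, action names and required counts are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Factor -> SCA element category. Factor names are illustrative assumptions.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "registered_device": "possession",
    "face": "inherence", "voice": "inherence",
    "fingerprint": "inherence", "iris": "inherence",
}
ALL_CATEGORIES = frozenset(CATEGORY.values())

# Assumed policy: number of distinct categories required per action.
REQUIRED = {"login": 1, "payment": 2}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    step_up: tuple = ()  # categories the user can still be prompted for


def evaluate(action, verified, liveness_passed):
    """Decide whether the verified factors are enough for the action."""
    if action not in REQUIRED:
        raise ValueError(f"unknown action: {action}")
    unknown = set(verified) - set(CATEGORY)
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    # Face + fingerprint collapse to one category: both are inherence.
    cats = {CATEGORY[f] for f in verified}
    # A biometric sample that failed the liveness check (photo or video
    # playback) is treated as if no biometric had been presented.
    if not liveness_passed:
        cats.discard("inherence")
    if len(cats) >= REQUIRED[action]:
        return Decision(True)
    return Decision(False, tuple(sorted(ALL_CATEGORIES - cats)))


if __name__ == "__main__":
    # Constructed sample sessions.
    print(evaluate("login", ["fingerprint"], True))
    print(evaluate("payment", ["face", "fingerprint"], True))
    print(evaluate("payment", ["face", "registered_device"], True))
```

A fingerprint alone passes the low-risk log-in but not the payment, and adding a second biometric does not help until a factor from another category, such as the registered device or a PIN, is verified.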
With the rise in mobile banking and transactions, organisations are now starting to realise the importance of what the technology can bring in enhancing the user experience, as well as in providing a more secure and convenient log-in and payment authentication. Many companies are trying to solve the issues around friction in the user experience, so the world of biometrics is seen as one answer.