In Tuesday's New York Times, the Room for Debate blog took on concerns surrounding the growing use of biometric authentication in the banking sector. Typically these arguments are more polarizing, with a traditional "A IS GOOD vs. A IS TERRIBLE!" style of debate. But when it came to Biometrics, something interesting happened: both sides agreed that Biometric Authentication is an imperfect, and sometimes deeply flawed, science. They merely disagreed on the implications of that for banking security.
Look, Biometric Authentication is LIGHT YEARS ahead of static passwords and easily-researchable security questions. It's here to stay. The debate isn't whether or not banks should utilize biometric authentication - the debate is whether these financial behemoths should be relying on biometrics as their sole, or even their main, first-stage fraud solution. To make a football analogy, the Carolina Panthers would never say to their quarterback "Hey, Cam, you're revolutionizing the quarterback position and doing things we never thought possible - we can just rely on you and don't need to have an offensive line, or receivers, or running backs - I'm sure you can do it all and won't fail." No coach would ever say that. Of course not. After all, that's the Chicago Bears' patented offensive strategy.
So let's take a deeper dive into the challenges presented by Biometric Authentication:
1. Just Because It's Biometric Doesn't Mean It's Not Data
Target. Snapchat. Ashley Madison. Data breaches that have exposed the personal information, home addresses, credit card information, or even Social Security Numbers of customers and employees have made front page news on dozens of occasions. As Claire Gartland of the Electronic Privacy Information Center points out, citizens have action steps they can take when this type of information is released. They can cancel cards or apply for new SSNs. But what recourse do people have when biometric information is leaked? The Office of Personnel Management has already admitted that 5.6 million fingerprints were stolen in a recent data breach, and hackers have already shown their ability to replicate fingerprints and iris scans to game security systems. Voice biometrics has similar flaws. If your customer data can be breached, so too can your biometric data (regardless of the encryption or tokenization).
2. Do Your Customers Trust You?
Just because I'd let my friend hold $100 for me doesn't mean I'd trust him to hold onto my fingerprints and DNA. I've seen enough Law & Order to know better. Biometric authentication brings about very real Orwellian concerns on behalf of consumers. What are you going to do with this information? What assurance do I have that this will only be used for authentication? While James Lewis of the Center for Strategic and International Studies writes these concerns off as "nervous dystopian projections" and "irrational" (ouch!), the comments show a very different perception of this development in technology.
3. Impact on Customer Experience
The number one concern for Fraud Analysts is "Catching and Stopping Fraud." However, "Limiting False Positives" and "Ensuring a Seamless Customer Experience" finish a close second and third. Biometric Authentication can have serious impacts on both of those exceedingly important CX metrics. Will MasterCard spring for me to become better looking if my face is consistently judged not to be my actual face? Voice biometrics necessitate 15-30 seconds of analysis at the time of connection on a call - increasing average handle time and also increasing customer frustration at the outset. Biometric authentication also requires certain technologies that can serve as a barrier to entry for customers who may not be able to purchase smartphones. Are banks going to be in the business of only offering security to those who can afford it?
So What Now?
While the debate in the Times cast a significant amount of doubt on the viability of Biometric Authentication as the sole solution for banks, we should refrain from throwing out the baby with the bathwater. Biometric Authentication is an enormously promising development in the world of security, but it is a mistake to view this development as a panacea, or a reliable sole method for thwarting fraudsters. Banks who are looking to increase first-stage fraud prevention at the payment and call center level would be wise to combine known fraudster block lists, Biometric Authentication, and carrier and transaction level metadata to best defend against nefarious attacks and protect their customers' assets...and peace of mind.
By: Tim Prugar