According to the new Visa Biometric Payments study, consumers across Europe are interested in using biometrics when making a payment – especially when integrated with other security measures. Nearly three-quarters see two-factor authentication, where a biometric is used in conjunction with a payment device, as a secure way to confirm an account holder.
Robert Capps, VP at NuData Security, an award-winning behavioural biometrics company, shared the following comments with @DFMag:
“This study proves that there is a strong desire on the part of consumers to have secure AND frictionless user experiences when interacting and transacting online. The desire, however, might not match up with the reality of the situation. Physical biometrics such as fingerprints, selfies and voice authentication are seen by some as the ‘holy grail’ in user authentication, but they aren’t foolproof, and there are other challenges that may block their widespread adoption in non-face-to-face interactions.
The fact that 53% of respondents see fingerprints as a viable security solution isn’t surprising, given that they are already part of the authentication lexicon, and solutions such as Apple’s Touch ID have given consumers a glimmer of the future of biometrics, while delivering an outstanding user experience. Such solutions have a central place in the overall security mix, part of a good multifaceted approach, but they are still static data points that can potentially be misused in the wrong hands. While not generally acknowledged by the general public, fingerprints can be spoofed and, unlike passwords, fingerprints last a lifetime. The lasting and permanent nature of fingerprint data may actually have more negative impacts than passwords, which can at least be changed.
Loss of fingerprint data is not just a theoretical concern, as several large breaches over the last couple of years have exposed fingerprint data en masse. Stolen data is often traded and consolidated into larger, more accurate consumer profiles that can be used for a number of nefarious purposes, from espionage to identity theft and financial fraud.
Selfies and voice biometrics also have contextual issues in that it may not always be appropriate to take a selfie or provide a voice sample to authorize an online transaction, particularly in a place where such activity may be frowned upon or disruptive (such as a meeting, on public transit, airports, or in a culturally sensitive place).
Beyond the social and cultural issues, there are concerns about how a move to physical biometrics may provide a false sense of security to consumers and institutions, given the wealth of physical biometric data that is shed by a person through their day-to-day life.
While liveness verification has become a standard in modern physical biometric verification systems, they are not without flaws that allow pre-recorded or captured biometric data to be replayed. Voice samples are recorded with every voicemail you record. Fingerprints are left behind on every object you touch. Your iris and facial data is recorded with every photo you pose for. Recent data breaches have also shown that high-fidelity physical biometric data can be stolen in bulk, just like credit card numbers and user credentials – effectively making these physical biometrics more static data that can be stolen and reused to impersonate you in non-face-to-face transactions.
The way forward is to balance the need for a frictionless customer experience and actual security that focuses on the use of non-static signals and indicators of human identity – signals that cannot be stolen, reused or replayed for impersonation.
Passive biometric solutions identify suspicious activity in a completely passive and non-intrusive way by understanding how a legitimate user truly behaves in contrast to a potential fraudster with legitimate information. So, even if the fraudster has your spoofed fingerprint, and all of your account information, organisations can look at your behavioural events, biometrics, device, geography and other layers to determine if you are the real actor behind the device or fingerprint.
Users can even be rewarded for good behaviour with a white-glove experience, or extra perks and incentives, giving bands and e-commerce companies the unheard-of potential to actually improve their brand experience with their security layer.”