Online banking fraud is showing no signs of slowing down. In 2017, just typing ‘online banking fraud’ in a search engine returns at least five unique news articles for the previous month! Passwords have proven to be an unreliable form of authentication. Through cell phone number cloning, fraudsters can even circumvent two-factor authentication using One Time Password (OTP) over SMS for transactions. Identity fraud and theft alone accounted for $16 billion in 2016, with stolen login information being used to access customer accounts rising to 31% over 2015.

Both clients and banks need an easy, secure, fast and convenient way to ensure the security of transactions as passwords are not reliable or secure in practice (see inset – Passwords not secure!). Using biometrics addresses this problem, as it is now both cost effective to deploy as well as widely accepted by customers. The driving factor for adoption of biometrics in banking transactions is that it shortens authentication times across both channels and devices.

Passwords not secure!

Bank customers limit effectiveness of passwords as they:

• choose weak passwords
• reuse passwords
• forget passwords
• write them down

Types of biometrics

Biometrics is the science of recognizing an individual based on their inherent traits.

Biometric authentication methods are primarily of two types – physical and behavioral.

Physical biometrics typically need the user to actively do something for them to be captured.

• Fingerprint
  
• Face scan
  
• Voiceprint
  
• Iris scan
  
• Palm
  
• Heartbeat
  
• Gait
  

Behavioral biometrics, which have become increasingly accurate, are passive and seamlessly collecting information about the user. They are used to create an environment of continuous authentication.

• Keystroke
  
• Mouse movement
  
• Device usage
  
• Location
  
• Navigation
  

While an individual biometric method may be hacked or circumvented, using a combination of them will ensure a high confidence level that the user is being identified correctly.

However, providing numerous biometric authentication methods across devices, banking channels and user types will quickly become unmanageable, if done in silos. This is where creating an Authentication Hub is critical. A Hub has standards-based authentication-a plug-n-play platform supporting best-of-breed solutions that empower the bank’s customers through the device, authentication method and channel of their choice.

1. User enters username and requests authentication
   
2. Request sent to bank application
   
3. Bank application sends request to authentication hub
   
4. Authentication hub sends request with authentication challenge
   
5. User provides requested biometric (fingerprint, voiceprint, selfie, iris scan,etc.)
   
6. Authenticator verifies user and signs authentication response signed by user’s private key
   
7. Authentication hub validates response using user’s public key and sends result to bank application
   
8. Bank application permits user to execute transaction (login, fund transfer, change in information,etc.) if authentication is positive
   

Comparison of biometric authentication approaches

Our recommendations for biometrics in banking 

Do’s

• Disclose to customers the details of the capture and usage of their biometric information (it is mandatory in some jurisdictions)
• Offer multiple methods of biometric authentication. This allows the customer to use the right method for the circumstance/situation
• Handle biometric data (if stored in bank or third party servers) with the same rigor and privacy norms as other personally identifiable information (PII)
• Re-use biometric authentication methods across channels. For example, other channels can still leverage physical biometrics by issuing a challenge/response authentication request through the bank’s mobile app
• Use a stringent process for identity proofing and verification of customers during onboarding of their biometrics
• Inform the client out-of-band or through another channel when their biometric information is captured (similar policy to when PII is captured or changed)
• Use a national biometric database (where available) to verify customer identity through their biometrics
• Use multi-modal biometric authentication methods to increase the confidence of user identity
• Move towards continuous authentication by leveraging behavioral biometrics 
•  Start small, and gradually increase the coverage of biometric authentication. For example, employees first, limited customer/geographical segments next and then a complete roll-out when teething issues have been sorted out
• Use a plug-and-play authentication hub that can be used with multiple biometric authenticators
• Choose vendors and service integrators that provide high quality, transparent, flexible and scalable solutions
• Closely follow W3C Web Authentication Group activities and monitor the status of acceptance of FIDO 2.0 (Fast Identity Online) specifications as standard. Choose biometric vendors that are part of the FIDO Alliance and evaluate solutions that comply with FIDO 2.0 specifications
• Introduction of biometric authentication is a large change program and user onboarding, device management, policies, user self-service, etc. need to be explored in detail
• Service design, including mapping out customer experience journeys, user personas, digital architecture, system and third-party integration needs to be looked at from a strategic perspective

Don’ts

• Offer only password or OTP based authentication methods
• Do not rely on biometric information captured by a third-party. E.g., a shared handheld device might have biometric data registered from more than one person for same ‘ID’
• Provide limited number of methods or device/manufacturer specific methods
• Have channel specific biometric authentication methods

Conclusion

While biometric authentication can dramatically improve convenience and security for banking customers, banks need to be careful when devising their strategy for the implementation.

Our experience in implementing biometric authentication projects in banks and our banking-digital-channel transformation expertise has strengthened our view that a holistic approach that leverages strategic digital design and factors-in a dedicated security and risk solution is essential while banks embark on their journey of introducing biometric authentication for their digital channels

References

• 2017 Identity Fraud Study – Javelin Strategy and Research
• Biometrics: The time has come – Ben Knieff, Aite Group LLC.

Suvendu Chand, Practice Head for Wipro’s Digital Banking and Channels business - With over 15 years of diverse global experience and expertise in digital transformation, Suvendu has led multiple large scale digital banking consulting initiatives in North America, Europe, APAC and the Middle East. For more information, kindly write to Suvendu Chand on suvendu.chand1@wipro.com

Anoop Varughese Mathew, Managing Consultant with Wipro’s Digital Banking and Channels business - Anoop has worked with Tier 1 banks in APAC, India and the Middle East and has over 20 years of experience in delivering business solutions, primarily in Digital Channels.

He can be reached at anoop.mathew1@wipro.com