As more and more services go digital, authentication has become a crucial concern for securing transactions (payments, subscriptions, etc.) and access (to homes, offices, IT systems and more). Biometrics has emerged as a particularly effective solution, since it uses characteristics that cannot be forged and are unique to each individual, such as fingerprints.
Although it can be difficult to implement these systems, the banking world is taking a strong interest in biometric authentication technologies.
The human body: where security applications abound
New biometric authentication technologies are released on a regular basis. From Iris recognition to face and handprint recognition, voice analysis, handwriting or keystroke dynamics and, even more strikingly, heartbeat scanning, many different physiological and behavioral characteristics can be used to reliably identify individuals by recording and storing any of these unique human characteristics.
For users, these technologies constitute an ideal alternative to using secret codes or passwords, which can quickly multiply and become difficult to memorize for many people.
Biometrics is currently being used across a variety of different applications, and available to the general public, serving simultaneously as a validation code, ID card and super access key.
Smartphones and PCs are now protected with fingerprint scanners. Biometric recognition is also integrated into Windows 10, via Windows Hello. To take advantage of the feature, all you need is a fingerprint scanner, or a camera for iris recognition.
In Sweden, facial recognition tools are used to validate payments at a major retailer. Elsewhere, heartbeat analytics have recently been tried out in Canada to validate payments by credit card and identity checks using iris recognition are currently in testing phase at the Port of Cherbourg customs office and Charles de Gaulle Airport, near Paris.
Obstacles to overcome
Before rolling out this technology on a wider scale, several technical challenges must first be overcome. Most important is learning how to “code” and store the characteristics of an individual while also developing an adapted and reliable scanner that will not break down over time.
Certain legal and regulatory obstacles have also slowed the development of biometrics. Specifically, the main problem is the absence of any clear legal framework. The CNIL, a French regulatory body, has stated that it sees biometric identification falling under the purview of the “IT and Freedom of Information” law, along with non-biometric details like a person’s name and address. This means that data protection law would govern the collection and storage of biometric information – to constitute a biometric database, organizations would need to respect principles of finality and proportionality.
Furthermore, the CNIL has stated its preference for biometric data sources that are not used by law enforcement. For example, it has approved a school cafeteria access control system that works with user handprints, but it has issued an unfavorable opinion of a similar system that uses fingerprints.
When it comes to security, biometrics cannot solve every problem. First of all, for passwords, fingerprints and iris characteristics alike, the goal is always to make sure pirate and hackers cannot access the data. In fact, not only is it possible to extract passwords, in some cases it is also possible to produce a fake iris or fake fingers.
Protecting the confidentiality of stored data will remain a crucial challenge to prevent pirates from accessing the data they need to make counterfeit biometrics. Biometric data storage must remain secure, both when it is performed locally (in a mobile phone or computer to protect access and use) and especially when it is centralized (in a database).
Synthetic devices that copy human characteristics
Researchers from the Biometric Recognition Group at the Autonomous University of Madrid have developed an algorithm capable of producing a fake iris using data about the characteristics of the real eye that are coded and stored in recognition systems. The algorithm can already trick security systems in 80% of cases.
Similarly, it is theoretically possible to create a “forged” finger using a thin sheet of silicon to reproduce a person’s fingerprint. These fakes can fool scanners into recognizing the finger as human (identical body temperature, heartbeat simulation, same conductivity as skin, etc.).
Though the cost remains extremely high, producing these systems is technically possible.
Ideal technologies for banking
Finally, another obstacle to using biometrics is reluctance on the part of users who prefer systems based on handprints or iris scans, instead of fingerprints or DNA, which can fall into the wrong hands. In addition, users more readily adopt systems that protect access to personal devices (PCs, tablets, smartphones, cars), rather than to public spaces or services, which would require “databasing” all potential users.
Despite this, biometric authentication is currently a reliable process – the technologies that can circumvent it are still in research labs – that offers particularly interesting applications in banking. Whether that be validating payments by card, granting access at ATMs or performing remote transactions, biometrics can provide secure and reliable authentication.
Biometrics guarantees the identity of the person performing each action. In this way, it provides a solution to credit card fraud, phishing and identity theft. It also has its limitations, with customers unable to lend biometric credit or debit card to spouses or children – which some will likely see as an advantage!
BNP Paribas tests biometric authentication
BNP Paribas has teamed up with Banque Accord, Crédit Agricole and Crédit Mutuel Arkéa to test a payment system based on Natural Security fingerprint authentication technology.
In the future, the goal is to offer payment systems that function through biometric scanners on mobile phones and through fingerprints.
Integrating this system tackles several objectives providing easier and more secure payments, while preserving the pivotal role of banks as a trusted third-party to transactions.
The Group believes that biometrics will become a standard practice on the mass market within the next five years.
However, the use of biometric authentication is still under debate within the CNIL. Today, the challenge is to demonstrate that personal data are sufficiently protected, that individual rights will be respected and that the system provides ample security.