The federal Office of Personnel Management (OPM) recently disclosed that the personal information compromised in last month’s data breach included 1.1 million fingerprints. That disclosure is cause for sober reflection on using biometrics to authenticate into secure systems such as online and mobile banking services.
The appeal of biometrics is compelling. They’re stronger than passwords, they’re unique to each user, they’re convenient, and they cannot be lost or forgotten. However, the range of biometric options is limited (fingerprints, retina scan, face recognition, voice print, heartbeat), they depend on users having the needed technology (such as fingerprint scanners on smartphones), and they can’t protect against romance scams or unauthorized activity by friends and family.
As financial institutions (FIs) debate adopting biometrics as a compelling replacement for simple, multi-factor, or knowledge-based authentication, this latest breach highlights very clearly that, despite its benefits, biometrics is insufficient on its own.
For biometrics to work for account authentication, an image of the user’s fingerprint (or retina or face) must be digitized and stored somewhere. Each subsequent access compares the current fingerprint against the stored image to validate that the user is indeed who he claims to be. And once a fingerprint is digitized and added to a database, it simply becomes part of that person’s personally identifiable information (PII), alongside a phone number, mother’s maiden name, and zip code. Furthermore, a fingerprint can never be modified. Perhaps the article in National Journal put it best: “unlike a Social Security number, address, or password, fingerprints cannot be changed—once they are hacked, they’re hacked for good.”
According to Goode Intelligence, over 1 billion people worldwide will be using biometrics to access financial accounts by 2017, and it will be the predominant authentication mechanism by 2020. If these institutions believe that all they have to do is replace multi-factor authentication (MFA) with biometrics and their accounts will be protected, we encourage them to rethink their strategy. The OPM data breach offers ample reason to believe that replacing MFA with biometrics simply amounts to swapping one vulnerable authentication mechanism for another.
Behavior, on the other hand, is just as unique as a fingerprint, but it is not a single, static piece of data that must be stored and that can therefore be compromised. Criminals may well hold richer, more detailed dossiers on FIs’ clients, but FIs hold far richer data on each account holder’s banking behavior than fraudsters ever will.
FIs can model each client’s unique behavioral patterns and then compare new activity, whether in online banking, mobile banking, debit card use, or various types of payments, against that model to detect anomalies that indicate possible account compromise or fraudulent transactions. The comparison is invisible to the account holder, so it requires no change to the user experience.
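To make the behavioral comparison concrete, here is an added example (not from the original post or any vendor product) of a per-account profile built from past transactions and used to score a new one. The history, the channel/hour/amount/payee features, and the scoring weights are all constructed assumptions for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed history for one account holder: (channel, hour_of_day, amount, payee).
# A real profile would be built from months of activity across every channel.
HISTORY = [
    ("mobile", 8, 42.10, "grocer"),   ("mobile", 9, 12.50, "coffee"),
    ("debit", 18, 65.00, "grocer"),   ("online", 20, 1200.00, "landlord"),
    ("debit", 12, 30.25, "fuel"),     ("mobile", 7, 15.00, "coffee"),
    ("debit", 19, 58.40, "grocer"),   ("online", 21, 1200.00, "landlord"),
]

def hour_window(hour):
    """Bucket the hour into four six-hour windows so 08:00 and 09:00 look alike."""
    return hour // 6

def build_profile(history):
    """Summarize an account holder's habits: which channels, when, to whom, how much."""
    amounts = [amt for _, _, amt, _ in history]
    return {
        "channel": Counter(ch for ch, _, _, _ in history),
        "window": Counter(hour_window(h) for _, h, _, _ in history),
        "payee": Counter(p for _, _, _, p in history),
        "amount_mean": mean(amounts),
        "amount_sd": pstdev(amounts) or 1.0,  # guard against a flat history
    }

def rarity(counter, value):
    """1.0 for a never-seen value, decaying toward 0 the more often it recurs."""
    return 1.0 / (1 + counter[value])

def assess(profile, event):
    """Return (score in [0, 1], human-readable reasons) for one new transaction."""
    channel, hour, amount, payee = event
    features = {"channel": channel, "window": hour_window(hour), "payee": payee}
    parts, reasons = [], []
    for name, value in features.items():
        parts.append(rarity(profile[name], value))
        if profile[name][value] == 0:
            reasons.append(f"new {name}: {value}")
    z = abs(amount - profile["amount_mean"]) / profile["amount_sd"]
    parts.append(min(z / 3.0, 1.0))  # saturate at three standard deviations
    if z > 3.0:
        reasons.append(f"amount {z:.1f} sd from this account's norm")
    return round(sum(parts) / len(parts), 3), reasons

def is_anomalous(profile, event, threshold=0.5):
    """Decision a fraud engine could take before releasing the transaction."""
    return assess(profile, event)[0] >= threshold

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for ev in [("mobile", 8, 14.00, "coffee"), ("online", 3, 2500.00, "crypto_exchange")]:
        print(ev, assess(profile, ev), is_anomalous(profile, ev))
```

The reasons list is what makes such a score actionable: an analyst sees that the flagged payment was made at an unusual hour, to a payee never seen before, for an amount far outside the account's norm, none of which requires anything from the account holder.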
Blending biometrics with behavior will provide a much higher level of confidence that individuals accessing accounts are indeed who they say they are, lowering fraud risk while also improving the user experience and decreasing friction.