Biometric multifactor authentication (MFA)—the use of human physical attributes instead of passwords and personal identification numbers (PINs) to prove that people are who they say they are—is only one aspect of the rapidly growing and diversifying field of financial technology (FinTech). It is one of the most important aspects because of the need in the financial business to know exactly who is engaging in a transaction, entering a secure area of a building, or accessing a crucial database. All other aspects of FinTech depend on it. Here we will look at how banks and financial institutions are using both traditional and new biometric technology to provide a modern solution to a timeless problem.
MFA, based on the realization that more than one way is needed to prove identity or authority because signatures can be forged, is not a new concept. In widely separated cultures such as ancient Egypt and early China, archaeologists have found that fingerprints were used to prove an official’s or ruler’s authority to declare an edict or make a treaty. The use of large clay or wax seals on official documents, impressed with signet rings kept on a person’s finger, or large ceremonial devices kept in official custody, persisted into the medieval period and beyond. Ancient writings in the Hebrew Bible such as the story of Esther, read every year at the Jewish festival of Purim, refer to a ruler handing over custody of a signet ring to a subordinate to show that they had complete authority.
What Drives Financial Institutions’ Need for Biometrics?
Early use of computers by financial institutions required the use of passwords. PINs became common because numeric keypads were easier to install in early ATM devices than full keyboards and because they could be used on touch-tone telephones. But passwords and PINs are no longer trusted to be safe or useful. A password can be either a hindrance to the rightful owner—too easily forgotten or confused among accounts—or a convenience for a thief, who can obtain it by tricking the owner into revealing it through phishing or social engineering, by cracking it through high-speed, high-volume computer algorithms, or simply by guessing and exploiting laziness (unfortunately some people still need a reminder not to use “password”). Biometrics instead prove authenticity with something that the person cannot forget or leave behind and that is difficult or nearly impossible for someone else to have.
Progress in technology has led to many different biometric methods—not only progress in developing automated techniques for recognizing facial features, voices, and fingerprints but also “progress” in devising ways to fool them. (What people can invent, they can circumvent.) Because a static form of data can be spoofed (copied well enough to fool the sensing device), whether the data is a fingerprint or a facial image, a new emphasis has been placed on proving liveness when the data is presented.
Voice recognition is not completely immune to spoofing either. Spoken words can be recorded, but using voice recognition during a live conversation with a bank representative makes it more difficult to substitute a dead recording. Use of a person’s voice—sound frequencies and speech patterns—is now a popular form of MFA that banks use on their customer service phone lines.
Fingerprint recognition, which gained momentum among financial institutions for transactions from smartphones when Apple’s iPhones added Touch ID, is being replaced in mobile applications by facial recognition, again partly because Apple’s iPhones (beginning with version X) no longer have the Touch ID device. Facial recognition has its own technical shortcomings: poor lighting, complex backgrounds, and unpredictable changes in appearance such as haircuts, growing beards and mustaches, and changing eyebrow styles. Artificial intelligence (AI) and deepfake methods are becoming more adept at fooling liveness tests in facial recognition; thus, new detection methods and tests to prove reliability are constantly introduced.
Finger-vein and palm-vein scans use near-infrared light to cause red blood cells in the veins, which have delivered oxygen and are returning to the heart, to absorb heat and display the person’s unique vein pattern for scanner interpretation. Here again, this serves as a liveness test, counteracting the technique of lifting fingerprints that a person has left behind on a surface or object and using them to spoof the detector.
How Financial Institutions Use Biometrics
Banks and other institutions use biometric MFA in two main ways: to protect their customers and to protect themselves. Requiring biometrics to establish customer identity and permission to access an account, whether in person or through a telephone or ATM, keeps accounts secure and protects the customer from losing money. Using fingerprint scanners or finger-vein or palm-vein scanners to admit employees to the building or to grant them intranet access protects the bank from theft of its financial assets or its data. The repeated announcements of massive data breaches from various financial institutions show that this is a continual battle between legitimate and illegitimate ingenuity.
Especially in Asia (for example in Singapore and China), financial institutions are employing facial recognition to identify as well as to authenticate. Authentication occurs when an automated teller machine scans your face, converts it into binary information, and matches it to what is stored about you in a database, determining that you are authorized to withdraw from your account. Identification serves a more general purpose, such as a camera scanning faces of persons coming through a bank door and alerting the manager that the chief financial officer of XYZ Corporation has just arrived so that he or she can be warmly greeted as soon as possible. Facial recognition—and a good deal of AI software as well—is involved in both, but a mistake in identification may only interrupt the bank manager’s coffee break, while mistaken authentication could result in a substantial loss of assets for XYZ Corporation or the bank, or both.
Where will biometrics lead banks and other financial institutions in the future?
I have identified three main trends. Each will cause and be affected by conflicting influences: technological development, political and social policies, and legislative and judicial adaptation.
In the field of technology, competition and innovation drive the formation and expansion of new companies and developments that offer digitization of fingerprints, palm- or finger-vein scans that detect unique internal blood vessel patterns, facial recognition, and handwriting traits such as the speed of writing or the pen angle. These developments cause companies to emerge that specialize in tracking biometric start-ups.
However, political and social policies tend toward standardization and limiting the variety of biometric methods: if a company is operating in a region where the government favors fingerprints or iris (eye) scans for developing a national identification database, that company needs to have the right technology to interact with what is being offered. The most outstanding example of this is the 12-digit “Aadhaar” identification number that India is urging upon its residents. The goal of the Unique Identification Agency of India (UIDAI) is for every legal resident of India to have a personal number, basing authentication on a photograph, ten fingerprints, and two iris scans stored in its central database. When something is in use by more than 1.2 billion people, it cannot be ignored.
For now, this method affects mostly Indian firms and those operating in that country. If Indian residents and citizens resume the global emigration and travel that they practiced before the coronavirus lockdowns, they will increasingly expect major global banks to accept their Aadhaar identification when they need their funds from banks at home. This will mean banks will need to have the right equipment to send compatible data to the UIDAI facilities.
Clearly, the more extensively and efficiently a financial institution aims to serve both regional and global customers, the more it needs to offer methods of authentication that are convenient and effective for its customers. It will also need to meet such market forces as standardization and requirements to comply with regional, national, or even transnational legislation and regulation regarding what biometric data it may gather from its customers and how it may use that data.
FinTech use of biometric MFA is an ongoing effort to meet the demands of banking customers, from individuals to global enterprises, while keeping their assets and the assets of the bank itself safe from the never-ending illegitimate ingenuity of dishonest actors, whether acting in person or through the internet, or working independently or on behalf of governments or anti-government movements. When looking for a technological partner to introduce or enhance MFA, those in charge of a financial institution must consider not only that partner’s biometric scanning hardware or AI software but also the partner’s ability to take their firm in the right direction for the goals it wants to meet.