October 9, 2015 -
In a recent blog post, EyeVerify CEO and founder Toby Rush proposes that the biometrics industry needs to define standards around Payment Grade biometrics to determine the strength of a given biometric solution.
“Payment grade is an effort to help financial institutions gain confidence and move towards biometrics faster,” Rush writes. “As they begin to engage the biometric world, many financial institutions don’t have the bandwidth, depth or resources to thoroughly investigate how every biometric technology works.”
Rush explains that this lack of resources causes to a sense of uncertainty among financial companies because there is no consistent set of requirements for a biometric solution.
A Payment Grade would provide a set of industry-defined standards that measure biometric requirements, which will instill greater confidence in financial institutions and other industry players and help them to transition to biometrics faster, said Rush.
Rush outlines what he considers the three primary cornerstones that the payment industry needs to consider when assessing different biometric solutions: accuracy, liveness and privacy.
In terms of accuracy in biometric authentication for mobile payments, Rush explains that there is no definite consensus on what is considered “good enough”.
However, establishing a Payment Grade accuracy requirement would ultimately help banks and other payment players eliminate an extra layer of uncertainty.
Rush proposes a 1 in 50,000 False Accept Rate (FAR) as a requirement since Apple and several large OEMs have previously stated this FAR as a requirement for biometrics in their own devices or applications.
The liveness cornerstone, which prevents spoofing, is more difficult to standardize as there are currently no metrics for liveness or standards for how to assess it, writes Rush.
Liveness needs to be specific to each of the three primary sensors for mobile biometrics — the microphone (voice), the camera (face and eye), and the fingerprint sensor.
Rush proposes that a series of tests should be set up with users to determine how successful the technology is at blocking specific threats, such as whether it is possible for the solution to authenticate using an image of a face or a voice recording found online.
In terms of the privacy cornerstone, Rush said three essential questions must be answered: “Is the biometric revocable, do you store it locally or on the server, and if you do store it on the device – do you ever unencrypt the template, and do you have a method to calculate a high entropy key?”
Rush concludes by stressing the need for an equivalent to the VeriSign logo in the early days of ecommerce, which would serve as a trustworthy indicator for financial institutions in assessing biometric technologies.
To create such a Payment Grade mark, key industry stakeholders (banks, payment networks and device manufacturers) could develop specifics for standards, which could then be validated through various tests by third party groups, said Rush.