December 6, 2016 -
The tipping point for biometric authentication for mobile banking may have already arrived, EyeVerify CEO and founder Toby Rush says. Further, that position is not one of optimism, he says, but observation of financial institutions currently achieving their user experience and security goals with biometric implementations.
When it was acquired by Ant Financial in September, EyeVerify already had dozens of clients in production, and was moving more through the procoess.
The company announced last week that Poland-based Comarch will use its EyePrintID to verify end users for its financial services clients.
Interest in adopting a biometric authentication solution has been strong for a while, but in the financial industry, companies are now quickly moving beyond that.
“You got a lot of tire kickers, you get people who want to talk about it and want to learn,” Rush told Biometric Update in an interview. “Now we’re saying a fairly mass adoption of people doing both full pilots and full blown roll outs, and it’s happening on a much faster basis.”
Rollout times are compressing, as just a couple of years ago pilots commonly took six months, with completed roll-outs dragging on for years. Rush says increased confidence in the convenience and security of biometrics is one of the big reasons why. The technology that has stabilized, and deployments have been tested and become “tried-and-true.”
With EyeVerify adding more than a bank each month, on average, and over 50 current completed deployments, the company is gaining valuable experience and data. It’s brand recognition and reputation are also benefiting as it provides authentication for millions of users from its growing portfolio of clients.
“You’ve got a number of data points from really big companies like Wells Fargo, and Ant Financial, and AliPay, all the way down to small community banks, and seeing success across the board. That is boding well for the vast majority who have been looking, and looking at the leaders.”
The experience of those leaders has also revealed further challenges for biometrics providers. One of the things the company learned was the looming importance of liveness detection and spoofing prevention.
While spoofing has long been a theoretical concern for providers, it is now a growing practical problem with enormous potentially enormous consequences.
How fast is it growing? “We’ve seen the numbers,” Rush says. “There are a lot of people out there trying to spoof. It is not a small problem. It’s a surprisingly large problem.”
Rush is frustrated with some biometric authentication vendors downplaying the problem, or their role in it. He believes, however, that with an increase in articles and reports in the second half of 2016, the dangers are becoming as apparent to other companies as they are to EyeVerify.
“We were fortunate in that because we had some early deployments, we saw this issue a full year ago. We’ve made a significant effort, and had a significant portion of the R&D team really focussed on liveness and spoof detection for over 12 months, and it’s really paying off for us now. It’s a far more difficult problem than you might think.”
The consequences of failing to adequately address that problem are not necessarily confined to the cost of a succesful spoof, or even to the company it is carried out against.
“The public perception is, if they see a YouTube video of a system being easily spoofed, their confidence and comfort level goes way down.”
Traditionally, companies have attempted to detect liveness and prevent spoofing by asking the authenticating user to do something specific, like blink, or something more unusual and unnatural. This approach not only adds friction, Rush says, but does so without providing adequate protection against spoofing.
EyeVerify built the technology it uses for liveness detection and spoof prevention to satisfy two criteria; no active user cooperation, and a result in less than a second. “If we can maintain these two things, you’ve got a good user experience.”
Interest in biometric authentication in Asia has been particularly strong, Rush says, which Ant Fiancial responded to by acquiring EyeVerify. That interest has come from from the payments industry, more than banks, while the reverse is the case in North America.
In the coming year, EyeVerify is looking to work with AliPay and other portfolio companies, and leverage its new parent’s reach and name to continue its rapid expansion in Asia. The benefits of the deal should be increasingly obvious in 2017, as Rush says the company’s opportunities are now significantly different. “A small company in Kansas City trying to enter into India, or Indonesia, or Thailand on its own is very difficult.”
The company will also focus in the coming year on advocating for security beyond passords with the FIDO alliance, and pushing for wider understanding of biometrics spoofing.
All the while EyeVerify, with the help of Ant and AliPay’s troves of data being analyzed with machine learning and advanced neural networks, will be improving its selfie authentication technology.
“So much of this stuff is about getting that operational feedback to make your product better.”