All forms of biometric authentication are not created equal
This is a guest post by Enacomm CMO David Anderson.
Fingerprint scanning, facial recognition and voice biometrics are moving beyond the experimentation phase to broader implementation at financial institutions across the globe — but there’s one form of authentication that stands out from the crowd.
The graduation to next-generation identity verification has been made possible by the proliferation of smartphones with high-quality microphones and cameras that make the process easy. Thanks to advancements in technology, biometric authentication can be completed anytime, anywhere, in a matter of moments. But just as important as convenience is effectiveness.
Only select Android phones have fingerprint readers, and while newer iPhones offer iTouch, the technology was reportedly hacked the first day it was released … using Scotch brand tape to “steal and simulate” a fingerprint.
TouchID users also report that temperature, such as extremely cold weather, and humidity affect the accuracy of the readers and that hand creams, lotions, dirt and other contaminants cause false negatives, requiring them to make multiple authentication attempts.
Most touch scanners store just one fingerprint per user in the system and many record only three special points of a print. For the pros, making fingerprint dummies is relatively easy. Tsutomu Matsumoto, a security researcher at Yokohama National University, created a way to fool biometric scanners 80 percent of the time by taking a photograph of a fingerprint left on a wine glass, for example, and re-casting it in molded gelatin. Nine out of 10 fingerprint readers can even be tricked by manipulated Play-Doh from your local department store, as proven by hackers. What’s more, it’s possible for cyber-criminals to intercept fingerprint data from Internet-enabled biometric scanners as it’s sent to the computer server for processing.
Fingerprints are permanent identification markers, and unlike passwords, they can’t be changed. That’s a problem when they are so easily replicated. Until 3D fingerprinting becomes readily available, financial institutions should opt for more secure methods of authentication for significant transactions.
In recent years, facial recognition technology has greatly improved its accuracy and is nearing a 98 percent success rate. Discovered methods of deception, user error and the fact that facial scanning can be faulty in direct sunlight make up the two percent gap. Hackers have been able to reverse engineer the biometric information stored in (not-so-)secure databases to print photos that dupe most face scanners. Security researchers at companies like MasterCard and USAA believe blinking is the best way to prevent a fraudster from holding up a picture of the individual being impersonated to fool the system.
Facial recognition can also require advanced enrollment techniques using specialized cameras. When using photos from smartphones, accuracy is device dependent and may not provide a fast and easy way to authenticate. Many consumers report that it is difficult to use and requires “self-training” to make it work properly with a moving head and a moving phone. Customers may also feel awkward taking a “selfie” in public to authenticate.
By mapping the unique voiceprints of consumers and storing them in recorded-voice databases, organizations can use this form of biometric identification in perpetuity to ensure the caller on the line matches the biometric vocal print originally taken. Today, voice biometric technology is even being employed for eSignature, allowing clients to speak on the dotted line for phone and smart device transactions.
According to Opus Research, 41 percent of all voice biometrics installations across the globe are attributable to financial institutions. When voice biometric authentication is properly implemented, even voice recordings or “replays” cannot be used to gain unauthorized account access, as smart security systems can ask for words, numbers and phrases in random order. Recordings or even stolen voice prints are useless.
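The randomized prompt described above only resists replay if each prompt is unpredictable, short-lived and usable once. The sketch below is an added example, not code from the post or from any vendor; the constants, class and result strings are assumptions, and `transcript` and `speaker_score` stand in for the output of a speech recogniser and a voice-matching engine that are outside the example.

```python
import hmac
import secrets
import time

PROMPT_DIGITS = 6        # assumption: digits the caller is asked to speak
CHALLENGE_TTL = 30.0     # assumption: seconds a prompt stays valid
MATCH_THRESHOLD = 0.80   # assumption: minimum voiceprint similarity

class ChallengeStore:
    """Issues single-use random digit prompts and checks the spoken response."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # challenge id -> (user, digits, expiry time)

    def issue(self, user):
        # secrets (CSPRNG) keeps the next prompt unpredictable to a replayer.
        digits = "".join(secrets.choice("0123456789") for _ in range(PROMPT_DIGITS))
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (user, digits, self._clock() + CHALLENGE_TTL)
        return cid, digits

    def verify(self, cid, user, transcript, speaker_score):
        # pop() burns the challenge on the first attempt, pass or fail.
        entry = self._pending.pop(cid, None)
        if entry is None:
            return "unknown-or-reused-challenge"
        owner, digits, expires_at = entry
        if owner != user:
            return "wrong-user"
        if self._clock() > expires_at:
            return "expired"
        # Keep only ASCII digits from the recogniser output ("4 1 7 ..." etc.).
        spoken = "".join(ch for ch in transcript if ch in "0123456789")
        if not hmac.compare_digest(spoken, digits):
            return "wrong-phrase"    # a recording of an earlier session fails here
        if speaker_score < MATCH_THRESHOLD:
            return "voice-mismatch"
        return "accepted"
```

The phrase check runs before the voice score is consulted, so a recording of the genuine speaker saying a previous prompt is rejected even though its voiceprint similarity would be high.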
A voice print is a sophisticated model against which future voice utterances are compared, using complex algorithmic processing. There is no physical “voice” or sound recorded on the computer. One cannot reverse engineer a voice biometric template or print to create a spoken voice.
Sophisticated voice authentication technology can identify a customer’s voice in noisy environments, such as airports or industrial settings, by separating the background noise from the voiceprint in real-time. The method of authentication is even reliable if the user has a cold or is speaking in a muffled voice. Voice authentication works in every language and with every regional accent. If the voices don’t match, callers are asked further verification questions.
It’s widely touted that matching fingerprints, facial features, and voiceprints is more secure than PIN and password systems when it comes to identity verification, but this only holds true if the biometric authentication is implemented in a more secure way. Because there is no single, perfect solution, it is recommended that multiple verification methods be employed by financial institutions. Voice authentication should be one of those methods, because it’s convenient and natural to use, in addition to being more reliable than touch and face scanning with a 99.99 percent success rate. Even Thomas Jefferson would agree that all forms of biometric authentication are not created equal.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.