Mastercard and Oxford University unveil framework for mobile biometric banking
Despite a strong consensus among consumers and banks that biometrics should replace passwords for access to financial accounts, knowledge gaps are slowing the transition, according to the report “Mobile Biometrics in Financial Services: A Five Factor Framework,” released Tuesday by researchers from Oxford University and Mastercard.
Since 93 percent of consumers prefer biometrics to passwords, according to researchers, and 92 percent of banks want to adopt biometric technology, its adoption should be advancing rapidly. Only 13 percent have deployed biometrics, and only 36 percent of the involved decision-makers say they have adequate experience to tackle the situation, however, and this shortfall motivated Oxford and Mastercard to release a “Five Factor Framework” for mobile biometrics.
The five factors are performance, usability, interoperability, security, and privacy. The criteria for performance is that the technology be frictionless, yet secured by a biometric with low algorithmic error rates and device ID as a second factor, and the usability criteria includes the security and lack of friction be understandable to “technophobes.” The interoperability criteria refer to future-proofing across devices, use cases and biometric methods, including face, iris, and voice. Mobile biometric systems must include defenses against specific threats, such as zero-effort attacks in which the attacker attempts to use their own biometrics to claim the victim’s identity, presentation attacks or spoofing, scalable malware attacks, and false enrollments, according to the security criteria. Privacy must be assured by means such as template protection, as outlined in ISO standards, or on-device keys, as in FIDO UAF and BOPS.
“There has been a lot of conflicting guidance about mobile biometrics coming from technology providers, industry influencers and the media,” Mastercard Executive Vice President for Identity Solutions Bob Reany told Biometric Update in an email. “We believe the potential of mobile biometrics in financial services is tremendous and will help us as an industry seamlessly blend optimal security with optimal customer experience, a critical win that has revolutionized other industries, like travel and media. That said, adoption is not without its challenges, and we need to proceed in a way that empowers banks to proceed confidently. That is why Mastercard and Oxford developed the Five Factor Framework, to cut through the noise and make sure banks focus on performance, usability, interoperability, security and privacy. Today, performance—or ensuring that the user experience is good with low false decline rates and high security—gets the most attention, but the research points to a need for equal focus. Solution providers can use this framework to help advise their customers on the technology, keeping in mind all the factors necessary for a successful deployment.”
Reputational damage is the primary concern among banks (75 percent) adopting biometric verification, followed by data leaks (72 percent). Opus Research notes the increased attractiveness of end devices and client applications to attackers from mobile banking apps and distributed biometric processing, and suggests malware and rooting detection capabilities are essential to any such system. Mobile app development which includes “code obfuscation, runtime measures, white-box crypto, and attack-aware security” is also important, according to Opus’ whitepaper on the Five Factor Framework, “Guidelines for Deploying Mobile Biometrics in Financial Services.”
The research from Oxford and Mastercard also reveals significant differences in perception between financial industry professionals with different levels of experience with biometrics, and from the technical and business sides of companies. Almost all inexperienced individuals (96 percent) believe biometrics will make mobile banking and payments more secure, compared to only 61 percent of those with biometrics experience. Those on the business side are much less likely to view a second factor as necessary, 35 to 67 percent, and to view phone theft as a serious threat, 37 to 76 percent.
Reany notes that mobile banking apps with biometric verification are already out there. “However,” he says, “deployments across the world have conflicting experiences and designs. What we set out to do with Oxford is give decision-makers the confidence to start moving forward by equipping them with knowledge and a common set of guidelines to successfully bring mobile biometrics to life.”
Researchers found that consumer perceptions of fingerprint and facial biometrics improved over the course of completing a three-month trial with them. While most consumers had positive or very positive attitudes towards using their fingerprints at the beginning of the trial period, the number of consumers with neutral attitudes declined from roughly ten percent to roughly three percent. A significant number of consumers converted from neutral to positive attitudes toward facial biometrics during the trial as well, though in contrast with fingerprints, roughly five percent retained negative attitudes towards it.
Asked about the biometric security capabilities of mobile devices currently on the market, Reany says that a holistic, multi-layer approach is necessary to provide convenience and security for financial accounts.
“In terms of widespread adoption, we are at an exciting crossroad where strong consumer demand is aligned with industry desire to respond and the technology is there, so the challenge now is how to execute.”
Earlier this week South Korea’s Internet & Security Agency announced it is developing a biometric authentication system for mobile banking.
The Mobile Biometrics in Financial Services: A Five Factor Framework report is available through Oxford University (PDF).