23rd February 2019 | Mansfield Thomas | Head of Security and Fraud Prevention

Biometrics in Banking: A Hard Look into Iris Scanners and other Authentication Technology

With cybercrime on the rise and corporate data breaches occurring on a near-daily basis, financial institutions around the globe are looking for new and more secure ways of safeguarding their systems and their data. Biometric authentication offers the solution that more and more industries are turning to thanks to the unique passwords stored within our DNA. 

The Problem with Passwords

Passwords have been used as a method of individual authentication since ancient times, and in computing since 1961, with the development of the Compatible Time-Sharing System (CTSS) operating system by the Massachusetts Institute of Technology (MIT) [1]. Since then, technology has developed to the point where individuals must use multiple usernames and passwords (user credentials) to keep their accounts safe across a wide variety of platforms, including everything from social media to online banking. In modern times, however, the security technology behind user credentials is not without its pitfalls.

Firstly, user credentials can be used by any individual with knowledge of them, regardless of whether the user is the actual owner of the account and, unfortunately, there exist a wide variety of methods by which user credentials can be compromised. From users simply writing down their login credentials on a scrap of paper and leaving it unsecured or even losing it, to phishing attacks and keylogging malware delivered via network vectors, it is becoming more and more difficult to keep user credentials secure while limiting availability to only the appropriate persons. 

Additionally, depending on the platform, users are forced to create account passwords that meet a minimum character length, incorporate uppercase and lowercase letters, numbers, and symbols, and may even require changing at regular short intervals. These password formats and rules are necessary to help secure the user’s accounts against cyber attacks such as brute force and dictionary attacks [2]; however, when coupled with the large number of accounts the average user possesses, they have the potential to create lapses in security. In a 2016 study conducted by Intel, the average user had 27 sets of user credentials for accounts ranging from emails, online shopping, and social media, to accounts used for their work or business purposes [3]. Unfortunately, this commonly results in users creating passwords which fulfil the requirements, but which are either easy to guess or difficult to remember. This frustration with password security practices can also lead users into the bad habit of utilizing the same password across multiple accounts, which places all the accounts at risk should just one of them become compromised [4].

Finally, with IBM’s unveiling of their Q System One, the world’s first commercially-available quantum computer [5], on the 8th of January this year, certain security and encryption technologies will soon become obsolete as quantum computing technology propagates across the globe. Quantum algorithms such as Shor’s Algorithm now move into the realm of possibility as the computational hardware required to run them becomes reality [6]. Common cryptographic systems that rely on prime factorization, such as RSA keys used in Secure Sockets Layer (SSL) and the newer Transport Layer Security (TLS) protocols, now become open to compromise [7]. While there currently exist encryption and multi-factor authentication (MFA) technologies that have been developed, in part, to protect user credentials and mitigate this risk, there also exists a completely separate solution which is incredibly easy to use and provides a high level of individual authentication.

Biometrics Technologies

The study of human biological characteristics and even the use of our individual characteristics as a means of authentication is not a new technology. Fingerprints were used as signatures on clay tablets in ancient Babylon from as early as 500 B.C. In early China, merchants used inked fingerprints as proof of agreement on business transactions and to identify their children [8]. More recently, as technology has grown to facilitate its ease-of-use, biometrics have been used in a wide variety of applications from law enforcement to data protection, and even banking. From facial recognition scanners found in airports and other ports of entry, to the iris recognition technology now used in modern smartphones, biometric authentication is rapidly spreading to multiple industries.

With modern Android and iOS devices employing more and more biometrics security features over time, mobile application developers have been racing to integrate these features with their applications. Motorola’s launch of the Atrix model smartphone in 2011 was the first time a mobile device integrated fingerprint scanning technology [9], and while it was a bit buggy, it proved that a smartphone could be secured in a manner not requiring a PIN, password, or swipe pattern to unlock the device. Since then, the technology has improved and nearly all modern smartphones include a fingerprint reader as a feature. Google and Apple, the developers of the Android and iOS mobile operating systems, have added fingerprint support as part of their operating systems’ platforms since 2015 [10] and 2013 [11] respectively and, as a result, many mobile device applications now use fingerprints for a variety of authorizations such as user logins or payments.

In addition to fingerprint readers, subdermal vein recognition technology is rapidly catching on due to its simplicity and high security. Much like with fingerprint biometrics, all the user has to do is place a finger on the device’s scanner; however, instead of scanning the ridges and whorls of the user’s fingerprint, near-infrared LEDs shine light through the finger, which is picked up on the other side by a monochrome charge-coupled device (CCD) camera. The haemoglobin in the user’s finger veins absorbs the light and displays as a dark vascular pattern unique to the user and detectable only to the device’s camera [12]. Due to the subdermal nature of our veins, this is a more secure technique: unlike fingerprints, which can be left on public surfaces, or retinal patterns, which are publicly displayed and more easily captured with high-powered telephoto equipment, the vein pattern is not easily compromised as it is not visible without digital augmentation [13]. Already we are seeing banks in Europe and abroad begin to implement this technology, with Poland’s Bank BPH being one of the first to adopt it within the EU [14]. Vein recognition technology, however, is not restricted to our fingertips. As of last year, Apple Inc. was granted a US patent for an infrared vein recognition system which can map out subdermal facial veins, thus making user authentication as simple as facing the mobile device equipped with this feature [15].

Another recent development in the integration of biometrics security in mobile devices includes facial recognition and eye scanning technologies. During the unveiling of Apple’s iPhone X in 2017, Apple’s “Face ID” technology was showcased as a new method for mobile devices to authenticate users and allow access to devices as well as Face ID-enabled applications. The Face ID facial recognition system works by projecting a pattern of more than 30,000 infrared dots onto the device user’s face and then using an infrared camera to read the pattern and create a facial map of the user, which allows the device to recognize the user from different angles or in various levels of lighting [16]. Similar systems such as Samsung’s Intelligent Scan utilize a combination of facial scanning systems along with iris recognition to provide a form of biometric multifactor authentication. The human iris, much like the fingerprint, is something unique to all individuals, with the incidence of two people having the same iris pattern being 1 in 10^78. Additionally, our irises also offer more than 200 points of reference, which is more than three times that of our fingerprints [17]. Iris recognition is achieved by scanning the boundaries of the pupil and the iris, and then recording the pattern coloration and position of colours, which is then encoded via a phase demodulation process and stored for future user authentication [18].
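The phase-demodulation encoding and template comparison described above can be sketched as follows. This is an added example, not code from the article or from any vendor: it follows the phase-quadrant quantisation and masked Hamming-distance comparison described in the Daugman paper cited as [18], and it assumes random complex numbers in place of real filter responses and an illustrative decision threshold of 0.32.

```python
import random

THRESHOLD = 0.32  # illustrative decision criterion (assumption of this example)

def phase_bits(coeffs):
    """Quantise each complex filter response to its phase quadrant: 2 bits."""
    bits = []
    for z in coeffs:
        bits += [int(z.real >= 0), int(z.imag >= 0)]
    return bits

def hamming(code_a, mask_a, code_b, mask_b):
    """Fraction of disagreeing bits, counted only where both masks are 1."""
    valid = [ma & mb for ma, mb in zip(mask_a, mask_b)]
    if not any(valid):
        raise ValueError("no bits valid in both templates")
    diff = sum((a ^ b) & v for a, b, v in zip(code_a, code_b, valid))
    return diff / sum(valid)

def rotate(bits, symbols):
    """Cyclically shift by whole 2-bit symbols (one symbol per coefficient)."""
    k = (2 * symbols) % len(bits)
    return bits[-k:] + bits[:-k]

def match(probe, probe_mask, enrolled, enrolled_mask, max_shift=4):
    """Best distance over small rotations, to tolerate head or camera tilt."""
    return min(
        hamming(rotate(probe, s), rotate(probe_mask, s), enrolled, enrolled_mask)
        for s in range(-max_shift, max_shift + 1)
    )

def demo(seed=7, n=256):
    """Constructed data: random complex 'filter responses', not real iris images."""
    rng = random.Random(seed)
    def eye():
        return [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(n)]
    enrolled_eye, other_eye = eye(), eye()
    # Same eye re-captured: sensor noise, a 2-symbol rotation, eyelid over 32 symbols
    noisy = [z + complex(rng.gauss(0, 0.2), rng.gauss(0, 0.2)) for z in enrolled_eye]
    probe = rotate(phase_bits(noisy), 2)
    probe_mask = rotate([0] * 64 + [1] * (2 * n - 64), 2)
    full = [1] * (2 * n)
    genuine = match(probe, probe_mask, phase_bits(enrolled_eye), full)
    impostor = match(phase_bits(other_eye), full, phase_bits(enrolled_eye), full)
    return genuine, impostor

if __name__ == "__main__":
    g, i = demo()
    print(f"genuine  HD={g:.3f} accept={g < THRESHOLD}")
    print(f"impostor HD={i:.3f} accept={i < THRESHOLD}")
```

The stored template is only the bit code and its mask, which is why a leaked template cannot be rotated or reissued the way a password hash can.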

Biometrics, however, are not just limited to our external physical features. Voiceprint biometrics technology is rapidly being integrated by modern financial institutions and used as a means of user authentication [19]. Human voices, much like fingerprints or iris patterns, are unique as a result of the differences in vocal-tract length, glottal-pulse rate, and the other bits of anatomy that make up our vocal systems [20]. With advances in biometrics technology, we are now able to take unique acoustic frequency spectrums and, through discretization, create a unique acoustic signal that can be processed and stored by computers for user authentication purposes [21]. Additionally, through analysis of a voiceprint signal, computers can determine if the user at the time of speaking is under stress or duress, which can offer an additional layer of security to voiceprint authentication [22].

So with all of these biometrics security technologies available, how can financial institutions, along with other industries, integrate them into their businesses for the betterment of their organisations and their clients?

Biometrics in Banking

As we have already seen, biometric security features are becoming standard on nearly all modern electronic devices such as smartphones and tablets and, when coupled with existing features such as front-facing cameras, offer a powerful solution to financial institutions looking to increase their user platform security.

For banks which offer video-onboarding as a method of opening an account, biometrics data in the forms of facial mapping data and voiceprints are collected for the purposes of helping to verify the client during the time of the application and user authentication afterwards. The video feed can be run through software filters and compared against scanned documents such as passports and national identity cards submitted by the applicant to accurately verify their identity from anywhere around the globe. Additionally, the voiceprint data obtained during the onboarding process can be used by the bank’s call centre to verify a client’s identity when they call instead of verification by answering secret questions which a client might not remember after long periods of inactivity. 

Modern banks have also realised the usefulness of biometrics in user authentication for their mobile device applications and many have begun integrating these technologies. Depending on the financial institution, users may have the option of logging into their banking application via their smartphone’s fingerprint scanner, through some form of facial recognition or iris scan, or even just by repeating a certain passphrase into the smartphone’s mic. Some financial institutions even implement two or more of these biometrics technologies as a form of dual-factor/multifactor authentication (2FA/MFA), which is a vast improvement over previous user credentialing methods requiring username and password memorisation. Depending on the security level of the application or set by the user, biometrics data might even be needed to authorise payments and other transactions carried out by the application, such as in the case of Samsung’s Pay app.

Financial institutions, alongside other industries, are also finding uses for biometrics technologies which are not solely applied on the client’s end of banking. Many banks now use forms of access control which integrate technologies such as fingerprint or palm scanners to gain entry to premises or offices containing sensitive data. Some banks take security even further, requiring biometrics scans to log into workstations or core-banking software, which is in part facilitated by hardware production giants such as Dell, Asus, and others which offer a variety of computer models with integrated fingerprint readers or other biometrics scanning technologies. These technologies, when combined with existing forms of access control such as RFID fobs, PIN input panels, PKI tokens, and other security technologies, form a nearly impenetrable multifactor authentication system which can be integrated into a security strategy to ensure the confidentiality, integrity, and availability of sensitive data to the appropriate persons, much for the betterment of the organisation and its clients.

The Future of Biometrics

With the proliferation of IoT devices integrating biometric readers, it is believed that in less than a generation the average person’s everyday carry (EDC) will take on a minimalistic approach. Instead of needing to carry around a ring of keys, we’ll be able to unlock our homes [23] and cars [24] with just a touch or a glance in the right direction. Instead of needing to carry a wallet full of debit and credit cards, we’ll need to merely press our thumbs against the scanner at the cash register or even glance at a scanner as we exit the shop and our accounts will automatically be debited [25]. When travelling, we won’t need passports or national identity cards as we’ll just be able to scan our physical features when checking in for a flight or boarding a train [26]. Biometrics technology will become so pervasive that what was once written as science fiction will soon become part of the daily routine of our lives [27].

The reverse side to these technological improvements, however, lies in the level of safeguarding our biometric data will require. Unlike user credentials, we are as yet unable to change our physical traits as easily as passwords. While modern biometrics authentication technologies have thus far shown their imperviousness to spoofing attempts or other means of “tricking” them, it remains a future possibility that should be given much consideration. Additionally, with new regulation on the processing and storing of personal data such as the EU’s GDPR, the question has arisen how biometric data should be handled due to its unchangeable nature [28]. Regardless of these considerations, however, biometrics technologies will continue to increase their pervasiveness in our daily lives.

References

[1] Walden, D. & Van Vleck, T. (2011). Compatible Time-Sharing System (1961-1973) Fiftieth Anniversary Commemorative Overview [White Paper].

[2] AuthAnvil. (2018). 3 Types of Password Security Attacks and How to Avoid Them.

[3] Jones, B. (2016). Intel hates passwords, even on World Password Day.

[4] Rutgers University. (2018). Forgetting of Passwords: Ecological Theory and Data [White Paper].

[5] Chan, R. (2019). IBM unveils the world’s first quantum computer that businesses can actually use to solve impossible problems.

[6] Chu, J. (2016). The beginning of the end for encryption schemes?

[7] Hui, J. (2018). QC – Cracking RSA with Shor’s Algorithm.

[8] Mayhew, S. (2012). History of Biometrics.

[9] Poulter, S. (2011). A gadget James Bond would be proud of: Motorola mobile is the first smartphone to operate using fingerprint recognition.

[10] Raphael, JR. (2015). Android 6.0, Marshmallow: The complete FAQ.

[11] Velazco, C. (2013). Apple’s Touch ID Is A 500ppi Fingerprint Sensor Built Into The iPhone 5S Home Button.

[12] Miura, N. (2013). United States Patent US8582831B2 Personal identification device and method [US Patent].

[13] FindBiometrics. (2016). Vein Recognition.

[14] Hudson, A. (2012). Hitachi Europe delivers finger vein biometric solution for Poland’s bank BPH.

[15] Burt, C. (2018). Apple patents infrared vein recognition system.

[16] Apple Inc. (2017). Face ID Security [White Paper].

[17] Wilson, T. (2005). How Biometrics Works.

[18] Daugman, J. (2004). How Iris Recognition Works [White Paper].

[19] Hansen, D. (2018). Voiceprint: A Security Game-Changer for Banks and Credit Unions of All Sizes.

[20] Mathias, S. & von Kreigstein, K. (2014). How do we recognise who is speaking? [White Paper].

[21] Aliyun. (2017). Voiceprint Recognition System – Not Just a Powerful Authentication Tool.

[22] Matsuo, N. et al. (2015). Technology to Detect Levels of Stress Based on Voice Information [White Paper].

[23] Thakkar, D. (2017). Top 5 Reasons to Adopt Fingerprint Based Home Security.

[24] Shibli, M. (2018). Nissan Concept Car Features Fingerprint Identification.

[25] Andolf-Orup, L. (2018). Fingerprint on the Pulse: The Biometric Payment News You Need to Know.

[26] Patterson, T. (2018). US airport opens first fully biometric terminal.

[27] Muller, I. (2018). What Does the Future of Biometrics Hold?

[28] Thakkar, D. (2018). What are Risks of Storing Biometric Data and Why Do We Need Laws to Protect It?