Biometric authentication has gone from zero to mass consumer adoption in a very short space of time. My own forecast for the adoption of mobile biometric authentication for financial services suggests that over 120 million people used biometrics on their phones to access bank services and to initiate payments during 2015. We are only at the start of the adoption curve and much of this initial wave has been dominated by mobile device manufacturers who have integrated biometric sensors (largely fingerprint) into their smart mobile devices. However, there are limitations in this device-centric biometric authentication model.
The First Wave of Biometric Authentication
The financial services sector has been at the vanguard of biometric authentication adoption. Biometrics have spread across almost all of the financial services industry, with the smartphone as the biometric authenticator of choice to support consumer authentication in an omni-channel financial services strategy. From allowing customers to log in to their mobile banking apps to verifying identity for mobile payments, mobile-based fingerprint recognition is quickly becoming the new authentication standard. Banks and payment services providers are able to leverage device-based biometric authentication by deploying simple-to-use APIs that have been created by the likes of Apple, Samsung, and Google.
These APIs have allowed financial institutions to leverage the built-in biometric authentication capabilities of millions of smartphones and provide a convenient alternative to passwords and clunky one-time password generators. In what I call biometric authentication 1.0, this model has created a seismic shift in the attitudes of financial institutions that have previously considered biometrics difficult to deploy and inaccurate. Firms now appreciate how biometrics is the perfect solution to reduce friction and to improve the authentication user experience.
But this one-size-fits-all approach to biometrics currently available via Touch ID and Android is not appropriate for all applications, especially those that require a higher level of assurance. A financial institution doesn’t own or control the biometric system, and credentials aren’t always available on every smartphone. This is proving to be a stumbling block for enabling biometrics to be used more extensively.
The Need for Biometric Authentication 2.0
There is a pressing need for mobile biometric authentication solutions that service providers and financial institutions can own and control without relying on device-based systems that are fragmented between different devices and mobile platforms. A bank will often use Touch ID to allow its customers to gain access to information-only services such as balance enquiry, but this doesn’t provide the level of assurance needed for higher-risk transactions.
A lack of a more robust and secure mobile biometric authentication platform is also restricting adoption in other sectors, especially those that are heavily regulated like government or healthcare. These sectors cannot rely on an authentication technology that has proven to be easy to spoof, despite the temptation to leverage something that is so readily available.
Building on the success and user experience advantages of services such as Touch ID, Biometric Authentication 2.0 has to meet the needs of a robust and agile biometric authentication strategy that supports enterprise-grade identity and access management features, while meeting strict industry regulation.
Such a platform must also provide a complete end-to-end authentication and identity management solution that allows service providers to manage their customers’ and employees’ biometric credentials without having to rely on a third party to collect and manage them.
I believe that there are positive signs that Biometric Authentication 2.0 is fast becoming a reality, enabling organizations to roll out new digital services that support robust and convenient user authentication. Industry standards, such as the IEEE 2410 Biometrics Open Protocol Standard, provide a common biometric authentication framework that is user-centric and robust enough to meet the rigorous demands of today’s heavily regulated organizations.