Are European banks prepared to provide strong customer authentication (SCA)? How can biometrics be stored securely? What two-factor authentication methods do banks prefer to use to provide strong customer authentication? These are just a few of the questions we received after our webinar on PSD2 and how payment providers can provide strong customer authentication without impeding a customer’s ecommerce experience.
This blog answers some of the questions that attendees asked following the presentation from Alasdair Anderson, a banking industry consultant who previously worked for HSBC and Nordea, and James Stickland, Veridium’s CEO. And if you missed our webinar, be sure to listen to it on demand.
Is there research around which biometric is most secure and which biometric and platform organizations prefer to use? Face or fingerprint? SDK, API or a hardware solution?
James: There’s a huge amount of research being done by NIST and other organizations on the most secure biometrics. There’s no one single answer, which I know is a very political way of avoiding an exact answer. You need to take a systemic approach that lets you build the right biometric for the right audience or use case. Clearly, Veridium is a big purveyor of a multifactor authentication approach. If I were in a cinema and needed to make a payment, I’d probably not want to use facial recognition to approve the transaction because the phone’s flash could go off. I’d want to use a native biometric since it’s simple to use and unobtrusive. But if I wanted to approve a transaction for a million dollars on my phone, I would not want to use only Touch ID. I might want to use multiple forms of authentication to make sure that the transaction is secure. I know that’s an incredibly wild use case, but we are moving toward a world where everything is done on mobile and remotely executed and delivered. We need to ensure that we are building platforms that allow us that longevity and flexibility.
Faces versus fingers, Face ID versus Touch ID, clearly native biometrics have a huge advantage because they’re embedded in the device and written for the firmware and chipset. So obviously utilization of natively available biometrics and blending that with behavioral biometrics is another way to provide advanced security but not harm the user experience.
We’ve all heard about spoofing biometrics using methods like imagery and 3D printed masks. Obviously — and here’s a warning that a sales pitch is coming — we’re big purveyors of touchless biometrics like fingerprints. Why? There are fewer instances of fingerprints in the world today. There are pictures of my face on LinkedIn and Google, so trying to create an image of my face for spoofing purposes should be easier than trying to capture images of my fingerprints, which aren’t readily available. Having multiple layers of security — like using behavioral biometrics — makes spoofing more difficult.
In general, how prepared are European banks for providing SCA?
Alasdair: If you look at this from the perspective of compliance being a task to complete, most European banks are in a decent position to meet the SCA requirement. SCA isn’t like other regulations that have come down the pike and caused panic. But when you look at SCA from the perspective of whether it will enhance the customer experience, whether it is something that will become an asset to the organization, the number of banks that are prepared becomes much smaller. In terms of making SCA a customer enhancement that reduces the friction with ecommerce, I don’t think banks have really grasped that opportunity.
People in the banking community tell me that they are already using a multitude of vectors to identify a person: passwords, behavior, photos, native biometrics. They don’t see the need for an additional way to authenticate a person. What do you tell those people?
Alasdair: You’re seeing an evolution of the protections that the banks are putting in place and how they’re supporting their customers. We’re seeing an evolution from a roles-based model to a data-driven behavioral model. To that end, I think customers are going to be irritated where the new and old models meet and feel that they are being asked to identify themselves too often. I feel that as a consumer sometimes. You can almost predict when certain credit card providers are going to ask you to identify yourself to finish a transaction.
The other thing I see is that it will allow a better enhancement of customer intelligence. When I talked about regulatory programs that put people in a panic, the KYC [know your customer] programs over the last few years are a good example. It’s an example of how we as an industry have to get a better grasp of the information that goes to our institutions and how that relates to a customer. To that end, being able to authenticate a person with that degree of certainty and having the capability to share that across other functions in a bank, like making high value payments.
As an industry, we have to explain to customers that we are going through changes and hopefully we won’t inconvenience them too much. Generally, these changes are really well received by the customers when they understand the why behind them.
James: Behavior, which is a highly fashionable topic with regards to strong authentication measures, is highly valuable for preauthentication and good to use to increase the quality of the client experience. And we’re all working toward getting the 100 percent explicit authentication that behavior can potentially provide in the future.
Sales pitch warning: Veridium has a behavioral biometric feature that we are using to assist with liveness and other forms of explicit authentication so that we can combine an event. The challenge with behavioral capabilities is that they are not explicit. So while they are on the journey, and potentially we can get to the point when 100 percent or even 99-plus percent of authentication measures are delivered by using behavioral biometric capabilities, we’re still not there. But we are on a journey where behavior is a very important part of multifactor authentication or an underlying part of an explicit authentication measure.
However, if I want to move a lot of money, would I be super comfortable using behavior to make that transaction on my mobile phone? I might be happy, but the bank working with me may not be happy. The combination of being able to use an explicit measure (i.e. a face, a fingerprint, an iris) with a behavioral capability gives me that extra security and also enables me to create a good user experience and gives me relative risk-weighted access based on my behavior versus my explicit biometric authentication.
How can biometrics be stored securely? What happens if they’re exposed in a data breach?
James: There’s a big utilization now of biometrics in banking and applications. I guarantee that less than 50 percent of people have asked the institution they’re working with who is responsible for protecting their biometrics and where they’re being stored. So if I’m using my voice, well, your voice is being stored locally on your device. Your voice is being stored in the enterprise. It’s the same for a fingerprint or a picture of your face. Most people click through the terms and conditions of the applications they use very quickly and don’t read the sections on storage and utilization.
So if you’ve had your identity stolen in the last few years in the Equifax breach or the Aetna breach or any other breach in the last few years, what would happen if your biometrics were breached in the same fashion? It would be very hard for me as an institution to send an email apologizing and asking you to reset your face, fingerprints or iris. Once they’re gone, they’re gone. Obviously, we’re very sensitive to the fact that storage and localization or centralization is a big policy decision. We’ve seen other regulations around data, like GDPR, that are shining a light on the decisions that institutions need to make around storing data.
Veridium allows you to store your data in three ways. You could enroll an individual and store the data all locally in a secure enclave on an iOS device. You could store it centrally, like the U.S. federal government does, so when I pass through immigration and place my fingers on a scanner, my fingerprints are being matched against ones in a centralized U.S. government database.
The third way — apologies again for the sales pitch — is that Veridium feels there’s a better way to do storage and authentication by sharding the biometric template. It entails distributing portions of the template in multiple locations, making organizations hyper sensitive around securing biometrics without making them a custodian of the data. We can change how people use biometrics and are thinking about the strategy behind them. What I don’t want is a situation where millions of people have had their biometrics breached in the same way that their personal data has been.
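The answer above describes sharding a biometric template across multiple locations so that no single custodian holds it. Veridium's actual sharding scheme is not described on this page; the following is an added illustration, not the product's code, of the simplest construction with that property: an n-of-n XOR secret split, where any n-1 shards are uniformly random and independent of the template, so a breach of one store (or any single shard) reveals nothing, and verification rebuilds the template only transiently on the matcher. The 32-byte "template", the noisy probe and the impostor probe are constructed values, not biometric data, and the Hamming-distance threshold is an assumed stand-in for a real matcher.

```python
"""Added example: n-of-n XOR sharding of a biometric template.

Not Veridium's implementation. Demonstrates the property described in the
answer: each location holds a share that, on its own, is independent of
the template, and only the matcher ever sees the recombined template.
"""
import secrets
from typing import Callable, Dict, List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_template(template: bytes, n: int,
                   rng: Callable[[int], bytes] = secrets.token_bytes) -> List[bytes]:
    """Split `template` into n shards (n-of-n).

    Shards 0..n-2 are fresh uniform random strings; the last shard is the
    template XORed with all of them. Any n-1 shards are independent of the
    template, so a single breached store learns nothing. `rng` is
    injectable only so tests can be deterministic; use the default in practice.
    """
    if n < 2:
        raise ValueError("need at least two shards")
    shards = [rng(len(template)) for _ in range(n - 1)]
    last = template
    for s in shards:
        last = xor_bytes(last, s)
    shards.append(last)
    return shards


def combine_shards(shards: List[bytes]) -> bytes:
    """Recombine all n shards; fewer than n yields an unrelated string."""
    acc = shards[0]
    for s in shards[1:]:
        acc = xor_bytes(acc, s)
    return acc


def hamming_bits(a: bytes, b: bytes) -> int:
    """Number of differing bits; stands in for a real biometric matcher."""
    return sum(bin(x ^ y).count("1") for x, y in zip(xor_bytes(a, a), xor_bytes(a, b)))


def verify(stores: Dict[str, bytes], probe: bytes, max_bits: int) -> bool:
    """Fetch every shard from its store (an in-memory dict stands in for
    device enclave, bank server, etc.), rebuild the template only for the
    comparison, then zero the buffer. Best effort: Python gives no
    guarantee about intermediate copies."""
    template = bytearray(combine_shards(list(stores.values())))
    try:
        return hamming_bits(bytes(template), probe) <= max_bits
    finally:
        for i in range(len(template)):
            template[i] = 0


# Constructed 256-bit "template" (not real biometric data).
ENROLLED = bytes.fromhex(
    "a3f1c04e7b2d9e8810ff5a6c3e9d27b4c8d10f3a6e5b9c4d2f7a8e1b3c5d6f90")
# Constructed: same person, 7 bits of sensor noise (positions 0,5,...,30).
NOISY_PROBE = bytes(x ^ (0x01 if i % 5 == 0 else 0)
                    for i, x in enumerate(ENROLLED))
# Constructed: a different person, differing in 4 bits of every byte (128 bits).
IMPOSTOR_PROBE = bytes(x ^ 0x3C for x in ENROLLED)
MAX_BITS = 25  # assumed matcher threshold


if __name__ == "__main__":
    shards = split_template(ENROLLED, 3)
    stores = {"device_enclave": shards[0], "bank": shards[1], "third_party": shards[2]}
    print("genuine accepted :", verify(stores, NOISY_PROBE, MAX_BITS))
    print("impostor rejected:", not verify(stores, IMPOSTOR_PROBE, MAX_BITS))
    # A breach of two of the three stores still does not yield the template.
    partial = {k: stores[k] for k in ("device_enclave", "bank")}
    print("two shards match :", verify(partial, NOISY_PROBE, MAX_BITS))
```

The n-of-n split means losing any one store makes the template unrecoverable, which is the trade-off for the strongest single-breach guarantee; a threshold scheme such as Shamir's k-of-n (not shown here) relaxes that at the cost of tolerating k-1 compromised stores instead of n-1.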
What two-factor authentication methods do European banks prefer to use to meet SCA?
Alasdair: It depends on how the institution is approaching SCA. If it’s being approached from the perspective of checking the box for compliance and being done, or if they give it to the information security department or the IT department, then you end up with a technical view on how to achieve compliance and you could end up with a number of technologies.
More progressive institutions are looking at this as an opportunity to make their customers more secure and no single technology is going to enable that and encourage customers to engage in the right behavior. That brings me back to the phrase I’ve been overusing in this webinar: customer experience. To breed trust and security, you have to incentivize good customer behavior.
Institutions that are coming from the customer perspective are looking to implement all these protections, but in a way that encourages their customers to behave in a way that helps security. That’s why we’re seeing institutions use biometrics and being customer centric.
The one thing I’d criticize about PSD2 is that there isn’t the level of standards within the security implementation that we would have hoped for. So the authorization at the bank level is very much an integration challenge, so if you look at how to get something out quickly that can benefit your customers, you’d be looking at something that you can naturally fit into the bank or payment provider’s ecosystem.
How can I help customers understand why they’re being asked for SCA for some transactions and not others?
Alasdair: Explain the benefits of enhanced protection and let them know that their financial security is a top concern for the bank. Emphasize that both protecting the individual from bad actors and protecting the financial system from mass fraud are at the heart of SCA. SCA is about allowing banks to develop a personal relationship with their customers in an age when they no longer have to go into a branch to complete transactions.