Secure Authentication with Biometrics

Gareth Tyler
12 min read · Mar 23, 2021

The world is favouring biometric authentication over passwords and there’s a reason.

The Password is Dying

PINs, passwords, passcodes. They are what the financial industry has relied upon for decades, even longer, and the reason is that in this sector in particular we require safety and security. Yet these basic measures are not the trustworthy assets they once were. Not only are knowledge-based authenticators sometimes difficult to remember and a poor user experience, but they can easily be stolen or, with the technology freely available today, cracked in seconds.

This is why companies all over the world, not just financial institutions, have been looking for alternative means to authenticate their customers, and prove with a high level of assurance that they are who they say they are.

Smartphones are taking over

The use of smartphones has grown exponentially in recent years and in 2020 the number is set to increase to 3.5bn users worldwide, with 80% of users preferring smartphone-based digital banking. With over 45% of the world having a smartphone and over 61% of the world having mobile phones, this means that nearly 75% of the world's mobile phone users are on smartphones.

73% of Brits use online banking and 13% have moved entirely to an online only bank. And digital banking users are expected to rise to 3.6bn worldwide by 2024. With only 1.7bn individuals globally not having access to a bank account this means the proportion of digital account holders is now well above half the world population. The growing number means not only is there huge potential for those institutions that have made a complete digital transformation but that security has never been more important for online banking.

What’s Next?

As with all improvements in security there are always those looking to exploit any weak links and faults in security walls. However, for the foreseeable future the most secure method of identifying an individual correctly is through a combination of measures. The use of biometric authentication is one of the most important changes that every sector looking to improve their customer security must look to implement.

Until the current technologies used to read your biometrics become redundant they are the answer, and when combined with other methods such as Time-based One-Time Passwords (TOTPs) they become extremely difficult to crack and far less likely to leave innocent people at risk of losing control over their data or even their finances.

In the pages below you’ll see what biometric authentication is really all about: how important it is, the risks and benefits, and the standard we’ve used in our implementation. This technology, once limited to spy novels, is readily available, highly cost effective and should be seen as the new basic level of ‘Secure’.

Multi-factor Authentication

Recent standards and regulations have introduced a norm that we generally refer to as MFA. What we mean by this is that to authenticate a user needs more than one factor. In the new Payment Services Directive (PSD2) we have requirements to satisfy Strong Customer Authentication. This is where you’re required to provide at least two of the three factors we have in play. Our implementation of Biometrics enforces this and we make the user provide two of the three below:

  • Knowledge — Something you know — eg. password or PIN
  • Possession — Something you have — eg. Device
  • Inherence — Something you are — eg. Fingerprint, face, iris or voice recognition.

BIOMETRICS

What is Biometric Authentication?

Biometrics is the technical term used for measuring the body. It refers to the metrics of unique physiological or behavioural characteristics, such as fingerprint, facial recognition, DNA, or even location and browser habits. So biometric authentication is the process of using these metrics to identify and authenticate an individual. When a service asks someone to authenticate it is looking to determine whether that person is who they say they are, and using biometrics is the surest way to confirm that the presented information matches what is held on the system.

In short, Biometric Authentication allows a person to be identified and authenticated based on a set of recognizable and verifiable data, which are unique and specific to them.

Fingerprint Recognition

Fingerprint recognition is currently one of the most trusted and reliable pieces of verification used in biometric authentication. Based on an impression made by the user on their device, the system verifies the individual through the analysis and comparison of his or her finger dermal ridges. The comparison is against information stored on the phone and when these two pieces match the user is authenticated.

Facial Recognition

Facial recognition is technology that is able to identify and verify an individual based on characteristics and points taken from a digital image or a video frame. It works by comparing features, textures and shapes from the provided source against those stored in a database — in this case on your mobile device.

Voice Recognition

Though Voice Recognition is not part of the product currently it is worth noting in the case it becomes a part of the product offering in the future. Voice, speech or speaker recognition is the ability of the system to interpret received dictation and verify a user or translate spoken word into computing commands. For verification the system needs to be trained and will often request certain words to be spoken to help form a baseline for the system to work with. Verification is a comparison of the provided speech against the information already stored.

Authentication Strength

As shown in the below graphic the security and level of assurance strength grow exponentially when multiple factors are combined.

Whilst there might be the occasion where an attacker has access to, or knowledge of, your PIN, password, security question answer, the email address registered to receive a One Time Passcode or, in the worst case, your fingerprint, needing to have access to all of them at the same time is much more unlikely.

This is why having only one factor is not recommended, no matter what type of authentication it is. On their own they all carry risks. Biometric authentication is still the most secure as a standalone but Backbase, as well as many security organisations, advocate for multi-factor authentication when requiring the highest level of assurance.

Backbase Biometrics

Our MFA capability provides biometric authentication based on the FIDO Universal Authentication Framework (UAF) specification. It uses the biometric capabilities of mobile devices to enable passwordless authentication and we currently support:

  • Facial recognition (iOS & Android)
  • Fingerprint recognition (iOS & Android)

FIDO (Fast Identity Online)

In Backbase’s Identity we have developed FIDO based authentication for Biometrics, as well as Passcode and Device Authentication. Using FIDO means we follow a standard public cryptography implementation which provides much stronger authentication.

During online device registration for a user a new key pair is created. The device retains the private key and registers the public key with the service. These keys are essential for security in the authentication process. Only by the client device proving possession of the private key by signing a challenge can the authentication continue. The private key also has to be unlocked locally by the user on their device, for example by placing their thumb on the device’s fingerprint scanner. This means the user’s biometric information never leaves their device: it is stored on the device and is never sent, and neither is the private key; only the signed challenge is sent, so the biometric cannot be stolen during the authentication process.

An example of registration:

  1. User opens app and starts registration process.
  2. User is given a choice of FIDO based authenticators — Biometrics/Passcode.
  3. User unlocks the biometric authenticator using the device’s fingerprint reader.
  4. User’s device creates the unique public/private key pair for the device and the online service.
  5. Public key is sent to the online service and linked to the User’s account.
  6. User, device and biometrics are registered.

An example of authentication (login, transaction signing etc):

  1. On receipt of a request for authentication the online service challenges the user to authenticate using a device known to the service and registered to the user, that also matches the service’s acceptance criteria.
  2. User unlocks the Biometric FIDO-based authenticator by scanning their thumb/finger on the device.
  3. Device uses the identifier for the user provided by the online service to select the correct key and sign the challenge.
  4. User’s device sends the signed challenge back to the service, which then verifies it with the stored public key.
  5. User is authenticated.

The Backbase Identity biometric authentication flow enables the user to authenticate using their registered biometrics.

At a basic level:

  1. The server generates a challenge for the client to digitally sign using its securely stored private key.
  2. The FIDO Service verifies the user’s signature using the previously registered public key, in accordance with the FIDO UAF specification.

This flow is closely based on the FIDO UAF Authentication flow.

The Uses of Biometrics in a Banking Environment

Initially biometric authentication was limited to identifying criminals, recording attendance in the workplace or verifying travellers at border control but the world moves on. Using biometrics to verify an individual means you can trust the user more and as such allow them to carry out more important actions without needing to enter the bank in person, or for that matter even move anything more than their own hand.

In Backbase we are already using Biometric Authentication to verify a user on login, and have recently released our confirmation service which, if integrated with, allows someone to sign transactions. This could be a payment from the user’s mobile to an institution or individual, or it could be to confirm a purchase from an online retailer where they’ve started the flow on the web and get redirected to their phone.

Soon we will be looking at Step-up authentication and, out-of-the-box, provide the tools to allow a user to raise their level of assurance up to the state required to carry out an action. For example, a user opens their mobile banking app with their passcode and then wants to transfer funds between two of their accounts. This requires more assurance from the user that they are who they say they are, and so the bank challenges the user to authenticate using biometrics and potentially even another form of authentication, such as a One-Time-Password.

There are myriad uses for biometric authentication, though they are all essentially just different flavours of a login authentication. How you implement it can mean allowing your user a range of functionality that used to only be possible by entering the bank and providing all their personal information, their password and even a physical form of ID.

The Benefits of Biometrics

Implementing Biometric authentication brings with it many pros:

  • High individual identification accuracy — biometric data is based on unique physical traits.
  • Superior level of security — biometrics can’t be stolen as easily as a password.
  • Higher level of resiliency — biometric data rarely changes.
  • Highly efficient — much quicker to place your thumb on the screen than remember and type out a password.
  • No reliance on human memory — passwords and PINs can be forgotten
  • Very convenient — No need to carry around anything extra, it’s all based on physical features.
  • Excellent accountability — Very high level of assurance that it is that individual carrying out the action.

Weighing these up against cost might seem like the natural next step, but maybe it’s worth considering that this is an inevitable change within identity verification and implementing it must happen. It’s then just a question of doing it now or at some later date. With Backbase Identity this is what you get out-of-the-box meaning all you need to worry about is how to shout about it to your customers.

What Customers Want

When looking to improve technology, or a product offering it’s a balancing act between providing the customer with what they want and what they need. Here you can see how closely aligned these two seemingly different angles of attack are. If a user wants a better, quicker, easier experience then biometric authentication is the way forward. Likewise, if they need a safer and more secure way to identify themselves then the solution is the same.

The table below (from Statista; not reproduced here) shows the biggest reasons why customers would look to change banks.

As you can see security is one of the highest priorities for the general user. Traditionally financial institutions have been responsible for our biggest assets and with that it’s natural to hope we’re protected as much as possible.

The Risks and Concerns

It is important to be aware of the downside of biometric technology as well so that you’re able to make a fully informed decision around implementing what might be a brand new technology to you and/or your company. Just like any other means of authentication available today biometric authentication has its cons:

Biometric readings can be inaccurate — whilst we know our fingerprints, faces, and voices all have very unique characteristics the technology reading them is where you may find problems. Devices don’t take a complete reading, instead they look at small details. This means how your biometric is stored and referenced is not as unique as the actual biometric itself. Take fingerprints for example — the information stored isn’t as you would think. The information is turned into points of data. Where you have major turns, valleys, or general deviations a point is marked. This means rather than it looking like a fingerprint, the stored data is more like a child’s dot-to-dot image.

The same goes for facial recognition. Instead of something a human would recognise as a person, or image of a face, the information stored is a series of reference points. These are measurements such as distance between the eyes, depth of the eyes, width of the nose etc.

Both facial and fingerprint recognition systems on devices have seen concerns raised around security. There have been cases where an individual’s fingerprint was able to be stolen and used on the first iterations of mobile readers, as well as screen protectors actually being used to reissue a fingerprint to the device. Facial recognition systems had to change quickly after transgressors realised they were able to fool them by using a photo of a person rather than needing to scan the actual face.

Another area of concern within facial recognition is in the system’s ability, or lack thereof, to distinguish between faces in unique situations. A study has shown that there is a 10x higher rate of failure when a black woman is trying to use facial recognition vs that of a white male. It seems a darker skin tone can consistently lead to an increase in ‘false match rate’ (FMR). The typical rates are 1 in 1000 with the darker female attempts and 1 in 10000 with the lighter male attempts.

Something that often comes up as a concern around this topic is that if your fingerprint or face biometric data was stolen in a way to be reused then you potentially run a lifelong fraud risk. However, the way these systems are designed is to mitigate these risks as much as possible. Not only does the biometric data never leave the phone, meaning stealing is much more difficult, but also that biometric data is synced to the device. This means you cannot just go use the stolen biometric on another device in an attempt to authenticate into an account, you would need to have both the biometric AND the device it registered with, otherwise there is no way the system would even link the stolen data to a user or account. Stealing the biometric would give you access to only that device, not the system itself, whereas if a password is stolen it can be used from any machine capable of inputting those characters.

Though we’ve outlined the potential downsides to implementing this new authentication method, it is vital that we reiterate how many more benefits it brings. Stealing a password is a lot easier than stealing a fingerprint and the phone associated with it. Just like anything else built by humans this system is at risk of subversion, but in the current age of computers biometric authentication is the most valuable option for any institution looking to improve customers’ experience, and when combined with other factors it can provide the safest and most secure means of identity verification currently available.

Final Word

Are you satisfied with the information? Are you already implementing this technology in your institution? If not we recommend that you get fully informed, read more research, consult with security experts and discuss this with important stakeholders at your company.

Customers want easier and more secure access to systems, and you need them to have it.

Gareth Tyler

Founder, Product Manager, Soldier and Snowboarder