Biometrics works best in 'layers'
Layering defense mechanisms is standard best practice for a range of payments security, and biometrics is no different.
In addition to the transformation of biometric data into an irreversible template, these templates are also later encrypted and further protected by hardware and software both at rest and during the matching process.
The most successful example of a biometrics use case, the smartphone, utilizes the highly secure software isolation of Trusted Execution Environment (TEE) technology for storage and matching of biometric templates on device. The hardware on which it runs is intrinsically secured through its high degree of integration, complexity, miniaturization and specialization.
This approach is also championed by new use cases such as biometric payment cards. Here, the Secure Element (SE) – the chip technology that secures the financial data in your bank card – is utilized to store, process and match biometric information within the confines of the card. This treats biometric templates with the same security as the PIN and other financial data that is stored on our payment cards.
Nothing is "unhackable." With enough time, money and effort, it’s possible to get into anything. A safe, a bank vault. However, attackers take the path of least resistance, and often it’s the end user that is the "weakest link" in the security chain when it comes to social engineering attacks.
End-users are vulnerable to attacks, such as phishing, where they can be tricked into giving away information such as a PIN or password. With consumer biometrics, the user only presents their biometrics to their personal device and can’t give anything away. This also removes the risks generated by mistakes or complacency, such as creating a password that’s easily guessed.
Biometric authentication can protect a whole host of other sensitive personal data, far more quickly, conveniently and securely than was ever possible with PINs or passwords.
Today however, passwords and PINs remain the most used authentication methods outside of smartphones – something increasingly problematic. The friction created by asking users to create a new password has a significant impact on drop-out rates – especially as new best practices guidelines recommend complex requirements such as including numbers, capitals, special characters and length. NIST’s digital identity guidelines outline the importance of usability challenges and stress, fundamentally, “positive user authentication experiences are integral to the success of an organization achieving desired business outcomes.”
Six out of 10 consumers feel they have too many PINs and passwords and worry about forgetting them. Unsurprisingly, 41% also admit to re-using the same PIN code or password across multiple sites, apps and devices. So, not only are PINs and passwords frustrating for consumers, they’re also becoming less secure.
Biometrics can be the authentication silver bullet as it combines security and a convenient UX, with leading fingerprint sensors authenticating in under a second. Its capacity to bring security to devices and processes previously either unsecured, poorly secured, or secured with a poor UX is phenomenal. Mobile is the perfect example of how it has been able to transform a device from being unsecured most of the time, to now only unlocked when in use. And now, just look at how your bank accepts your fingerprint authentication on your phone for access to your account.
With consumer biometrics, it's quick and effortless to enroll in new services and subscriptions. Consumers are happy to authenticate more frequently, because it’s so simple and the action is so intuitive. Plus, you cannot forget your fingerprint.