The use of biometrics is growing, to prove identity when new financial accounts are opened and when existing accounts are used. As more interactions become digital, biometric use has become acceptable to more customers. This was illustrated in a recent independent survey carried out on behalf of FICO of 5,000 people across ten countries. In all countries surveyed, more than 60% of consumers were happy to provide their bank with a biometric - such as a fingerprint, facial scan or voice print - to help with security.
Increased use of biometrics to verify identity is likely to continue – so what steps need to be in place in order to manage identity using biometrics?
Identity validation involves being sure that an identity exists. For example, this process looks to establish that there is a person such as Jane Smith and that she has the corresponding attributes, such as date of birth and/or social security number. This is typically carried out by checking data, for example the electoral roll, or by looking at trusted documents, such as government-issued passports, identity cards or driving licences, and checking that they are genuine, valid and have not been tampered with or altered.
The technology available in most smartphones allows quality photographs of documents to be taken to validate identity. Optical character recognition can even extract data from the documents to fill out forms so that applicants don’t need to.
Identity verification is the stage at which you need to confirm that the person presenting themselves to you is the same person represented by the identity given. This is the first stage in the process where biometrics can be used to establish identity. This usually happens by comparing the photograph in the documentary evidence to the individual concerned.
In a face-to-face environment, an employee would check that the photo in the document matches the person in front of them. The digital identity verification equivalent enables a “selfie” sent by the applicant to be accurately compared with the photo in their identity document.
Additional checks can also be implemented to confirm that the person is actually present (rather than a fraudster using an image or video of the person). These "liveness" checks can be either passive, where machine learning analysis assesses whether the person’s presentation is consistent with them being present, or active, where the person is asked to carry out specific actions, for example to look up, down or from side to side.
Together identity validation and identity verification are often referred to as identity proofing.
Identity verification at the point of account opening ensures that you have set up an account for a legitimate customer, but you must also be sure that you are still dealing with your legitimate customer at every interaction. These checks should be robust and multi-factor. To meet these requirements, you need to set up different authentication methods that cover the factors of:
- Inherence—something that the customer is e.g. a biometric
- Possession—something the customer has, such as a mobile phone
- Knowledge—something the customer knows; ideally something only they know, such as a password
Enrollment of these factors can be a multi-step process; for example, you can automatically enroll the selfie and document scan taken at account opening without customers taking further action. Enrollment of other factors, such as a voice biometric, can be done as the account is opened. Customers who can see their account is already open are less likely to balk at the enrollment processes that happen after that. As your requirements and capabilities develop, you can ask customers to enroll additional factors on an ongoing basis.
It may become necessary to enroll long-term, existing customers for authentication periodically. This has recently been demonstrated in the European Union with the introduction of strong customer authentication under the Second Payment Services Directive (PSD2). Banks have undertaken significant programs to ensure they have the correct mobile phone numbers to determine possession and to enroll biometrics so that they can carry out inherence checks.
While it may be tempting to enroll customers for as many factors as possible, this needs care. For each factor enrolled, you will be processing personal data that needs to be protected and meet regulatory requirements, such as the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). You should not be processing data you don’t need for your stated intent. However, you do need to have flexibility to carry out authentication in most circumstances.
Having collected data, you need to be sure it can be firmly connected to the individual you intend to authenticate. While binding is generally used to refer to the protocols that recognize that a device belongs to a specific identity, the concept of binding can be usefully extended to encompass how all elements of authentication are reliably linked to an identity and so to each other.
This is particularly important when an element of authentication needs to be changed or confirmed, for example:
- Your customer gets a new mobile phone and you are seeing it for the first time. You need to confirm that it is their device as soon as possible and without disrupting them. Because you have securely and reliably linked the customer’s fingerprint to their identity, you will know that the fingerprint being used with the new device is theirs and therefore have a high degree of certainty that the new device can be linked to their identity and used for authentication.
- You want to register a new authentication factor, such as enroll a voice biometric. When you do this, you need to be sure that it’s your legitimate customer you are capturing a voice print from. You can do this by confirming it’s them using other factors bound to their identity.
- The customer’s device presents with a different SIM card. If the associated device profile hasn’t changed, you can trust the SIM card. If the device profile has also changed, you know there is potential SIM swap fraud and can prevent access or invoke step-up authentication.
To prevent fraud and money laundering, activities must be secured with identity checks, including:
- When an account is accessed
- When an activity is undertaken that increases the risk of account takeover—for example, if account details such as address or email need to be changed
- When high-risk transactions such as a payment are made
As much as possible, the authentication you undertake must meet the requirements of the specific situation, including:
- Regulatory requirements
- Customer preferences and ability
- Environmental factors (e.g. loss of mobile phone signal)
- Channel and device accessing it
- Organization’s risk appetite
- Level of risk present
- Cost of authentication checks
Getting this right means not only having the right authentication methods available, but also the ability to orchestrate them appropriately. Forward-looking organizations put effort into deploying solutions that can execute authentication throughout the organization. For example, if a customer has just been securely authenticated with biometrics on one channel, they shouldn’t be immediately forced to use step-up authentication in another.
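The binding decisions described above (new device vouched for by a bound fingerprint; changed SIM trusted only while the device profile is unchanged; SIM and device both changed treated as a SIM swap pattern) and the cross-channel orchestration point (a fresh biometric authentication should not immediately trigger step-up elsewhere) can be expressed as one risk decision. The following is an added illustration, not FICO's code or any vendor's API; the `Identity`/`Attempt` structures, the 300-second carry-over window and the choice of "block" versus "step_up" are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Optional

FRESH_AUTH_WINDOW = 300  # seconds; assumed carry-over window for a biometric auth on another channel

@dataclass
class Identity:
    """Authentication elements bound to one customer identity (constructed sample, not FICO code)."""
    device_profiles: set = field(default_factory=set)     # device-attribute hashes already trusted
    sim_by_profile: dict = field(default_factory=dict)     # device profile -> SIM id last seen with it
    biometric_templates: set = field(default_factory=set)  # handles of enrolled biometric templates
    last_biometric_auth: Optional[float] = None            # epoch seconds of last biometric success

@dataclass
class Attempt:
    device_profile: str
    sim_id: str
    matched_template: Optional[str]  # template the presented biometric matched, or None
    now: float                       # epoch seconds

def decide(identity: Identity, a: Attempt) -> str:
    """Return 'allow', 'bind_device', 'step_up' or 'block', updating bindings on success."""
    bio_bound = a.matched_template is not None and a.matched_template in identity.biometric_templates
    if bio_bound:
        identity.last_biometric_auth = a.now
    if a.device_profile in identity.device_profiles:
        # Known device profile: a changed SIM is trusted and re-bound to the device.
        identity.sim_by_profile[a.device_profile] = a.sim_id
        return "allow"
    if bio_bound:
        # New device, but a fingerprint already bound to the identity vouches for it.
        identity.device_profiles.add(a.device_profile)
        identity.sim_by_profile[a.device_profile] = a.sim_id
        return "bind_device"
    if a.sim_id not in identity.sim_by_profile.values():
        # SIM and device profile both changed with no bound factor: SIM swap pattern (assumed policy: block).
        return "block"
    # Known SIM in an unrecognised handset: step up unless biometrics just succeeded on another channel.
    fresh = identity.last_biometric_auth is not None and a.now - identity.last_biometric_auth <= FRESH_AUTH_WINDOW
    return "allow" if fresh else "step_up"
```

Each call also records the binding it establishes, so a later attempt from the same handset or SIM is evaluated against the updated identity.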
Having secured identity management at account opening and at the initiation of an activity such as a login or account details change, it’s also necessary to look at security throughout a session. For example, once a customer has logged in to their account, what can you do to ensure the session isn’t taken over? Similarly, if fraudulent use was not detected at account login, what can you do to identify it during a session?
Recognition of these challenges has driven adoption of authentication measures that can be applied in the background throughout interactions. Behavioral analytics are a key component of such an approach. If a fraudster uses the mobile device in ways that deviate from those expected from the legitimate customer, the system can trigger preventive or remedial action - for example, interrupting the session and requesting additional step-up authentication, or sending a message by another channel to the legitimate customer to check it is still them.
Many organizations have taken a piecemeal approach to implementing the six steps mentioned. Different teams are often managing different projects and the technologies used to underpin each step cannot be integrated. This leads to both inefficiency and inaccuracy.
The emergence of platforms that can effectively manage all stages and offer abundant choice in biometric and non-biometric methods of identity management gives financial institutions a head start in building a more integrated approach that delivers more effective identity management across the customer lifecycle.
For more information about how biometrics can be integrated into a comprehensive solution that helps you achieve a truly integrated approach, read our white papers: