Advances in fingerprint, face, voice and iris recognition are resulting in more affordable, reliable and accurate biometric technologies. In particular, the benefits of biometrics in enhancing customer experience and securing transactions have resulted in substantial adoption throughout the financial sector over the last 10 years.
Biometric technologies can add value across all areas of customer verification and identification including:
- In-Branch: Access control and VFR;
- Mobile: Remote authentication using biometrics including voice, face and fingerprint verification;
- Onboarding: Electronic identity verification solutions.
Biometric and identity systems differ from traditional security systems in that they are inherently probabilistic: a biometric match is a similarity score compared against a threshold, not an exact check of a secret, so these systems present a different risk profile to an organisation. Determining and managing the implications of handling biometric personal data responsibly is also essential. Many factors bear on implementing a biometric system, but four are core when considering risk:
- Management of matching results: turning the scores produced by the biometric matching engine into suitable real-world decisions.
- Understanding the relationship between biometric sample quality and system performance, which is critical to managing risk and ensuring good outcomes.
- Vulnerabilities: the points where attackers have opportunities to exploit the system, such as presentation (spoofing) attacks at the sensor and attacks on stored templates or the matching pipeline, must be identified and assessed.
- Biometric design must take into account laws governing the use and retention of all privacy-sensitive data. The EU GDPR is an example of how important this is becoming globally.
In addition to managing these factors, there are system-specific intricacies that need to be actively managed and monitored to balance high usability with adequate security. Genuine attempts and impostor attempts form two score distributions across the spectrum of biometric performance, with the expectation that impostors score poorly and genuine users score highly. This establishes a range of ‘certain matches’ and ‘certain non-matches’, but between them lies a grey area of uncertainty where the two distributions overlap. How do you manage this grey area of possibly fraudulent and possibly legitimate attempts so as to reject the impostors and let genuine users through? If the match threshold is configured too low, you accept too many fraudulent attempts (a high false accept rate) and compromise the security of your system. If it is configured too high, the system rejects many attempts from genuine users (a high false reject rate) and risks alienating customers.
The answer is that this trade-off can only be managed through an evaluation that establishes the correct threshold configuration, followed by active performance monitoring in production, because the distributions observed in the field can drift away from what the evaluation measured.
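As an added example (not code from the original article or from any vendor's product), the following Python sweeps candidate thresholds over constructed genuine and impostor score samples, computes the false accept rate (FAR) and false reject rate (FRR) at each, locates the equal-error operating point, and shows one way of handling the grey area: a two-threshold policy with certain accept above one threshold, certain reject below another, and a step-up (second factor or manual review) in between. The 0..100 score scale, the sample scores and all function names are assumptions for illustration.

```python
"""FAR/FRR trade-off and grey-zone handling for a biometric match threshold.

Added illustration for this article, not code from it or from any vendor.
Match scores are constructed inline on a hypothetical 0..100 similarity
scale to stand in for a matching engine's output; a real evaluation would
use scores collected from enrolled users and known impostor attempts.
"""
from typing import Iterable, List, Optional, Tuple

# Constructed sample scores (hypothetical): 30 genuine and 30 impostor attempts.
GENUINE_SCORES: List[int] = [
    62, 68, 71, 73, 74, 75, 76, 77, 78, 78, 79, 80, 81, 81, 82,
    83, 84, 85, 86, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98,
]
IMPOSTOR_SCORES: List[int] = [
    5, 8, 12, 15, 18, 20, 22, 25, 27, 29, 31, 33, 35, 37, 39,
    41, 43, 45, 47, 50, 52, 55, 58, 60, 63, 65, 67, 70, 72, 75,
]

Row = Tuple[int, float, float]  # (threshold, FAR, FRR)


def far(impostor: List[int], threshold: int) -> float:
    """False accept rate: fraction of impostor attempts scoring at or above threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: List[int], threshold: int) -> float:
    """False reject rate: fraction of genuine attempts scoring below threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def sweep(genuine: List[int], impostor: List[int], thresholds: Iterable[int]) -> List[Row]:
    """FAR and FRR at every candidate threshold (the data behind a DET/ROC curve)."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_threshold(genuine: List[int], impostor: List[int],
                          thresholds: Iterable[int]) -> Row:
    """Operating point where FAR and FRR are closest (the EER point)."""
    return min(sweep(genuine, impostor, thresholds), key=lambda row: abs(row[1] - row[2]))


def threshold_for_far(genuine: List[int], impostor: List[int],
                      thresholds: Iterable[int], max_far: float) -> Row:
    """Lowest threshold whose FAR is within budget, with the FRR it costs."""
    for row in sweep(genuine, impostor, thresholds):
        if row[1] <= max_far:
            return row
    raise ValueError("no threshold meets the FAR budget")


def threshold_for_frr(genuine: List[int], impostor: List[int],
                      thresholds: Iterable[int], max_frr: float) -> Row:
    """Highest threshold whose FRR is within budget, with the FAR it costs."""
    for row in reversed(sweep(genuine, impostor, thresholds)):
        if row[2] <= max_frr:
            return row
    raise ValueError("no threshold meets the FRR budget")


def grey_zone(genuine: List[int], impostor: List[int]) -> Optional[Tuple[int, int]]:
    """Score range where the two distributions overlap, or None if they are separable."""
    lo, hi = min(genuine), max(impostor)
    return (lo, hi) if lo <= hi else None


def decide(score: int, reject_below: int, accept_at: int) -> str:
    """Two-threshold policy: certain accept, certain reject, or step-up in the grey zone."""
    if score >= accept_at:
        return "accept"
    if score < reject_below:
        return "reject"
    return "step-up"  # e.g. request a second factor or route to manual review


if __name__ == "__main__":
    thresholds = range(0, 101)
    t_eer, far_eer, frr_eer = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds)
    print(f"EER point: threshold={t_eer} FAR={far_eer:.3f} FRR={frr_eer:.3f}")
    accept_at, _, frr_cost = threshold_for_far(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds, 0.0)
    reject_below, far_cost, _ = threshold_for_frr(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds, 0.0)
    print(f"accept at >= {accept_at} (FRR cost {frr_cost:.2f}); "
          f"reject below {reject_below} (FAR cost {far_cost:.2f}); "
          f"grey zone {grey_zone(GENUINE_SCORES, IMPOSTOR_SCORES)}")
    for s in (40, 70, 80):
        print(s, decide(s, reject_below, accept_at))
```

On these constructed samples the single-threshold EER point sits at 71 with FAR and FRR both at about 6.7%, while driving FAR to zero costs a 20% FRR and driving FRR to zero costs a 20% FAR; the two-threshold policy keeps both certain decisions at zero error and sends only the overlapping 62..75 band to step-up. The same `far` and `frr` functions, re-run periodically over labelled production samples, are the basis of the in-production monitoring the text calls for: if the observed rates move away from the evaluation figures, the thresholds need revisiting.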