The second part of a discussion about biometric technology and its use in making our digital world more secure and less vulnerable to threats. The intense use of online tools in recent weeks accentuates the need to be on guard.
(An earlier version of this article appeared on WealthBriefing, sister news service to this one. The examples here refer to the US as well we Europe, and given the cross-border nature of the topic, we hope readers find this valuable.)
Continuing our focus on the cybersecurity and data protection challenges exacerbated by COVID-19, we now turn to the boom in biometric authentication. (Part one of the feature is here.) This second part of the feature digs into the technological choices and hidden risks wealth managers need to be aware of; Part 1 unpicked the compelling business case for verifying the identity of staff and clients using this technology. To jump into the conversation email email@example.com and firstname.lastname@example.org
As the first part of this feature set out, the costs and risk surrounding passwords have been pushing financial institutions towards Multi-Factor Authentication and then biometrics for some time now, a trend which experts say is being hugely accelerated by the COVID-19 crisis. Surging cybercrime, remote working - and very often the need to enlist employees’ own computers and mobiles in it - have created an acute need for wealth managers to beef up security around systems, devices and data. At the same time, clients are likely to be logging on to monitor portfolios and transacting business digitally like never before. Nor can verifying that a caller is who they say they are be neglected amid a rise in “vishing” attacks by phone.
Coupled with the desire to create a seamless user experiences, the heightened cybersecurity and data protection dangers facing the sector have added to the already impressive momentum driving the industry’s adoption of biometric authentication methods. Even before the pandemic struck, biometric technology was predicted to grow at a CAGR [compound annual growth rate] of 22 per cent between 2017 and 2024 in the banking and finance sector. (1)
Add in the productivity gains to be had from eradicating the pain of password resets and expiration, the business case for biometrics is compelling. However, careful choices must still be made, the experts warn.
First is the institution’s choice of biometric from what is actually quite a wide range. Some institutions have been using voice recognition with clients for years, but the prevalence of facial recognition and fingerprints via smartphones has brought these to the fore (vein patterns, iris/retina scans and even electrocardiograms are also possibilities). Here, James Stickland, CEO of Veridium, advises firms to be strategic in deploying the right method for the use case, but to give particular weight to the maturity of the method.
“Fingerprint authentication is the most mature and accurate,” he says. “They are harder to spoof than other methods and less likely to suffer from interference from external factors, such as the problems with lighting or headgear you encounter with facial recognition.” Importantly, he observes that institutions like the US National Institute of Standards and Technology recognize standards for fingerprints, which they haven’t done with other biometric technologies.
As Part 1 noted, fingerprint technology has the very great advantage of already being baked into smartphones – as are the high-quality cameras needed for facial recognition and scanning documents like passports. As a further boost to the digital onboarding movement, UK regulator the Financial Conduct Authority recently confirmed its acceptance of selfies and videos as a means of verifying clients’ identities.
That there is no need to invest in hardware already in the hands of staff and clients means that institutions are eagerly adopting biometric authentication for all kinds of purposes - and the technology is clearly proving invaluable to helping businesses carry on as close to normal as possible. “Use cases include remotely onboarding clients and employees; secure access to systems, applications and devices; self-service password resets and encryption recovery keys,” says Darren James, technical lead at Specops Software. “Firms also use it to verify directors dialling in for virtual board meetings.”
The creation of legally binding e-signatures and consents for transactions is, of course, another hugely important application - and one which underscores how immensely important security around biometrics will be. Here, implementation choices become more complex.
Institutions looking to implement biometric authentication may encounter grave concerns about the theft of this data. Hackers will naturally salivate at the thought of stealing biometric markers and one cannot, after all, reset face or fingers if a theft should occur. Just as important is the fact that biometric information is specifically included in the GDPR’s definition of special category personal data under Article 9 and so exposes firms to the highest possible fines for breaches.
Here, James first advises firms to pay close attention to the jurisdiction in which the technology provider resides (ensuring data isn’t transferred to countries with weak protections for personal data is a concern not limited to the EU’s protection regime); and second to ensure adequate encryption of data, both in transit and at rest. Strictly limiting access to data internally, potentially through a Privileged Access Management system, is also strongly advised.
Most importantly, he says, firms should never trust any vendor with their users’ data and should instead “only store the data in their local environment - typically something resilient such as an Active Directory or a clustered database with sufficiently strong access controls and backups in place.”
To be even safer, Stickland explains that firms need never be the custodians of an individual’s biometric data at all. “Techniques such as the distributed data model can be used, which encrypts biometric data in multiple places by leveraging decentralized technology such as blockchain,” he says. “In this way, the data is secure and the individual remains the sole owner of their biometrics.”