There are three classic criteria for determining identity; something you have, something you know and something you are. For example, you might have a driver’s license with you, you know your mother’s maiden name and your fingerprint is unique to you.
Biometric verification is an example of the third criteria, the analysis of physical attributes such as fingerprint, iris, facial, voice and retina. You won’t forget it or lose it (well, hopefully!) as it’s based on a your biological characteristics.
The biometric industry is ready; a BCC Research report, Biometrics: Technologies and Global Markets, predicts a compound annual market growth rate of 22.7%, reaching 41.5 billion by 2020.
It seems the public is ready; a recent Retail Banking Biometrics Confidence Report discovered that 79% of respondents stated they want the opportunity to use advanced biometrics for mobile banking or payment apps. Eighty-six percent thought that biometrics are easier than passwords and 82% think they are more secure.
While there is increasing public interest in digital biometric technology, which has been around since the early 60’s, there are still stumbling blocks preventing rapid implementation. Perhaps the most significant factor preventing quicker adoption is the lack of industry knowledge. According to a Mastercard/Oxford biometric study, only 36% of decision-makers have adequate knowledge to make decisions around the use of biometrics. As security is a vital consideration for any electronic payment system, implementers need a thorough understand the technology, limitations, and how it will fit into your workflows.
The same Mastercard/Oxford study points out “Five considerations for implementing biometrics: performance, usability, interoperability, security and privacy” five factors that require consideration for implementing biometrics: performance, usability, interoperability, security and privacy. Simply put, the systems have to work. No business will want to implement biometrics if it is slow or inaccurate, produces a lot of false positives, or is difficult to implement or use.
With so many types of biometrics and use cases ranging from ultra-secure entry to consumers accessing their phones, there is no set standard. Therefore, the hope (or fear) of one biometric to account for a true identity will probably not happen. Systems will need to account for different biometrics and be upgradable as the technology evolves.
The information provided by biometrics is not a be-all-end-all for identity solutions. The information needs to work in context with previous layers of identity to work with existing business structures, ensure compliance, and protect privacy.
From a legal perspective, many countries don’t accept biometrics for Anti-Money Laundering (AML) Know Your Customer (KYC) compliance checks. To do so will require legislative changes as well as building out the database that safely and securely records and provides access to the highly personal information.
When updating the identity infrastructure, careful consideration is crucial. There are broad impacts on entire industries, with changes to hardware, data handling, security, compliance and many other aspects. Identity has a proven 100+ year legacy with established data points, however due to several external factors (e.g. data breaches, API adoption), identity verification and authentication has evolved since to include alternative data to offer a more robust layered approach. To exclude or disregard names, date of birth, addresses, and phone numbers, as some have proposed, is a step backwards for identity.
Rather, layering biometric information (as with any other data point) on top of the existing identity information helps create a consortium view of identity, a broad, dynamic, resilient approach to identity.
Adding to, instead of replacing identity systems, eases the adoption curve enabling institutions and individuals to integrate the new capabilities with less friction and upheaval. A holistic identity framework provides ways to advance identity without the risks of complete overhaul. Let’s work with what we have and add new technologies appropriately to protect individual privacy, expand identity inclusion and optimize compliance and fraud prevention.