
Biometrics and the Banking Business

Usually, customers need to be authenticated before they can access their banks' services. The authentication mechanism may be token-based for electronic access, signature-based for branch services or PIN-based for other services.

Biometric authentication identifies customers by their biological traits. More specifically, biometric technology is an application that uses individuals' characteristics and traits to identify them and control their access to various systems. 

Can biometric authentication be successful in banking? If yes, what are the drivers of success? And what are its advantages?

Although biometric verification and authentication are commonplace in immigration control and forensic studies, and multinational banks have used them to authenticate employees for years, customer-oriented biometric authentication is rare in banking, even in advanced markets. The most quoted example is that of Japan, where almost a majority of ATMs are equipped with vein pattern recognition. While a string of ATM fraud incidents triggered the use of biometric authentication by Japanese banks, the main motivation underlying the move was not to mitigate fraud-related losses, but to allay customers' security fears.

Socio-technological challenges pose the biggest barrier to adoption of biometric technology by banks. Banks also need to consider the local culture and level of literacy in the target region. For example, they might like to use fingerprint authentication in lieu of a signature at branches located in areas with low literacy, but they might prefer to use iris recognition in other regions.

Although the use of biometric technology could shorten transaction time, improved security is its single largest "USP" or benefit. Banks and other financial services businesses increasingly recognize the importance of biometric technology in securing their organizations and their customers against security breaches. The financial industry is also thinking of ways to employ this technology to combat money laundering, Internet fraud and identity crime.

While the security offered by biometric technology is an undeniable truth, the cost of biometric authentication must be evaluated vis-à-vis its projected benefit, before coming to a deployment decision.

Even so, banks seem willing to try biometric authentication provided their customers are comfortable with it. In order to make this happen, banks must first acquire a deeper understanding of biometric technology and its implementation to appreciate its advantages and then pass on the same message to their customers. The use of biometrics might also get a boost from advances in mobile apps, although ironically the latter will also emerge as the main competitor to current biometric authentication techniques.


Comments: (2)

Stephen Wilson - Lockstep Consulting - Sydney 11 September, 2012, 08:51

Sorry, the security of biometrics is entirely deniable.

No biometric today provides lasting signatures on electronic transactions. Biometric security is much more focused on access control – to secure data centres or to log on to computers – than transaction authentication. A biometric doesn't let you "leave your mark" on the transactions you later create. Biometrics just don't meet the business needs of paperless applications.

We must remember biometric devices are imperfect. Even if individuals' biological traits were intrinsically unique (and few actually are), the ability of real world commercial devices to measure them flawlessly is limited. Lenses (and bodies) get dirty, lighting varies, body parts age and scar, and each time they get presented to the scanners in subtly different ways, with variable pressure, angle, volume etc.

Therefore, every biometric system commits errors. They can confuse one user with another (False Positive) or they can fail to recognise an enrolled user at all (False Negative). The very best technologies have trial-by-trial False Positive rates of around one in a million - which sounds good but for biometric ATMs is actually not good enough; see below. Typical error rates are actually more like one in a hundred or worse, which has an impact in even small scale usage.

When deployed without any other authentication factor, in what's called "1:N identification", biometric performance becomes critical. If the trial-by-trial False Positive Rate is 1 in a million, the chance of getting at least one False Match when identifying someone against a database of N enrolled users is P = 1-(1-0.000001)^N. So for 100,000 people using a 1-in-a-million accurate vein scanner, the probability of at least one false match is a surprisingly high 9% [the maths isn't hard; Google "Birthday Paradox"]. For every 100 attempted withdrawals at a biometric-only ATM, around nine of those accesses will hit the wrong bank account. For N = one million customers, P = 1-(1-0.000001)^N = 74%. That is, 3 out of 4 withdrawals will hit someone else's account!!

So if you look at the much vaunted Japanese biometric ATMs they don't use vein scanning alone. Rather, customers must enter their PIN and their Date of Birth!

Biometrics suffer significant performance concerns especially in large scale deployments where users must be matched against big databases. Tests were conducted by the UK Passport Office in May 2005 on over 10,000 people using fingerprint, face and iris technologies. Average verification times were 39 seconds for face, 58 secs for iris and 73 secs for fingerprints. Accuracy was disappointing too: success rates were 96% for iris, 81% for fingerprints, and 69% for face.

These performance stats are old, but sadly there isn't much more recent information available in the public domain. Biometrics vendors tend to be rather secretive. A critical spec is the "Detection Error Tradeoff" curve which shows how False Positives go up (security worsens) when False Negatives are pushed down (for better convenience). But I find it impossible to get vendors to talk about their DET curves.

Biometrics are not really mature technologies. Different vendors use different algorithms; biometric scanners & software applications for now rarely interoperate across manufacturers. Single vendor solutions are usually mandatory, and migration to alternate suppliers is difficult. Many algorithms have only just come out of the R&D lab.

Perhaps the worst problem is this: it is impossible to revoke a compromised biometric and reissue a new one. In contrast, one of the best security features of smartcards and most other authenticators is they can be cancelled and replaced if lost or stolen. No security system is perfect; all good security systems have fallback mechanisms. 
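The 1:N false-match formula quoted in the comment above, P = 1-(1-FMR)^N, evaluated as an added example that is not part of the article or of either comment. The function names are illustrative, and the 1% risk target is an assumed value chosen for the example; the error rates and database sizes are the ones the comment mentions.

```python
import math

def false_match_probability(fmr: float, n_enrolled: int) -> float:
    """P(at least one false match) = 1 - (1 - fmr)^N for a 1:N search.

    log1p/expm1 keep precision when fmr is tiny; a naive (1 - fmr) ** N
    loses digits because 1 - 1e-9 is barely distinguishable from 1.0.
    """
    if not 0.0 <= fmr < 1.0:
        raise ValueError("fmr must be in [0, 1)")
    if n_enrolled < 0:
        raise ValueError("n_enrolled must be non-negative")
    return -math.expm1(n_enrolled * math.log1p(-fmr))

def max_enrolled_for_target(fmr: float, target_p: float) -> int:
    """Largest database size N that keeps the 1:N false-match risk <= target_p."""
    if not (0.0 < fmr < 1.0 and 0.0 < target_p < 1.0):
        raise ValueError("fmr and target_p must be in (0, 1)")
    return math.floor(math.log1p(-target_p) / math.log1p(-fmr))

def required_fmr(n_enrolled: int, target_p: float) -> float:
    """Per-comparison false match rate needed to hold target_p at size N."""
    if n_enrolled < 1 or not 0.0 < target_p < 1.0:
        raise ValueError("need n_enrolled >= 1 and target_p in (0, 1)")
    return -math.expm1(math.log1p(-target_p) / n_enrolled)

if __name__ == "__main__":
    # Error rates from the comment: "one in a million" (best case) and
    # "one in a hundred" (typical). N = 1 is a 1:1 check against a single
    # claimed identity, shown for comparison (assumption of this example).
    for fmr in (1e-6, 1e-2):
        for n in (1, 1_000, 100_000, 1_000_000):
            p = false_match_probability(fmr, n)
            print(f"FMR={fmr:g}  N={n:>9,}  P(false match)={p:.4%}")
    # Assumed target for illustration: at most 1% false-match risk per search.
    print("max N at FMR 1e-6:", max_enrolled_for_target(1e-6, 0.01))
    print("FMR needed for N=1,000,000:", required_fmr(1_000_000, 0.01))
```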

A Finextra member 14 September, 2012, 05:03

I agree with Stephen and, in this context, find it a little strange that even the FBI which, surely, must have access to the same research, is actually begging the Senate for a mountain of money, to move to biometrics - specifically, face recognition - as an authentication technology. Seems to me that everyone is scraping the sides of the box in which they're thinking, trying to squeeze something new out of old and, largely, discredited technology. Fortunately for a few banks and other organisations, they've chosen to adopt an Australian authentication system, which is as near foolproof as is possible, given the compromise that has to be made between robustness and user-friendliness. If you can tell the difference between a zero and a one, and can match them to a word, which only exists in your head, then there will never be a false positive or negative, and the spy cameras, keyloggers and network snoopers will all fail. This is because you're entering different patterns of zeros and ones with each access, and don't need to refer to your bank for updates, passwords or encryption keys. There's a technical description of the algorithm at, and a working ATM which, unfortunately, is only giving out virtual cash :)

