Biometrics is Necessary, but Not Sufficient

News & Publications

By Denis Kalemberg, CEO and co-founder, Airome Technologies | CSA Editorial Sep 14, 2020

Signing financial transactions in digital banking channels has always been done under special supervision. It’s hardly surprising: authentication and payment document confirmation are often referred to as the cornerstones of digital banking. And now, given the massive interest in biometrics, banks are increasingly willing to test these technologies for transaction confirmation and signing. But is there more than meets the eye here?  What do we need to consider when implementing biometric solutions into digital banking channels? Let’s try to find out.

Biometrics is necessary

The very concept of biometrics is not at all new: this technology has been around for decades to provide identification or additional authentication. Previously, though, it was mostly about getting access to a local device (e.g. laptop or smartphone) or its data (e.g. digital signature keys). First biometric systems were based on fingerprint scanning alone, but facial and iris recognition came along soon after. The key advantage here is two-factor authentication. Users need to have both their device and the relevant biometric factor. However, there is a huge disadvantage: the user is “tied” to an end device. For example, if a user loses the smartphone used to access their banking accounts via FaceID, biometrics does nothing to help them restore that access. They will have to go through a rather cumbersome procedure and enter lots of data, which could be intercepted by scammers via technical or social engineering attacks.

This is why biometrics only broke through to a mass market in the past few years. Now, almost every smartphone has a high-resolution camera to make high-quality face images and send them over to a server for verification. No more ties to a specific device.

You might say that biometrics became a mandatory additional factor to authenticate high-risk user transactions: atypical payments, registering a new mobile device, and updating digital signature keys.

While there are success stories related to biometrics implementation, the market’s expectations of the technology, especially its capability to serve as a full-fledged security solution, are set a bit too high. The biggest danger is confusing biometric and cryptographic technologies, their objectives and application scope, which happens more often than we’d like. Obviously, we are about to witness a number of severe security incidents, like thefts of funds from banking accounts or private data leaks caused by incorrect implementation of biometric technologies into banking and other information systems. So what’s the problem?

Biometrics is not sufficient

More and more often we see attempts to use a biometric face/iris scan, with further verification on the back end, as a digital signature. This poses significant risks. First of all, this set of data is in no way tied to the signed document. Hence, a user could potentially dispute a considerable part of the transaction, e.g. the recipient details in a payment order or the borrowing amount in a loan agreement. This won’t necessarily be so-called “friendly fraud”, when users abuse the loopholes in the service. For many years, cyber attackers have been using “autofill” to replace the details of payment documents without the customer noticing. There are legal precedents where banks, under similar circumstances, had to compensate such losses at their own expense.

As we discussed above, biometrics is a sort of an “additional” authentication factor. When used to confirm transactions or digital documents, it only “adds” to a cryptographic signature. However, biometrics alone cannot confirm integrity and authorship of the document. In no case should it be the only factor!

Thus, given the current trends — advancement of digital banking, increased scammer activity, dynamic biometrics development, and growing interest in the technology among banks — let’s formulate the maxim for digital transaction confirmation: “biometrics is necessary, but not sufficient”.

So, biometrics helps confirm that a transaction is being performed by a certain user. Later, however, it won’t be possible to prove any of the transaction’s details. Let’s imagine that a customer signed a loan agreement using their “face”. What was the amount of that loan: 100 dollars or 100,000 dollars? Or, what was the interest rate: 5% or 25%? Biometrics won’t answer these questions. But cryptography — a fully featured digital signature of a transaction or a document — will. It’s a security service that assures integrity and authorship. Let’s act on our maxim that “biometrics is necessary, but not sufficient” and use the technology appropriately. Agreed?