The use of biometrics is increasing. We use our faces and our fingers all the time to open phones and complete transactions. But, there are risks associated with sharing the data that makes us, us. Here's an exploration of the convenience biometrics bring, and the care that needs to be taken.
What are biometrics?
Biometrics refers to any physical characteristic or characteristics of an individual. When we talk about biometrics we tend to mean face recognition, fingerprints and so on.But actually, it extends into the realms of DNA and even gait – the way people walk. The point is, it's a characteristic of a person that is unique to them and that can't be changed.
Biometrics is mostly a very exciting area of development for verifying or validating digital identities,but it can also be quite scary – especially when you think on the different ways they can be used or misused. On one hand, the idea that we can use biometrics to identify a person is intelligent, for example when doing KYC and customer onboarding.It makes things quick and simple for all involved, and it can be accurate,because it’s hard to impersonate you. This means trust can be built through the use of biometrics - the bank can trust you are who you say you are; therefore,you get access to the products you want.
However,there are other circumstances where identifying people through biometrics is questionable.Should your unique identifiers, the specific characteristics that make you,you, be spread all over the internet every time you want to buy something or usea website? Probably not…The more data that’s out there, the bigger the risk of losing it or having it stolen.
Responsible use of biometrics
The general public and financial institutions are naturally cautious about the use of biometrics in an identification process. There is potential for face recognition and similar technology to be misused, as Dave Birch pointed out in a recent PassFort podcast –
“I was reading a about a guy who is rich executive. He was in a restaurant and his daughter walked in with her new boyfriend. He surreptitiously took a picture of the new boyfriend and fed it through an online face recognition database he was connected with and in a couple of seconds it came back and recognised the guy from his social media pictures. He was someone working in hedge funds in Los Angeles. The executive was worried for his daughter; worried the boyfriend was a charlatan, but the point is - is that right? It probably isn't.”
When biometrics are used in a constrained way for a specific purpose, and with the consent of the individual, it can be very convenient for everyone. Which is clearly a different ball game from using biometrics to “check up on people”; taking photos surreptitiously to vet them without their consent.
Biometrics for KYC processes
Biometrics are now widely used in KYC processes and during onboarding to validate an individual’s identity. This can include so-called “liveness” tests which will verify a person’s face against their passport photo or another form of photographic ID.
Dave Birch again – “I recently signed up for Revolut, who I think use PassFort technology.In that example, the KYC process was actually, quick, easy and convenient. Youdo the picture, and you move your head around and the check is sorted. For most people, they don't actually really see that as a security technology. They see it more as a convenience technology, as with the face ID or fingerprint on a smartphone.”
For the purposes of completing KYC or onboarding, which people and institutions want to get done safety, biometrics can be a convenience technology. Biometric identification can be a “wow” moment for a lot of customers as it drives smoother and easier customer journeys, which have historically been manual and clunky.
Authentication vs. Identification
There is an important and distinct difference between the use of biometrics in identification vs. authentication.
When you buy something in the shops and open your Apple wallet with your face, that is authentication – not identification. The technology isn’t trying to use your biometric information to “identify” you, it is trying to verify you are the authenticated owner of that device and account.
Biometric authentication has lots of useful and convenient aspects to it. For example,instead of having to remember a pin number or password, which might be fairly easily lost or stolen, you can use your face or finger, which clearly you can’t ever forget, and you always tend to have with you!
Authentication is ironically fairly anonymous. The technology is asking, is this the right fingerprint recorded by the device? If the answer is yes, the device doesn’t care that it’s actually this specific John Smith's fingerprint, who lives in London and and and... Used for identification, then the biometrics will suddenly care that it’s the one and only John Smith. And it will place John at the point of purchase or as having been on the website, etc..
It’s a subtle, but important distinction to make.
Biometric identification in transactions needs to be managed much more carefully and in a regulated way according to Dave Birch. We’ve talked about its usefulness and convenience in onboarding and as part of KYC, but if identification is used more widely to complete transactions, such as logging into websites and purchasing goods, it becomes much more problematic, more intrusive and more risky.
Do we need to be personally identified in our transactions?
Being identified in our transactions certainly has never been the case previously, with the use of cash for example. Cash transactions are almost completely untraceable. We walk into the shop, hand over our money and walk out with the goods in a bag. It would take some serious detective work with CCTV and fingerprint dusting to trace we were there. So why should a digital purchase be any different? Why does the shop need to know that Jane Doe bought a Mars bar at 12.25pm?
The data might be interesting to companies trying to sell more confectionary. They can target Jane with ads to tempt her into buying more chocolate if they know her preferences. When she buys what etc., this bank of data can be really useful. Maybe not so much to Jane of course.
Purchases completed with biometric identifiers can essentially give too much away and put too much at stake - not least Jane's waistline.
Dave Birch, “Who I really am should not be part of a transaction. And the more you make people identify themselves in different places, the more identity theft you get, because there are more places that our identity can be stolen from.”
Handle with care
Used correctly for both identification and authentication, biometrics can create better customer journeys, online experiences, and consumer interactions along the way. They create convenience, can help meet regulatory requirements, and support risk management, but they need to be handled with care.
And again, according to Dave Bich, individuals actually need protecting in this regard, as we tend to tick the T&Cs and give too much away too freely. And, we don’t want to be giving away our identities and most personal information for the price of a Mars bar, do we?
Get in touch
PassFort is a SaaS RegTech provider that helps financial institutions manage anti-financial crime and compliance processes. We use automation to complete KYC and AML processes that deliver compliance efficiency and great customer experiences - no compromise.
Our platform can be integrated with more than 25 leading data providers, all through a single API. And, PassFort can be connected with existing back office systems to create a 360 degree customer view. Many of the data providers we partner with have biometric capabilities to aide your KYC process. Get in touch if you would like to talk through how to use them with care to create convenience for your customers and your team.