Biometrics and PIN: the future of authentication

Consumers are becoming more concerned about their privacy and security, and this has been exacerbated by recent high-profile data breaches, such as at TalkTalk[1] and, more recently, with Myspace.[2] This has led many to question whether traditional authentication methods, such as usernames and passwords, are still secure. In a recent survey, 80% of consumers preferred biometrics over usernames and passwords.[3]

Indeed, biometric authentication solutions have a lot of potential in the identification and verification of consumers. They can't be guessed like passwords, which are often simple words or even the word "password" itself, and are convenient, allowing you to log in by tapping your finger on a sensor. Biometrics are who you are, so you don't have to remember anything; this gives consumers greater login convenience and security. Biometrics are nothing new: we have been using fingerprints for over 100 years to identify criminals[4], while voice recognition software has been around since the 1950s.[5]

Now biometrics are used in everyday life, from unlocking our smartphones to voice recognition in our cars. However, when it comes to making payments, biometrics are better if used together with additional authentication methods for verifying transactions.

As biometrics operate on a "close enough" principle, they leave room for mistakes. A recent report has said that iris eye-scan biometrics can have a false non-match rate of up to 6%.[6]

However, as biometrics authenticate the user so quickly and conveniently, they can be combined with another authentication method such as a PIN, which increases reliability and adds another layer of security without harming the user experience.

Combining biometrics with PIN is the answer. A recent survey by VISA Europe indicated that, out of all non-biometric authentication methods, consumers had the greatest confidence in the security of PIN.[7]

Biometrics are well suited for low-value transactions where the convenience factor outweighs the possibility of fraud. With higher-value transactions, when the identity of the person has to be categorically verified in line with legal requirements, only the PIN can do that.

Neither biometrics nor PIN is adequate for strong, practical security on its own. Each has strengths and weaknesses, and real security requires multi-factor authentication, a combination of something you are, something you have and something you know.

[1] https://www.theguardian.com/business/2015/nov/06/nearly-157000-had-data-breached-in-talktalk-cyber-attack

[2] http://motherboard.vice.com/read/427-million-myspace-passwords-emails-data-breach

[3] http://www.planetbiometrics.com/article-details/i/4516/desc/survey-80-percent-see-biometrics-as-more-secure-than-passwords/

[4] http://www.biometricupdate.com/201501/history-of-biometrics

[5] http://www.pcworld.com/article/243060/speech_recognition_through_the_decades_how_we_ended_up_with_siri.html

[6] http://www.economist.com/node/2246191

[7] https://www.visaeurope.com/media/pdf/20146.pdf