Financial Biometrics Month: Evolving Multimodality in Mobile Banking

Today’s biometric banking arena is a multifaceted and complex space, especially when observed from the consumer touch-points. Branches, ATMs, call centers, online portals, and mobile apps all offer the biometric experience in terms of security and convenience, thanks to fingerprint, voice, vein pattern, iris, and behavioral recognition technologies. Indeed, as or the writing of this article, there are probably more biometric modalities available to banking customers than there are channels through which they can bank. But it wasn’t always this way.

The multimodal biometric banking landscape evolved to its impressive scope only in recent years. In fact, it was the mobile biometric revolution spurred on by Apple’s iPhone 5s announcement in 2013 that really kicked things off in terms of popularizing the concept of consumer-facing biometrics in the first place. A single modality used for access control – the fingerprint – was all it took to acclimatize mobile device owners to the concept of strong authentication. And it was in the wake of Touch ID that we began to see the initial testing of biometric login on banking apps.

The Power of Choice

Facial recognition and voice became early champions in mobile banking thanks to success stories like that of USAA’s deployment of Daon’s Identity X biometric platform. The contactless nature of those two modalities set a precedent for convenience, and the software-based nature emphasized the importance of accessibility, but a crucial aspect to the dual-factor nature of such deployments set perhaps the most important precedent: choice.

As people banked with biometrics from their mobile phones, it became clear that some preferred face over voice when it came to convenience and discretion, while the option to combine the two modalities added a scalability to the security when needed. Now, the Daon deployment mentioned above also supports fingerprint recognition, broadening that choice even further, and some banks have even embraced iris recognition, which is becoming increasingly popular on consumer handsets.

While choice is important to the consumer experience, security is also tantamount in banking applications. Thankfully, where there is choice, there is scalability. A massive benefits to having multimodal biometric smartphones is that multimodality can be used to engineer multi-factor security. However secure a face scan is, it is orders of magnitude stronger when combined with finger, iris, voice, or all three.

Scalable and Flexible Power

A four-factor biometric login might seem like overkill, especially in a mobile banking scenario, but recent developments in Korea have highlighted the importance of having the option to scale-up biometric security. Reports show that Korean banks are refusing to allow for Face ID – the 3D facial recognition feature on the iPhone X – to be used for mobile authentication on their apps.

If this was a Samsung Galaxy S8 we were talking about, a user wouldn’t have to worry. The facial recognition on the S8 is admittedly terrible and not ready for authentication use, but the device has iris and fingerprint biometrics that can be leveraged for authentication instead. The iPhone X, on the other hand, is famously single-modal when it comes to built-in biometrics, and so unless a bank is supplying the biometry, early adopting Apple users are out of luck, at least with the Korean banks in question. If the iPhone X had at least retained Touch ID fingerprint biometrics from previous generations, users could either fall back on the more traditional and trusted modality or rely on a bolstered two-factor biometric login.

Multimodal biometrics are scaling-up the mobile banking process in less overt ways too; ways that allow for continuous biometric authentication even after log in. And that’s a good thing, especially considering that experts say the vast majority of fraud occurs in authenticated sessions.

Mega-Multimodality

Behavioral biometrics – a modality made of micro-modalities – are being coupled with biometric login in order to ensure that even someone acting with your authenticated device can’t get far into your bank accounts without actually being you. The most recent high-profile example of such a mega-multimodal solution is Nexsign from Samsung SDS – which recently bolstered its FIDO Certified login with continuous behavioral authentication from BioCatch.

“Almost all fraud today comes from within authenticated sessions, prompted by malware, social engineering and other sophisticated attacks that circumvent the login method entirely. Our experience shows that cybercriminals are able to usurp the initial login authentication – whether a PIN, password, token, or physical biometric – and the only way to combat this without disrupting the user experience in a mobile session is to implement continuous and passive authentication with behavioral biometrics,” said BioCatch VP Frances Zelazny, speaking to FindBiometrics during Money20/20.

“While physical biometrics is a good way to do this at login, behavioral biometrics is the perfect complement to provide continuous authentication without asking users to constantly re-authenticate themselves,” she said. “It is imperative that we constantly authenticate users in a way that isn’t annoying to the consumer.”

There are those who believe that the comprehensive nature of behavioral biometrics can fully replace logins, though many experts suggest that at least some friction must be present in a transaction for a customer to feel safe – sort of as token proof to the user that security is actually present. With biometrics, that minimal friction can be more than a placebo, fully protecting your bank account with all the power and choice of highly evolved multimodality.