Biometric identification in financial applications is a relatively young and experimental business.
In this conservative industry, where security flaws can lead directly to major branding and monetary implications, the smart tradition is to stick to the proven old methods.
However, August and September of 2014 were particularly eventful in the mass market biometrics space, and there is now a new hardware infrastructure that forces financial institutions to create another wave of experiments with user experience.
The biggest developments are related to the fingerprint scanners built into Apple and Samsung smartphones. Apple’s Touch ID has been available for a year now, but was only used for unlocking screens. With the launch of the new iPhone, Apple has essentially endorsed Touch ID to replace the traditional PIN code for payment cards via Apple Pay.
More importantly, Apple has now also given third-party developers access to the Touch ID application programming interface (API), enabling integration of its biometric identification method into iOS apps.
Given the scale of the iPhone’s deployment worldwide, a number of financial institutions reacted within weeks, including the US branchless bank Simple and Australia’s Bank of Melbourne. Samsung also introduced its fingerprint scanner earlier this year. In the past few weeks two major wallet operators – PayPal and Alipay – have upgraded their apps to allow users to sign in and authorise payments by swiping their finger.
While both wallets offer wide acceptance by ecommerce merchants, PayPal offers the same experience for in-store transactions. These financial institutions are the first to bet that the security level offered by mass market fingerprint scanners is at least as good as that of a PIN code or a password. If this is the case, they win by offering a significantly improved user experience to their customers at no extra cost.
“While improving authorisation experience is attractive and will help adoption of mobile banking services, financial institutions should not just blindly commit to mass market biometric identification solutions, especially those provided by third parties via publicly-available APIs,” says Andrei Charniauski, research manager at IDC Financial Insights.
“It is going to take several years for the financial industry to assess safety levels. Until then, the best approach is to use two-factor authentication in mobile applications. In order to maximise user experience, it would be appropriate to introduce biometrics only for the initial sign in and access to the information area that offers account overview, transaction statements and branch or ATM locators.
“However, for the transaction part of the mobile application – including account transfers, bill payments and other sensitive functions such as payment card PIN change – financial institutions should double-up by retaining the traditional password.”

