Biometrics also can be used for employee authentication. In these applications, solutions enhance productivity and security. Applica- tions include logical access for networks, shared workstations, call centers and remote applications. Biometrics also can be used for transaction verification in applications including working with cus- tomer records and processing approvals. Finally, biometrics authen- tication is ideal for controlling physical access to ATMs, branches and safe boxes. Citibank is already using fingerprint biometrics for employee logon to ease password frustrations, which also enhances the customer impression that security is taken seriously.
There are many choices of biometric modalities, from face, iris and vein to voice and either conventional or multispectral fingerprint. Choosing between these and other options requires an evaluation of their comparative ease of use, ability to detect fakes, interoperability, and—if needed—the modality’s availability for mobile applications. Fingerprint is one of the most popular modalities, with Yole Dével- oppement forecasting that demand in consumer applications will push total volume shipments 19 percent through 2022 to $4.7 billion.
Realizing the Full Benefits of Fingerprint Biometrics
The most effective deployment of any biometric modality requires the right capabilities for image capture, liveness detection, and reli- able template matching. A recent study by the research firm Novetta describes a new way to evaluate fingerprint technologies in user-fo- cused commercial applications like banking, where security-focused biometric performance criteria have traditionally been used to certify, rank, and differentiate between fingerprint technologies. More im- portant for these public-facing applications are ease of use, availabil- ity, and convenience, which depend on three key issues: the quality of the biometric data that is captured, the use of liveness detection to enhance trust, and the level of matching performance and interoper- ability across different devices.
Image is everything in any biometric. Bad images lead to bad deci- sions. Many customers choose sensors that use multispectral imaging because it collects information about the sub-surface fingerprint in order to augment available surface fingerprint data. The skin is il- luminated at different depths to deliver much richer data about the surface and sub-surface features of the fingerprint. Additionally, the sensor is able to collect data from the finger even if the skin has poor contact with the sensor because of environmental conditions or fin- ger contamination. Multispectral sensors also have an uncoated glass
platen that resists damage from harsh cleaning products.
Equally important is liveness detection, or the ability to detect fake fingerprints. This capability influences both security and privacy pro- tection. Security is sensor-dependent, with some modalities more resis- tant to spoofs than others. The most resistant sensors facilitate a real- time determination that the biometric characteristics presented are genuine and are being presented by the legitimate owner, rather than someone impersonating them. This requires the use of advanced ma- chine learning algorithms so that the solution can adapt and respond to new threats and spoofs as they are identified. With this technology in place, privacy is also protected – if you can’t use a fake finger, then even if you did obtain someone’s fingerprint data, it is meaningless. Furthermore, if the data is useless, why would fraudsters try to capture it? Strong and updatable liveness protection is absolutely critical if
biometrics are to eliminate the need to use PINs or passwords. Systems must be implemented correctly with regards to data, en- cryption and the overall system architecture, with requirements de- pendent on multiple factors. For example, where does the biometric template reside? How and where is enrolment performed? Will the authentication point be fixed or must it be mobile? There are sev- eral backend implementation choices to consider, including match on ATM PC, match on phone, match on sensor and match on server. Each has its own pros and cons and the additional option of encrypt-
ing with tamper resistance.
For instance, the match-on-phone approach offers the advantages
of a simplified backend. The user chooses the biometrics modality, is trained to use it, and controls the template. The phone’s biometric sensor does it all—captures the fingerprint, checks liveness, and gen- erates the template. But, as mentioned earlier, “cons” include varying degrees of spoof protection, if it is even available. Plus, there is a con- solidation of all authentication channels in one device that is beyond the control of the bank.
In comparison, by using a fingerprint sensor located on the ATM, banks can choose to do match-on-ATM, match-in-sensor, or match on a bank’s secure servers with an encrypted channel and tamper pro- tection that is extremely secure and trusted, similar to the encrypted pin pad or EPP in use today. The fingerprint sensor in the ATM is responsible for capture, liveness checking and live template genera- tion. There is central administration of enrolment templates that are held on the bank’s secure servers. If that match is done on the ATM PC or in the sensor itself, the template is only sent once, even if the user retries the process. This reduces network traffic. Cryptography prevents any man-in-the-middle attacks and also protects the biomet- ric database.
Using multispectral fingerprint biometrics located on the ATM is particularly popular, especially in South America. It is used for fingerprint authentication at the ATM and can be deployed in PIN- replacement or cardless implementations. In Brazil, this approach is responsible for 4 billion transactions a year at over 85,000 ATMs. Five of the six largest banks in Brazil use this approach.
Biometrics solutions are becoming increasingly important across all banking channels. Convenience can be as valuable as fraud reduc- tion, but there is no silver bullet and customers need choice. Pilots must be large for institutions to understand the true performance of the planned biometrics solution. Ultimately, picking a biometric sen- sor designed for the task and a proper implementation will mean the difference between success and failure. Imple-
mented correctly, today’s solutions enable insti-
tutions to fight financial fraud without forfeiting
convenience, and deliver security while preserv-
ing trust in transactions.
Bill Spence is the global vice president of sales, United States and Western Europe, Biometrics, at HID Global.
24
0817 | SECURITY TODAY
BANKING SECURITY