Quite a few news stories and blog posts have appeared this month covering Visa’s recent survey on consumer awareness of biometric technology and their perceptions of it. The key headline: “Consumers are ready to say goodbye to passwords”. This is not likely to happen soon, but it is the direction we are heading.
Most people today understand how weak passwords are as a security factor (something you know). And at VBG, stories that advocate the use of biometrics are of course music to our ears. So, this month we wanted to call attention to VISA's findings. Click here for the original press release.
Buried in the press release is a link to the publicly released findings. If you want to skip the press release, click here for the complete presentation.
There is a lot of good information in the presentation. Of everything covered, we feel it is particularly important to discuss the finding on Page 6, “Top concerns of using biometric authentication for payments”. Many of these concerns highlight public misperceptions about biometric technology, and particularly differences between different forms of biometrics.
VBG and other vendors clearly have a long way to go toward educating consumers about the benefits and risks of using voice biometrics. So, here is our take …
Concern 1 - The risk of a security leak of sensitive information – e.g., you can’t change your fingerprint if it is compromised. Some biometrics, like fingerprint, retina, and facial recognition systems do work this way. Essentially, an image is taken from a local sensor and transmitted to a system which contains one or more stored images for comparison. For example, if you can get someone’s fingerprint and place it on the sensor so that it maintains integrity, you can possibly beat the system.
This is a valid concern for these types of biometrics. However, newer sensors also attempt to measure heat, sweat, and other characteristics that living human beings have – and that a Playdoh fingerprint or photograph wouldn’t have. But, not all such systems have these advanced sensors, so this concern remains valid for now.
On the other hand, voice biometric systems work by transmitting speech samples (typically as WAV files) at the source to a system which them distills unique vocal characteristics from them and compares them to a stored voiceprint. Voiceprints, even if stolen, cannot be directly re-used – you don’t submit a voiceprint to a voice biometric system, you simply talk. So, this concern doesn’t really apply to voice biometrics, which is a key advantage over other common biometrics.
Concern 2 - Biometric authentication won’t work well/will take multiple tries. All security systems have their limits and don’t work perfectly. Password-based systems can be very frustrating if you forget your password and need to reset it. The same is true when you forget the exact answer to a secret question. Computer-related security by its very nature carries some level of inconvenience, and all forms of biometrics are no exception. The key for biometrics is to use the appropriate system for the usage environment, so that inconvenience to end users is minimized.
Voice biometrics for example won’t work well in the middle of a rock concert – fingerprint biometrics would be a far better choice. On the other hand, if you are calling your credit card company, voice biometrics is a great technology, far better than any other readily-available biometric.
Concern 3 - The cost of owning a device that allows for biometric authentication. This concern clearly points out the continued need by biometric security vendors to educate consumers (if this is their target market). Relative to cost, fingerprint sensors tend to be very inexpensive and are embedded in many laptop computers, tablets, and smartphones. Facial recognition software is also available in many of these same devices.
Of course, the argument that you need to own a high-end smartphone (some are $1000 USD now) or need to purchase a nice video camera is valid. Older flip phones, mid-tier smartphones, etc. don’t include these devices – or if they do, they tend not to be very reliable.
Voice biometrics can work with ANY source of audio, and since everyone owns at least some form of telephone, there is no incremental cost for using this technology. Rotary phones (remember them), old cell phones, PC microphones, etc. all work with voice biometrics.
Concern 4 – Privacy - worry that a bank or store has sensitive personal information about me. Of all the concerns listed, this is by far the most valid and relevant for everyone – not just consumers or commercial users of biometric technology. Clearly some people have a “big brother” concern, where they don’t want any company storing any personal information about them. They don’t trust the company to handle their personal information, or wish to remain anonymous, etc. Many clauses of the upcoming General Data Protection Regulation (GDPR) in the EU are designed to provide individuals with “rights” and “control” over who has their data, how it is being used, etc.
The other concern, and why consumers have it, is the regular stream of news stories about massive data breaches in large companies such as Equifax and Yahoo. Tens of millions of people having their personal data, credit card information, and other private facts made available is extremely negative and can cause individuals significant amount of time and money to rectify.
Unfortunately, we live in a world where data we all consider to be personal is being tracked and stored by many different companies for commercial and other purposes. The best thing we can do is understand that it is happening, and make sure that companies who are handling our personal information are taking ALL conceivable precautions to protect it. Note that VBG is making extensive investments to protect the data of our clients, and data security will surely be the topic of many future articles.
Concern 5 – Discomfort using biometric authentication in public. People have been expressing concerns about using biometric technology in public for years. However, these concerns tend to be limited to two situations: (1) with voice biometrics, it may be embarrassing to speak a private passphrase with others around, and (2) with contact sensors like fingerprint readers, people don’t want to share them. There is an "ick factor". Imagine having to use a shared fingerprint reader after someone who just sneezed.
Advances in voice biometric technology are now able to leverage conversations, so it is hard to argue how talking on a phone can be uncomfortable. Also consider facial recognition, as these use cases are no different than taking a “selfie”. Other sensors can read biometric information in public with no one knowing it, such as bracelets that sense heart rates, sweat, etc.
Biometric technology vendors have been listening to these types of concerns for years now. And the good news is, they are doing something about it.
Concern 6 – Not having one standardized form of biometric authentication. As described above, biometric technology and sensors are making their use easier and less obtrusive. The process of enrollment is becoming more and more “passive”, so the issue about everyone having a different way to do things – should be less and less relevant over time.
Closing Comments. The concerns expressed in the VISA survey about the use of biometric technology are valid, but end users are being heard by vendors and many of these concerns have been greatly minimized – or will be in the very near future.
The best news for all of us however, is that consumers understand the benefits of biometrics and are beginning to warm up to using these technologies. Perhaps in the not-too-distant future, we’ll truly not need passwords any more. Wouldn’t that be nice?
Peter is an avid reader, particularly of high-tech topics. These articles express his opinion only, but he hopes you enjoy them!
Other Related Articles You May Enjoy
Click on any article title to read ...