The Customer Effect
Facial biometrics in banking still face security hurdles, say analysts
- Face ID will allow users to unlock the iPhone X with their face, and this could be extended to mobile banking apps.
- Banks are encouraged by the possibilities Face ID offers for mobile banking, but are adopting a wait-and-see approach while use cases are tested.
The key to unlocking one's financial life will soon be your face, if Apple and the banks have their way. But beyond the hype, there are some security considerations that still need to be worked out. So far, industry watchers have set high a high bar on how Face ID on the iPhone X could change mobile banking, with the ability unlock the phone through face verification and the extension of that capability to third-party apps. The possibility of using a "face print" instead of a password could be a convenient and seamless way a customer can authenticate a mobile banking app. But it's still not a completely secure gateway to a customer's financial information, analysts say. "We see the Face ID technology as a good step forward in [mobile] biometric identification," said Brian Ziff-Levine, senior director of payments strategy and support at First Tech Credit Union, which has taken a lead among credit unions on the use of facial recognition technology with payments. "We will wait to see whether the security claims Apple is making will withstand real-world conditions." So while a face recognition feature may be more trusted by banks than old-fashioned passwords, Ziff-Levine still said he is still cautious. One scenario that worries Frank Gillett, vice president and principal analyst at Forrester Research, is when a thief accesses a phone and registers their face. "When you set up Face ID, how does Apple and the bank know it's your face, and not a bad guy's face pretending to be you?" said Frank Gillett, vice president and principal analyst at Forrester Research. The face scan is saved on the iPhone X's secure enclave hardware chip, but the bank doesn't doesn't store a copy of the customer's face to match it. While Face ID is a convenience feature, to go mainstream, there would need to be less false accepts and rejects, said Andras Cser, vice president and principal analyst for security and risk management at Forrester. (Apple said yesterday that the chance that someone else could fool Face ID is one in a million.) Cser added that the secure enclave has to be "hardened," especially given recent news of a hack. Still, some industry players say the benefits outweigh the risks. Despite the security concerns, ATM manufacturer Diebold Nixdorf is optimistic on possibilities for the technology, and that the security concerns could be countered by requiring additional authentification methods for higher-value transactions. "Just because we're talking about facial recognition as part of the iPhone announcement, it's not the only method of authentification that can be used," said Douglas Hartung, senior director of global software innovation at Diebold Nixdorf. "For example, you could make a decision as a risk officer that you're going to use face recognition capabilities on the device for withdrawals and payments below 200 dollars, but if you want to transfer 2000 dollars, [the bank] could push a notification to the device and you could use voice authentication in addition to face recognition for that kind of transaction." The big banks aren't saying much, other than the fact that they're watching the developments with interest. Michelle Moore, head of digital banking at Bank of America, told Tearsheet that the bank is always testing new forms of authentication for the safety and security of customers, but wouldn't comment specifically on Face ID. While the security concerns could delay the onset of mobile banking powered by facial recognition, increased demand for the service could accelerate a mass rollout. "With the popularity of Touch ID, already used more than 80 times a day [per person] on average, we believe consumers will drive the speedy adoption of Face ID," said George Avetisov, CEO of Hypr. Photo courtesy of Apple