The future of identity and authentication – a bank perspective


Connectivity is changing the world and the way we interact with one another. Last year, figures showed that the global population owned around 6 billion connected devices, approaching one for each of the 7 billion people on the planet.

Future of biometric payment

Even more remarkably, some estimates suggest this figure will rise to 20 billion by 2020, outstripping population growth and equating to roughly two devices for every person in the world by the end of the decade, writes Nick Kerigan, Managing Director of Future Payments at Barclaycard.

This growth is partly due to consumers increasingly owning multiple gadgets, moving from just one household computer to a laptop, tablet and phone per family member.

A second factor is also pushing up the figures. The term “connected devices” now encompasses far more than just mobiles, tablets and computers. More and more household objects, for example cars, washing machines and fridges, are being transformed into connected devices through the Internet of Things (IoT).

But what does this increased connectivity mean for identity and authentication, particularly in a payments context?

Future of Identity

The way we identify and authenticate customers in a banking and payments context needs to keep pace with the growing emphasis consumers place on connectivity – the more devices they have, the more important it becomes to keep their data safe.

In the payments space, to a large extent we still exist in a world of paper, passwords and PINs. But we increasingly see that these measures alone won’t be enough to keep up with the changing techniques of cybercriminals and fraudsters. Instead, we need to find quicker, more accurate ways to ensure only the right person can make payments or access an account.

As a result of the growing threat of cybercrime, new legislation in the form of the Second Payment Services Directive (PSD2) is being implemented to help provide consumers with an additional layer of security.

The PSD2 outlines that strong authentication should use at least two of three elements of identity: knowledge (something only the user knows, for example a password), possession (something only the user possesses, such as their mobile device) and inherence (something that the user is, such as their fingerprint).

In the future, it is likely that we’ll move away from actively being asked to prove our identities to log into an account. New technology will focus on the inherence and possession elements to recognise customers, seamlessly making use of biometrics – such as retina scanning or facial recognition.

Multi-layer Security

Although biometrics can be a more secure method of identification, they are not foolproof and therefore are by no means the whole solution. Fingerprints can be captured and facial recognition software can be tricked by masks – or even Facebook photos – of someone’s face.

There is also the issue of how to ensure the security of biometrics; unlike a password, you can’t reset your fingerprint, should your data be hacked. The risk therefore moves from the point of identification to the point of storage.

The Risk Based Approach

Given the limitations of biometrics, we should see them as a tool that takes us towards a bigger prize: Risk-Based Continuous Authentication (RBCA). This approach draws on the data sources we already have – including biometrics – to risk-score the customer. In practice, this means that individuals can be identified continuously by their location and activity through every interaction they make with any given device.

This will then enable payment companies to assess whether a person is who they say they are at any given time, and offer greater flexibility than the traditionally static, one-size-fits-all approach to authentication.

Win-Win Innovation

There are many challenges to overcome before connectivity can truly transform identification. First, a shift in perception is needed to secure consent to source, store and use new forms of data on customer behaviour and biometrics. Second, even new authentication tools will have to keep pace with the new places and ways that customers are seeking to pay, for example as innovations such as Amazon Echo or Facebook Messenger become more mainstream.

It may take five to ten years for these challenges to be solved and the RBCA approach to become the norm; but there are various players who are already innovating in this space.

For example, Zighra, a mobile security start-up which completed the Barclays Accelerator programme, uses cognitive analytics to recognise a user based on their habits and interaction patterns, such as the way they hold their phone. This means another, invisible layer of security can be added to mobile authentication, without the need for PINs, passwords or other biometrics.

We are also working with the biometric authentication firm BioCatch to improve the Barclays online banking platform. BioCatch helps us build a profile of customer interactions – how they move their mouse, for instance – that yields genuinely new insights.

For example, we can now spot a fraudster attempting an unauthorised transaction on a customer’s account even when it is a payment to an existing recipient for the same amount the customer has paid before. Conversely, when we see the customer’s normal pattern of behaviour, we can let through a transaction which might otherwise have been referred for review – say a larger one-off payment for a holiday.
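As an added illustration (not code from Barclaycard, BioCatch or Zighra), the following Python sketch shows how the risk-based scoring described above can fold a behavioural-biometric match into a transaction decision, so that a familiar-looking payment with alien behaviour is referred while a larger one-off payment with the customer's own habits is allowed, and how the PSD2 two-of-three rule from the earlier section can be checked when a step-up is needed. The weights, thresholds, sample profile and the `behaviour_match` input are assumptions.

```python
from dataclasses import dataclass

# PSD2 factor categories: strong authentication needs two of the three.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

def is_strong_authentication(factors):
    """True when the factors span at least two distinct PSD2 categories.
    Two passwords are both 'knowledge', so they do not count as strong."""
    return len({category for category, _ in factors}) >= 2

@dataclass
class CustomerProfile:
    known_recipients: set      # payees the customer has paid before
    typical_max_amount: float  # largest amount the customer normally sends
    known_devices: set         # possession element: devices seen before
    usual_countries: set       # where the customer normally transacts

@dataclass
class Interaction:
    recipient: str
    amount: float
    device_id: str
    country: str
    behaviour_match: float  # 0..1 similarity of mouse/touch habits to the
                            # customer's profile (assumed model output)

def risk_score(profile, ix):
    """Continuous risk in [0, 1]; higher means less likely to be the customer."""
    score = 0.5 * (1.0 - ix.behaviour_match)  # behaviour is the strongest signal
    score += 0.2 if ix.device_id not in profile.known_devices else 0.0
    score += 0.15 if ix.country not in profile.usual_countries else 0.0
    score += 0.1 if ix.recipient not in profile.known_recipients else 0.0
    score += 0.1 if ix.amount > profile.typical_max_amount else 0.0
    return min(score, 1.0)

def decide(profile, ix, allow_below=0.25, refer_above=0.6):
    """Low risk flows through; mid risk gets a PSD2 step-up; high risk is referred."""
    score = risk_score(profile, ix)
    if score < allow_below:
        return "allow"
    return "refer" if score > refer_above else "step-up"

# Constructed sample data, not real customer records.
PROFILE = CustomerProfile({"landlord"}, 1200.0, {"laptop-1"}, {"GB"})
# Known payee and familiar amount, but unfamiliar device and alien behaviour.
FRAUD_ATTEMPT = Interaction("landlord", 1200.0, "pc-unknown", "GB", 0.1)
# New payee and larger one-off amount, but the customer's own device and habits.
HOLIDAY_PAYMENT = Interaction("travel-agent", 3000.0, "laptop-1", "GB", 0.95)
```

A "step-up" decision is where the bank would fall back to asking for factors that satisfy `is_strong_authentication`, rather than trusting the continuous signals alone.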

This is a ‘win-win’ situation; it provides a better customer experience while also helping to reduce fraud levels. And along with these developments, it’s likely that we’ll see machine learning and artificial intelligence bring greater speed and accuracy to the identification process.

In summary, I see risk-based continuous authentication as where we are headed, enabling you, as a customer, to be easily identified – without having to identify yourself. But whatever the future may bring, it is imperative that we make identity and authentication fit for purpose in a connected world.