Written by Chamber Member FACEPHI BEYOND BIOMETRICS LIMITED
Your Phone’s Face ID May Not Be As Safe As You Think
Biometric features such as facial recognition scans and fingerprint sensors have revolutionised smartphones, making them powerful tools for efficient authentication. With a simple glance or touch, your phone can be unlocked, transactions authorised, and much more – all without the need for cumbersome PINs or passwords.
But while this novel technology offers impressive functionality and a higher security level than some traditional authorisation methods, it may not be as secure as generally presumed.
The Verdict of the EBA
Strong Customer Authentication (SCA) is a crucial security protocol created to combat payment fraud. It necessitates the use of at least two of the following elements: something you know (like a password), something you have (like a phone), and something you are (like a fingerprint).
In its recent guidance regarding how SCA should be applied to digital wallets, the European Banking Authority (EBA) made it clear that using biometrics to unlock a phone should not be considered a valid SCA element (if that biometric data is not controlled by the financial institution). Essentially, device biometrics, such as Apple Pay’s Face ID, don’t offer substantial protection against fraud.
Device Biometrics vs Biometric Identity Verification Solutions
Device biometrics, like Apple’s Face ID, are exclusively stored on the user’s device. They serve to unlock a password container and send the saved password to the remote server. This, however, does not verify the user’s identity. The remote server merely confirms the correctness of the password.
This method could potentially lead to serious security flaws, especially if multiple users register their biometrics on the same device and resort to PIN codes when the biometric fails, thereby enabling unauthorised access to personal accounts.
For example, consider a common situation where an iPad is shared amongst friends. Each person’s biometrics are registered on the device, and they all know the same entry passcode. Here, bypassing another friend’s Apple Pay facial scan by simply entering the shared PIN code would be quite easy.
Therefore, any application that uses device biometrics for security, like a mobile banking app or Apple Pay, is only as secure as its weakest method of authentication: a simple PIN code.
In contrast, biometric identity verification solutions capture, encrypt, and transmit biometric credentials to a remote server. There, liveness tests and authentication confirm that the person in front of the camera is the same person who enrolled with the account. Until the user’s identity is verified, they cannot gain access.
Even if device biometrics, PIN codes, or the entire device are compromised, remote identity verification technology can protect the account and provide secure access to the legitimate customer.
Biometric Identity Verification Solutions for Greater Peace of Mind
Using a robust biometric identity verification solution with passive liveness technology for payment authentication is highly recommended over mobile device biometrics. This method offers enhanced security and protection against fraudulent activities.
Implementing biometric identity verification solutions can help businesses ensure their customers’ identities are reliably verified and protected. This brings peace of mind to both the business and its customers.
For more information on secure biometric identity authentication, please visit www.facephi.com