6 Things You May Not Know About Biometrics
Biometrics hold significant promise and are likely the future of identification and identity verification. However, as noted in a previous blog post, “The Biometric Balancing Act in Digital Finance,” biometrics are a complex and evolving family of technologies. It is important that we understand their strengths, limitations and appropriate applications if we are going to make the best use of them to advance financial inclusion. Biometrics are extremely complex technologies. When they are implemented badly, it is not always obvious, leading to loopholes that can be exploited to facilitate fraud. Here are six things you should know about biometrics.
A fingerprint biometric is not the same as a fingerprint
A biometric is not the same as the thing it represents. A fingerprint biometric is a representation of multiple points on the fingerprint, and the relative positions of those points. The same basic principle applies to all biometrics, and biometrics vary in quality. A biometric comprising 20 or more points would be viewed as good quality, whereas one with just four or five would be viewed as inadequate. When a biometric is stored, it is referred to as a biometric profile of a person. Since a profile approximates a fingerprint, it follows that the same biometric can be generated for different people. When someone successfully matches against someone else’s profile, this is referred to as a false positive.
Financial services providers can use biometrics for both customer enrollment and authentication
When someone’s biometrics are captured, it is either for identification — when a financial services provider (FSP) onboards a customer — or for authentication — when a customer wants to access a service. These are two very different use cases, as the following two points illustrate.
Before you can identify someone using a biometric, you need a national biometrics database
It is difficult to identify a person (and verify that his or her identity is distinct from everyone else’s) by capturing biometrics. This can be done only if there is a centralized database of biometric profiles against which the captured biometric can be compared (this is referred to as “1:N” matching). Consequently, unless there is a national database of biometrics available for customer onboarding, using biometrics for unique identification is impossible.
Even where there is a suitable database, the biometric technology is often not yet reliable enough to support identification. When British police used it to try to identify “persons of interest” in crowds, it generated a staggering false positive rate in excess of 90 percent and needed extensive human intervention. This happened with a biometric profile database that is considerably smaller than the entire British population of 65 million. Of course, the percentage of false positives rises rapidly when the quality of captured biometrics is low, so a false positive is much more likely if only five points are captured than if 20 are captured.
Biometric authentication is more straightforward than identification
Authentication, confirming a person against a pre-established identity for the sake of accessing a service, is considerably more straightforward and reliable than identification. Instead of trying to match a person against an entire population, authentication compares a newly captured biometric with one previously captured and stored for the same person. If they match with a high degree of confidence, the identity of the person can be said to have been authenticated (this is referred to as “1:1” matching).
Of course, authentication requires access to an original biometric for comparison. This is often the purpose of a national identity card, which either points to the biometric profile to be used for comparison or holds the profile itself. This is also the mechanism used for e-passport holder authentication.
Service providers who want to use a biometric national identity service for ongoing authentication often create a “derived identity”
When an FSP is onboarding a customer, it might try to identify the customer using a biometric national identity service, if such a service exists. This entails capturing the prospective customer’s biometric profile and comparing it with the biometric held on that same person (1:1 matching) by the national identity service. If there is a match, the service might release some additional attributes for that customer, which can be used to conduct customer due diligence.
After completing this process, the FSP might issue a digital identity derived from the national identity that the customer can use, for example, in digital banking. This might include a biometric profile to be used by customers to authenticate themselves when they log on to their bank’s services. In each case, the FSP undertakes 1:1 biometric matching; no 1:N matching is even attempted.
No single biometric will work for everybody
The type of biometric used by an FSP should suit its customer base. For example, fingerprints are notoriously unreliable if most people being registered for a financial service are manual workers, live in a dusty environment, smoke or are over 50. Voice is difficult to use with mobile phones because cheap phones tend to have poor microphones, which may not capture the full vocal range or overlay a hiss.
In addition to physical factors, personal and cultural sensitivities can also affect the usability of some biometrics. The various vein biometrics that require you to, for example, place your finger in a tube, tend to be unpopular. Iris biometrics are disliked because people are quite reasonably sensitive about their eyes.
Therefore, a service that relies on biometrics should not necessarily use just one biometric. Rather, an approach like that taken by Aadhaar in India might be more appropriate. During Aadhaar registration, all 10 fingerprints are captured along with both irises. To make the service usable by everyone, facial biometrics are also being captured now.
Biometrics can be a powerful set of technologies when delivering services in an environment where identity fraud is likely or a significant proportion of the population is illiterate or innumerate. Although biometrics are not straightforward to use, a greater understanding of their mode of operation, strengths and limitations will greatly enhance their effectiveness.
a biometrics verification based payment system could be very risky without having a system of continued monitoring, evaluation and course correction. a poor authentication system could lead towards large scale embezzlements and frauds. the Programme that I am affiliated with has witnessed the appearance of many such negative efforts by the payment agents of the implementing partners and through proactive vigilance we have been able to cut short the impact by killing it in its initial stages otherwise one can well imagine the quantum if the system is catering for more than 5.2 million illiterate women recipients.
Further, my last ten years experience has exposed the importance and criticality of financial literacy for any technology based payment systems and no matter whatever and which risk mitigating measures are taken the impacts are not ideal if the recipients of the funds are financially illetrate.
Thank you for your comment. You are right to highlight that having a "system of continued monitoring, evaluation and course correction" is essential. I'd argue that it is a key point of good practice for any financial service, but unfortunately it is too often neglected. Like you, I have experience of its effectiveness - allowing my team to become aware of frauds whilst they were still small scale, and act to close the door promptly. Without such monitoring, such frauds may start small, but once their effectiveness has been demonstrated they can scale up frighteningly quickly.
I'd also agree wholeheartedly with your comments about financial literacy. Lack of financial literacy, coupled with a lack of technological familiarity, is a significant stumbling block to financial inclusion initiatives. It concerns me that we as service providers sometimes expect far too much of people; only a short time ago, many existed entirely in a world of physical cash, and we expect them to quickly adapt to not only the dematerialisation of cash, but also to managing their money through another new technology, the mobile phone. We could do better, and there are technological approaches to reducing the size of that huge step up we are expecting people to take.