Perhaps it’s the rash of daily reports about data breaches. Or one too many compromises of people’s passwords.
Whatever the cause, it appears that Americans are becoming increasingly interested in the use of biometrics to verify personal identity or to enable payments.
And the credit card industry has taken notice. Biometrics – the descriptive term for body measurements and calculations – is becoming more prevalent as a means to authenticate identity and enable proper access and control of accounts.
A recent survey of ~1,000 American adult consumers, conducted in Fall 2017 by AYTM Marketing Research for VISA, revealed that two-thirds of the respondents are now familiar with biometrics.
What’s more, for those who understand what biometrics entails, more than 85% of the survey’s respondents expressed interest in their use for identity authentication.
About half of the respondents think that adopting biometrics would be more secure than using PIN numbers or passwords. Even more significantly, ~70% think that biometrics would make authentication faster and easier – whether it be done via voice recognition or by fingerprint recognition.
Interestingly, the view that biometrics are “easier” than traditional methods appears to be the case despite the fact that fewer than one-third of the survey respondents use unique passwords for each of their accounts.
As a person who does use unique passwords for my various accounts – and who has the usual “challenges” managing so many different ones – I would have thought that people who use only a few passwords might find traditional methods of authentication relatively easy to manage. Despite this, the “new world” of biometrics seems like a good bet for many of these people.
That stated, it’s also true that people are understandably skittish about ID theft in general. To illustrate, about half of the respondents in the AYTM survey expressed concerns about the risk of a security breach of biometric data – in other words, that the very biometric information used to authenticate a person could be nabbed by others who could use the data for nefarious purposes.
And lastly, a goodly percentage of “Doubting Thomases” question whether biometric authentication will work properly – or even if it does work, whether it might require multiple attempts to do so.
In other words, it may end up being “déjà vu all over again” with this topic …
For an executive summary of the AYTM research findings, click or tap here.
My concerns refer to the predictable abuses.
Biometrics – phrenology or craniometry or other measuring techniques – have a well-documented history of abuse. The abuse, of course, ensues when the techniques developed to determine identity are employed to monitor someone’s emotional state or emotional reaction, etc. Call center software already uses the recordings of the calls you make to monitor for emotional state. Vocal biometrics.
Body temperature, measured over the entire body as a person passes through a sensor gate, can determine health issues – or maybe provide a false positive.
Measuring people’s head dimensions is still merrily abused for unabashed racism.
And eugenics (Mengele & Co.) had a heyday with biometrics.
Don’t say I didn’t tell you so.
I’m actually more worried about simple mistakes than abuse.
A lot of variables pop into this equation the moment you move beyond PIN numbers and past fingerprints. What if someone wears colored contact lenses or hairpieces, gains or loses weight, has a face or eye-lift (or several) and, heaven forbid, ages strangely, develops a smoker’s voice, has a stroke affecting facial muscles, acquires a glass eye, or simply becomes “unrecognizable”?
Given the technologies available, people need to realize that multi-factor authentication (MFA) is the only feasible way to improve security these days.
The principle behind MFA is that authentication requires any two of the following three pieces of evidence (factors): “something you know”, “something you have”, and “something you are”.
Or, more precisely: “something you (and only you) know”, “something you (and only you) have”, and “something you (and only you) are.”
“What you know” includes passwords and PINs. Of course, these need to be difficult for someone else to know or guess; otherwise they fail the “you (and only you)” test. That rules out using the same password for all your accounts, using “password” as your password, or something easily tested like “1234” as your PIN.
“What you have” includes security tokens (like RSA SecurID fobs) and other devices (PCs, smartphones or plain old hand phones) which can receive or generate a one-time password (OTP). “What you have” is not the token or device; it’s the OTP. By definition, you and only you have this OTP.
“What you are” includes biometrics, running the gamut from your fingerprints to your DNA and face recognition profile. The problem here, as former Minnesota Senator Al Franken was fond of pointing out, is that a bad actor can trick sensory systems into thinking you are what you aren’t. Late last year, for example, Apple was accused of racism following reports that iPhone X face recognition technology couldn’t distinguish between Chinese users. A man from Shanghai bought his wife a new iPhone X, but she was shocked to discover their teenage son could unlock it.
Be that as it may, when any two of these three factors are presented, it becomes exponentially more difficult for a bad actor to get in — even if one of those factors fails. For example, the Shanghai teenager would have needed to point his mother’s iPhone X at his face (something you are), and supply his mother’s password (something you know). If Mom follows good security practices, she’d have made her password hard to guess and always kept it secret. This almost surely would have foiled her son’s attempt to unlock her phone, because you only get so many failed attempts before the iPhone X locks out for good.
Many people will complain that this is all too complicated. I suspect many of them aren’t worried about handing all their personal data over to Facebook, either. (The rest, like most people, just like to complain.)
The point is, security comes at a cost of convenience. Having to pull out a key to unlock the front door of your home is always less convenient than leaving the door unlocked, all the time, but it’s much more secure. Likewise, two factors are always more secure — but less convenient — than one. And simply replacing one factor with another (like replacing passwords with face recognition technology) doesn’t really improve security at all.
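The two-of-three rule and the failed-attempt lockout described in the comment above, as an added example that is not part of the original post or its comments. The `Account` class, the `pin` field and the threshold of five failures are assumptions made for illustration; the point shown is that a password plus a PIN is still one factor, while a password plus a one-time password is two.

```python
import hashlib
import hmac
import struct

MAX_FAILURES = 5  # assumed lockout threshold; the page gives no number

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def kdf(secret: str, salt: bytes) -> bytes:
    """Slow salted hash so stored knowledge factors are never kept in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Account:  # hypothetical account record, for illustration only
    def __init__(self, password: str, pin: str, salt: bytes, otp_secret: bytes):
        self.salt, self.otp_secret, self.failures = salt, otp_secret, 0
        self.known = {"password": kdf(password, salt), "pin": kdf(pin, salt)}

    def category(self, kind: str, value: str, now: int):
        """Return the factor category this evidence proves, or None."""
        if kind in self.known:  # something you know
            ok = hmac.compare_digest(kdf(value, self.salt), self.known[kind])
            return "know" if ok else None
        if kind == "otp":  # something you have: the code from the token
            expected = totp(self.otp_secret, now).encode()
            return "have" if hmac.compare_digest(value.encode(), expected) else None
        return None  # a biometric matcher ("are") is out of scope here

    def authenticate(self, evidence, now: int) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"
        proven = {self.category(kind, value, now) for kind, value in evidence}
        proven.discard(None)
        if len(proven) >= 2:  # two distinct categories, not two secrets
            self.failures = 0
            return "granted"
        self.failures += 1
        return "denied"

if __name__ == "__main__":
    # Constructed sample data; the OTP secret is the RFC 6238 test key.
    acct = Account("correct horse", "4821", b"constructed-salt", b"12345678901234567890")
    print(acct.authenticate([("password", "correct horse"), ("pin", "4821")], 59))
    print(acct.authenticate([("password", "correct horse"), ("otp", totp(acct.otp_secret, 59))], 59))
```

A production verifier would also reject a one-time password that has already been used and tolerate a small clock-skew window, both omitted here.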