In an unusual experiment, two European banks (one in Hungary, the other in Spain) are trying to boost security and – nonintuitively – convenience by layering one biometric authentication method on top of another.
The two biometrics are facial recognition and palm recognition – both performed via a mobile device – and the banks are Hungary’s OTP Bank and Spain’s Liberbank; the vendor behind the effort promises imminent deployments in Slovenia and the UK. It’s clear that such an approach would theoretically be more secure, but is such a combo going to mean too much friction for the typical customer? Or will users accept a minute amount of additional effort to better safeguard their money?
Hungarian vendor PeasyPay is running the deployments and experienced a variety of initial problems, including some language conversion issues (“minor misunderstands, problems with email validation”) and “sometimes slow payment process start because of push notification service provider lags,” according to PeasyPay’s product leader Csaba Körmöczi.
The intriguing aspect here, though, is whether this approach truly delivers the best of both worlds. Does it negate the downsides of both biometric approaches or does the combo inherit the problems from both? Facial recognition can sometimes be tricked by a three-dimensional representation of the user, and can encounter light and facial changes issues. Palm recognition has fewer drawbacks, as long as the palm hasn’t been damaged (likely burned) since the initial image was captured.
Körmöczi didn’t offer any specific figures, but did stress that the app allows the business (banks, in these cases) to choose in settings how strict they want to go, which is true for many biometric authentication systems.
“So one system can be fine-tuned for more security – lower false acceptance rate, but higher false rejection rate [FRR], so less convenient – or for easier usage, with lower false rejection rate, but higher false acceptance rate, so less secure. With multimodal biometric authentication methods, if we have two independent factors, the combined FAR will be very low, about the product of the two original FARs,” Körmöczi said. “So we can decrease the thresholds in order to achieve low FRRs, and still we will have a high security system (low FARs).”
This is tricky business. As a practical matter, businesses are supposed to consider the value/risk of the service being performed and then figure out the friction/convenience level. When Apple initially deployed biometrics to open an iPhone, it permitted an unusually high false acceptance rate so that the user experience would be pleasant. And given that it was replacing in most instances a very weak bit of security (a 4-digit password), it was still meaningfully more secure.
But when the app is from a bank and is allowing access to much of that person’s money, it would seem that a false acceptance rate needs to be remarkably low. Most consumers would rather go through additional authentication hurdles rather than make it easy for a thief to wipe them out. That should mean that all financial institutions will opt for high-security at the cost of lower convenience.
In short, it’s better to reject an occasional legitimate customer than grant access to a thief.
This brings us back to the original question: Will users sit still for double biometrics if it means thieves will have a much harder time getting at their money?
PeasyPay could have opted for two alternative biometrics, allowing users to choose which one they want to use today, theoretically bypassing whichever method is more problematic. In these days of COVID-19, leaving a face mask on in a bank and instead displaying a palm might be preferable, whereas sitting at a restaurant with a facemask off might make facial recognition the preferred option.
This vendor didn’t do that, however, instead opting to force all to use both. And what if the two results conflict? What if facial recognition decides the user is legitimate and the palm scan says it’s an imposter? Do both have to give a greenlight for access to be approved? This would seem to make it more likely to deliver a false rejection because both are essential.
It’ll be interesting to see whether two biometric measures mean double trouble or twice the security.
