Two European banks are looking to boost security by layering a pair of biometric authentication methods – facial recognition and palm recognition – atop one another. That could mean more security, or more headaches for users.
In an unusual experiment, two European banks (one in Hungary, the other in Spain) are trying to boost security and – non-intuitively – convenience by layering one biometric authentication method on top of another.
The two biometrics are facial recognition and palm recognition – both performed via a mobile device – and the banks are Hungary’s OTP Bank and Spain’s Liberbank; the vendor behind the effort promises imminent deployments in Slovenia and the UK. It’s clear that such an approach would theoretically be more secure, but is such a combo going to mean too much friction for the typical customer? Or will users accept a minute amount of additional effort to better safeguard their money?
Hungarian vendor PeasyPay is running the deployments and experienced a variety of initial problems, including some language conversion issues (“minor misunderstands, problems with email validation”) and “sometimes slow payment process start because of push notification service provider lags,” according to PeasyPay’s product leader Csaba Körmöczi.
The intriguing aspect here, though, is whether this approach truly delivers the best of both worlds. Does it negate the downsides of both biometric approaches or does the combo inherit the problems from both? Facial recognition can sometimes be tricked by a three-dimensional representation of the user, and can encounter light and facial changes issues. Palm recognition has fewer drawbacks, as long as the palm hasn’t been damaged (likely burned) since the initial image was captured.
Körmöczi didn’t offer any specific figures, but did stress that the app allows the business (banks, in these cases) to choose in settings how strict they want to go, which is true for many biometric authentication systems.
“So one system can be fine-tuned for more security – lower false acceptance rate, but higher false rejection rate [FRR], so less convenient – or for easier usage, with lower false rejection rate, but higher false acceptance rate, so less secure. With multimodal biometric authentication methods, if we have two independent factors, the combined FAR will be very low, about the product of the two original FARs,” Körmöczi said. “So we can decrease the thresholds in order to achieve low FRRs, and still we will have a high security system (low FARs).”
This is tricky business. As a practical matter, businesses are supposed to consider the value/risk of the service being performed and then figure out the friction/convenience level. When Apple initially deployed biometrics to open an iPhone, it permitted an unusually high false acceptance rate so that the user experience would be pleasant. And given that it was replacing in most instances a very weak bit of security (a 4-digit password), it was still meaningfully more secure.
But when the app is from…