Exploring the How and Why of Biometric Security
In the financial industry, security is paramount. As the world moves online and technology becomes more sophisticated, so do hackers and scams. The advantages of leveraging technology have just skyrocketed with the impact of COVID-19, but preventing systems breaches can make the difference between customer loyalty and customer attrition. In China, biometric security is rapidly being adopted as a safe and easy way to handle financial transactions securely. Will COVID-19 be the thing that pushes North American banks to begin implementing these security measures on a wide scale?
In this episode, we speak with Nick Hallas, Vice President of Sales at Daon – an innovator in developing and deploying biometric authentication and identity assurance solutions worldwide – about the why and the how of biometric security.
Melinda: In the financial industry, security is paramount. As the world moves online and technology becomes more sophisticated, so do hackers and scams. The advantages of leveraging technology have just skyrocketed with the impact of COVID-19, but preventing systems breaches can make the difference between customer loyalty and customer attrition. In China, biometric security is rapidly being adopted as a safe and easy way to handle financial transactions securely. Will COVID-19 be the thing that pushes North American banks to begin implementing these security measures on a wide scale? Today, we’re talking to Nick Hallas, Vice President of Sales at Daon – an innovator in developing and deploying biometric authentication and identity assurance solutions worldwide – about the why and the how of biometric security. Welcome, Nick. Thanks so much for being with us today.
Nick: Thank you, Melinda. Thank you for having me on your podcast today.
Melinda: Can you start us off by telling us a little bit about how you came to be interested in biometric security?
Nick: Sure. So, I’ve been in the IT software space for a little over 25 years. I’d say I spent the last 15 in security and the last 10 in biometrics, authentication security I should say. I got very interested in it many years ago primarily because I was using my password for many of my accounts, whether they be business or personal. I started to realize that, you know, my Yahoo account or my Gmail account password was the same as my banking account, as well as my 401(k) account. And at some point, as you know, with the proliferation of devices and applications have started using more and more of the same passwords not only with all my accounts but started adding them to sticky pads. And at some point, rather than using the same one, I would use variations of them.
So I thought, there’s got to be an easier way to do this, right? An easier way to maybe just to get rid of passwords altogether. I started doing some due diligence and looked at biometric technology primarily as it was being employed back then, which was primarily at customs and border patrol and airport security terminals. And so that was just maybe because a little of me is intrinsically a procrastinator and sometimes a little lazier, I said, “There’s got to be a better way for us to be able to authenticate. What better way by doing that than using, you know, your human attributes.”
Melinda: Yeah. So, I mean, I absolutely hear you and I am guilty as well of having the same password for multiple things, and then you change it and you can’t remember what you changed it to, and you have to go back to your email and change it all again and get the code to your phone and it’s just such a pain, but for some people, I think the idea of biometric security still feels a little bit futuristic. Can you just give us a level set and tell us what are we actually able to implement today in 2020?
Nick: That’s a great question, Melinda. You can absolutely say that to some, it’s too futuristic, right? We take a look at it and say, “You know, we should be getting rid of passwords because they are archaic, right? They’re 40, 50 years old at this point.” You know, not going back to the stone ages, of course, but being frictionless and inserting Melinda or Nick into the transaction as a person to patch it, right? Someone that’s, you know, 90 years old of age, 90 years of age or 21 years of age to be able to easily and seamlessly and frictionlessly authenticate themselves. I would say that with proliferation of smartphones and primarily what Apple has done and Samsung with touch ID and face ID has made that less futuristic. You know, I would say that five, six years ago, people would have been very hesitant to use their fingerprint to authenticate and/or use their face to authenticate. And I think Apple, primarily as the leader there, really did a great job making the consumers feel much more comfortable in using biometrics to log into their device.
Today, we’re able to utilize face, finger, voice, iris, behavioral. And so, you’re seeing that happen and proliferate in many channels, we call it an omnichannel environment. So, whether you’re in a branch, whether you’re on the web, whether you’re using your mobile device or even wanting to authenticate a call center, people want to be able to secure their identity and biometrics can assist in doing that and building trust.
Melinda: And why is it better than what we’ve got now? I mean, obviously, we talked about just trying to keep track of your passwords is a big struggle for people, but in terms of security, why is it better?
Nick: So, we always have to say biometrics is probabilistic, right? It’s not yes or no, it’s not binary. So, biometrics typically is more secure in a layered approach to current environments. You have to remember…today, you know, you’ve got to remember your password for 50 different accounts. I know that last year global security reports said that 65 percent of consumers use the same password for all of their accounts. And I’m certain that it could even be higher, right, if you start to include both work and personal accounts. I would say that it’s also very difficult to scoop biometrics. So, making it easier and more secure for us as a consumer or customer. The fact that I can seemingly authenticate whether I’m using my finger, my face, or my voice, or my eyes just makes it easier and frictionless and convenient.
And I think it’s important too, to remember that using biometrics typically is great when you offer a choice. So, if I’m perhaps in a train station where it might be very loud, I may want to use my face or my finger, right, where perhaps I’m in a dimly-lit restaurant and I can’t necessarily use my face, I may want to use my finger or my voice. So, the opportunity to have convenience and a choice makes for not only a great user experience but also allows for better security as part of that layered approach. Does that make sense?
Melinda: Yeah, absolutely. And so, you’re out there talking to financial brands that are considering this kind of technology, what are some of their concerns about moving in this direction?
Nick: So, great question, Melinda. And I firstly want to mention, you know, I’ve been here at Daon for four years in March and when I first came on board, and this is just Nick speaking, I thought that we were, kind of, still in that, you know, leading forward technology-wise. I think a lot of banks were talking about, “I don’t know,” “maybe if,” you know, perhaps, fast forward to, you know, 2020, even 2019, and we’ve moved beyond “it” and more about “when.” Some of the challenges, I think that they’re…or I should say not challenges but concerns one is, you know, speed to market, right? They’re seeing that many financial institutions today are using biometrics, and obviously they don’t want to not have the same service offerings to their consumers. So, you may have X bank in New York and Y bank in New Jersey, and they obviously want to compete for the same consumers. And particularly now with millennials really having moved to digital banking channels and even looking at baby boomers that are now more and more using their smartphones, it’s really kind of a perfect storm for deploying biometrics in that scenario.
So, the first answer would be speed to market. I think some of the challenges around that is that there are many stakeholders when deploying a biometric system and getting them all on the same page with the same priorities in large organizations could be a little bit challenging or daunting. So, being able to convince the right people within an organization about the ease of deployments and the real quick wins that they would get with their net promoter score. For example, USAA attributes their high net promoter score to one of many factors and one of those being the fact that we’re very easy and convenient to use. And, of course, as you’re probably well aware, USAA’s been a leader in, kind of, net promoter score indexes. So, it really depends on the organization, but I think it is more about speed to market and deploying a solution and a solution that’s been in production with others, right, not kind of this science project of we’re in the wild now and how is this really going to interact with our consumers or even our employees?
Melinda: Yeah. I mean, that definitely resonates with the same, sort of, things that we see when we’re working with financial brands is that getting everybody on the same page and then how can we implement this, especially if we have a huge network of branches, how do we do that? That is always a challenge.
So, as I mentioned in the intro, in China, people are happy to pay with a face scan. Can you tell us about some of the ways in which Chinese consumers are using these technologies in their daily lives? I mean, they’re so far ahead of us. It’s really interesting to see what they’re up to over there.
Nick: Yes. You know, I would definitely concur with you and agree wholeheartedly with regards to where China is, you know, in deploying biometrics with the rest of the world. First and foremost, China and even Asia as a whole really, kind of leapfrog the world as it relates to the use of mobile devices and how they use those mobile devices, right? It’s not just text somebody or call somebody. You know, with Alibaba and buying online or whether you’re on a mobile device or banking, going to a grocery store. I even saw a video recently where they were authenticating getting a train ticket and then at one stop, they were buying their groceries with a biometric algorithm using their face. And then when they would get to their station at home, their groceries were ready for them to be picked up and taken home.
You name it, any way of, you know, using digital commerce in China and utilizing biometrics has made it very seamless and frictionless for a consumer. So much so, as you’re very well aware of this, Melinda, but, you know, back in 2016, a biometric algorithm provider was acquired by Alibaba and embedded that technology within their mobile app and then shortly thereafter throughout all of the apps that are related to that ecosystem. So, biometrics has been an important part of virtual commerce, and we can only see that growing throughout their economy as well as the globe.
Melinda: So, I mean, if we look in the context of a North American market, and I’m thinking specifically about more conservative markets in the U.S. where consumers might have a fear of governments or corporations having access to personal information, banks might have to work a lot harder to convince those consumers that biometric security is in their best interest. So, how do you think brands can build that trust?
Nick: You know, we’re a global company. We have a big office in Dublin that covers our EMEA market as well as in Australia. The reason I say that is, as you’re well aware of GDPR and PSD2 and what happened there over the last few years and that slowly has trickled over here to the U.S. with CCPA in California and some other kind of smaller…I shouldn’t say smaller, but security-related legislation, for example, what’s going on in New York and parts of Texas. So, we are well aware of that, and we have, kind of, addressed that with two parts of our solution. One is what we call FIDO, which is Fast Identity Online. That’s an alliance and essentially what that allows for is device side or using your mobile device for authentication. So, nothing is being stored on a server. There’s no real way of accessing any of those records because they are stored locally to your device.
But then we have other organizations that want to use the server-side that can either retain the templates as we would call them, the raw images, which would be the raw image of your face, so a picture of your face, or the ability to have a template, which would be a template, you know, Xs and Os of your face, which would really, kind of match that as well. So, those are the ways that you can, alleviate the fear of that PII data. And then again, you know, back to Apple and Samsung and how they’ve really made something that was of concern regarding PII is something that’s, kind of, mainstream in life today, being able to authenticate, using your finger or face to not only to get into your mobile device but into apps that you use to shop and bank with daily.
Melinda: Interesting. I think banks are going to have to have a tiered strategy on that for markets that might be earlier adopters than others.
Melinda: We’re dealing today with COVID-19 and people being forced to use digital banking, even if they weren’t previously really using it. I would think now’s a good time for banks to start accelerating their move towards biometric security. Can you talk to me a little bit about that?
Nick: Absolutely. We definitely should have a very large uptick in digital transformation initiatives that include biometric authentication as part of COVID-19. We’re seeing a lot more interaction, which is a huge uptick in transactions that have occurred in visual channels, whether it be web or mobile. And we feel that the new norm as we come to hear about interactions at a branch or an ATM or any of your digital channels will make it much more convenient and a lot less friction in using biometric predication to do so. So, again, our vision of identity continuity. So, having that same look and feel whether you’re in a mobile web branch or call center channel and having that constant identity continuity throughout, kind of, that consumer life cycle. So, we have definitely seen a huge uptick.
We’ve even heard discussions, and we’ve actually had some internal here at the company around a COVID-19 passport. So, being able to digitally onboard you and then start to keep some of those records. I don’t know if it will come to fruition per se or not, but as you start to go out, interact, you know, as things open up in this country, perhaps having something that can, kind of provide details as to where you’ve been, and whether you’ve been tested or whether you’ve contracted COVID to allow you to move more freely in the open marketplaces as I mentioned as things open up. So, definitely seen a big move there and has really, kind of pushed digital channels and digital transformation at a quicker pace than we’ve seen over the last two years.
Melinda: One of the big advantages I can see is that in the branch itself, if I need to go into the branch, I don’t want to touch that pin pad. I’d rather be able to have my voice or my eyes scanned so that I don’t have to touch things. Are you seeing interest in that?
Nick: So, we’ve had a lot of inquiries from the top-tier banks here in the U.S. around that new norm, you know, consumer experience in the branch. One has been in the form of kiosks, as you had mentioned using your face or even your voice to have that contactless experience. We’ve also had some that have wanted to potentially use the mobile device and the QR code. So, imagine walking up to a teller, authenticating yourself on your mobile device, and then providing him or her, the teller, with a QR code that they can then scan to verify your identity. So, we’ve had a lot of interesting and great discussions around that. I think many in the marketplace are still trying to see what that new norm might look like, but, you know, not only within banking, but a lot of brick and mortar stores have been very interested in how they can authenticate users and allow users to procure goods using their face or their voice. So, that’s a great question and we’ve absolutely seen a very large uptick in that in the last few months.
Melinda: Yeah. That’s a great point. That’s not just relevant to banks, that other retail brands are going to need to start thinking about this as consumers are not going to want to touch things within their environments. So, you mentioned earlier that one of the concerns that banks have is about the speed to market. Can you tell us a little bit about the process of adopting this kind of system, you know, how long does it take, and what happens?
Nick: Sure. Well, I’m pretty fortunate that I sit, you know, in a seat with the company that has a product that’s really, kind of, off the shelf. It doesn’t require a lot of customization per se. It’s very easy to integrate. You know, we talked to a lot of other point players and it requires a lot of customization and each customer is unique that requires, you know, some more legwork and actually standing it up into a production environment. Typically, our customers, I would say particularly for the banking sector, typically about 12 weeks. And the reason for that is, you know, a variety of reasons, right, whether the customer wants to host the solution on their own premises, whether they want Daon to host it in a public cloud, how many resources you’re going to allot for it, you know, do they have the infrastructure in place already, for example, server and databases that are going to put it on-prem, do they have the right resources, you know, are they junior in nature, are they senior in nature? We’ve got a top-five bank that has, you know, half a dozen junior programmers on board. And so, it makes things a little more challenging. You know, is their banking platform up to spec and do they have…you know, is their mobile app ready to go? So, there’s numerous factors that relate to that.
But I will say at the end of the day, it’s typically about 12 weeks and we actually have had a Fortune 10 company banking customer that was up in nine days. Of course, we were hosting it and they were ready to go with their mobile app, so I hate to use the word “it depends,” but I would say 12 weeks is typically how long it would take to implement a solution like this.
Melinda: So, if I was a financial brand and I want to start integrating a biometric system, what would be the top three things that I would need to do?
Nick: So, first and foremost, you want to make sure that you have, as I mentioned before, an out of the box solution, you know, it does not require a lot of customization and integration plugins are ready to go day one. You know, you look at some organizations and they may pay X for the software and then they’re going to pay 10X for the customization and professional services. So, you’ve really got to be cognizant of where that product is in its maturity life cycle. Secondarily, I’d love to say that you want to work with a biometric vendor that’s been around for a while and that has numerous production customers. Before COVID-19, we went to 10 trade shows on a monthly basis. We would laugh because, you know, we used to call it two guys in a garage that bought an algorithm, now they’re a biometric authentication firm.
And you also want to make sure that you have numerous customers in production because as we call it, it’s kind of the Wild, Wild West, you know, it’s the little things that you may forget that are very important from a user experience perspective. For example, when we first rolled out in the USA five, six years ago, we realized that it was best to have an oval so that folks would know where to put their face when they were going to authenticate using their face. And so, just little things that people don’t realize are important when you start to deploy this amongst consumers with 10, 20 million users, it’s making it easier for them to not only be able to authenticate but more importantly, to enroll.
And then lastly, I think the ability to tune your platform that addresses convenience and securityfor their customers, right? And we have certain organizations that rolled out, for example, post-production pilots to say wealth management, kind of the white-glove customer features that may have 100,000 users and then, you know, roll out the retail bank that might have 60 million users, but the ability to tune that platform so that you can make it convenient, for good actors and maybe tune it to make it more difficult from a security setting for perhaps bad actors. So, those are the three things I think you really need to consider, most importantly when integrating a private authentication system. And I guess at the end of the day, it’s really a firm that knows what they’re doing and has been around for a while.
Melinda: That makes a lot of sense, especially when we’re talking about people’s financial security, you don’t want to take any risks. So, I mean, that’s fantastic advice. And I know that a lot of banks are thinking about this right now if they haven’t already started the process. So, I am going to link in the podcast description, if you want to get in touch with Nick at Daon, I’ll have a link so that it’s easy for you to do that. And thank you so much for sharing all these thoughts with us today.
Nick: Thank you, Melinda. Hope you stay safe and look forward to continued discussions.
Melinda: I’m sure you’re as tired as I am of hearing about the new normal. And that being said, if there ever was a time to prioritize biometric authentication, it’s now while things are in such flux. Consumers are going to be looking for a touchless experience. So, if freedom from passwords wasn’t a good enough reason to move to biometrics, maybe this will be the motivating factor and the reason customers would be willing to shift their behavior. If you’re already on this journey, we welcome you to get in touch and let us know what you’ve learned. We’re always interested to find out. Don’t forget to subscribe to Think Retail on iTunes or Spotify. And thanks for listening.
Nick Hallas is Vice President of Sales at Daon, a company whose mission is “to be the world’s leading human authentication platform enabling people across any channel to easily assert and protect their identity.”
Think Retail is a podcast where top designers, strategists, thought leaders and business people discuss what’s coming next. For more information, email firstname.lastname@example.org.