WHITE PAPER

Let's do BI (Biometric Identification)
Let's get smarter

"Smart" seems to be the operative prefix in today's world, qualifying everything from phones to cards and cars. So it is logical to ask if we humans can also become smarter, specifically in the way we go about our financial transactions. Biometric Identification (BI) enables us to do that by mitigating the threat of theft, manipulation, forgery and spoofing. By using fingerprints for authentication, biometric devices ensure secure access to payments and transactions and eliminate the need to carry plastic cards and cash.

Fingerprint authentication makes life easier by doing away with PINs, passwords and hint questions and answers. Since each fingerprint is unique to an individual, it is a lot more reliable than tokens, PINs and "what you know" methods. It also makes transacting more convenient. A shopper can authorize payment for purchases with their fingerprint at an EFTPOS terminal, after which the money is debited from their account and credited to the merchant's in a fraction of a second.

While we have used the fingerprint illustration, it is just one aspect of biometric identification. It is proven that different aspects of human behaviour and physiology can also be used for authentication.

The major issue that most financial institutions face today arises from the huge volume of frequently overwritten data that must be dealt with. So knowledge-based data, be it a password or PIN, needs to be reset more often because of its vulnerability to hacking. On the other hand, something unique and belonging to a user and which cannot be copied, such as a fingerprint, offers a much more secure method of authentication.

Two Es of biometric identification

The two Es stand for Easy and Effective, characteristics of biometric identification.

Easy: It's easy to install a biometric fingerprint reader in any outlet. The device has a sensor to scan and read fingerprints, and the read data is then stored in a database.
Software logic compares the data captured with the data present in the enterprise to match the fingerprint. Within the database, the process brings together a fingerprint and a reference or PIN number. A comparison with a person's name or account takes place, which, depending on the purpose, allows or disallows access, updates a time clock, or even enables payroll access.

A biometric device basically works on three factors:
a) Human
b) Device
c) Algorithm

H: It is essential that the finger is placed properly, in contact with the sensor surface, to ensure reliable data assessment.

Device: Biometric devices must be kept in moderate temperatures; too much heat can affect the sensor surfaces and may result in wrong assessment.

Algorithm: The logic used for biometric identification is based on three factors, namely enrolment, evaluation and decision making.

Enrolment, as the name suggests, is about reading the fingerprint, recording the data and passing it for evaluation through a baseline template. It's the most important stage and the data needs to be captured accurately without the slightest error.

During evaluation, the data captured as above is compared with the corresponding data in the bank's database. When the comparison results in a match, it signifies the print is genuine. The results are then passed on to the decision-making component.

The decision-making component uses the result (score) from evaluation to decide its authenticity based on two algorithms, Matching and Ranking. It publishes the result to the device, which acts on it by displaying a success or error message as the case may be.

Effective: In the digital era, data theft and copyright issues are rising day by day. As customers switch to electronic banking, they must remember a bunch of PINs and passwords, and change these often in the interest of security. On their part, banks must provide a mode of authentication that is easy, yet robust.
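The enrolment, evaluation and decision-making stages described under "Algorithm" can be sketched as follows. This is an added example, not code from the paper or from any Infosys product. It assumes a toy minutiae template of (x, y, angle) points, a fixed threshold, and an interpretation of Matching as a 1:1 check against a claimed account and Ranking as a 1:N search, which the paper does not define.

```python
import math

THRESHOLD = 0.6  # assumed decision threshold; real systems tune this against error rates

def score(probe, template, dist_tol=6.0, angle_tol=15.0):
    """Evaluation: fraction of minutiae (x, y, angle) that pair up within tolerance."""
    unused = list(probe)
    paired = 0
    for tx, ty, ta in template:
        for m in unused:
            d_angle = abs((m[2] - ta + 180) % 360 - 180)  # wrap-around angle difference
            if math.hypot(m[0] - tx, m[1] - ty) <= dist_tol and d_angle <= angle_tol:
                unused.remove(m)
                paired += 1
                break
    return paired / max(len(template), len(probe))

def enrol(db, account, sample):
    """Enrolment: store the baseline template under an account reference."""
    if len(sample) < 4:
        raise ValueError("too few minutiae captured; re-scan the finger")
    db[account] = list(sample)

def match(db, account, probe):
    """Matching (1:1): does the probe agree with the template of the claimed account?"""
    template = db.get(account)
    return template is not None and score(probe, template) >= THRESHOLD

def rank(db, probe):
    """Ranking (1:N): order enrolled accounts by score; accept the top one only above threshold."""
    ranked = sorted(((score(probe, t), acct) for acct, t in db.items()), reverse=True)
    best_score, best_acct = ranked[0] if ranked else (0.0, None)
    return (best_acct if best_score >= THRESHOLD else None), ranked

# Constructed sample data: minutiae as (x, y, ridge angle in degrees).
DB = {}
enrol(DB, "ACC-1001", [(10, 12, 30), (40, 45, 90), (70, 20, 200), (55, 80, 350), (25, 60, 120)])
enrol(DB, "ACC-2002", [(15, 70, 10), (60, 60, 180), (80, 35, 270), (30, 25, 45), (50, 10, 300)])

# Same finger as ACC-1001, re-scanned: small shifts, one minutia missed by the sensor.
GENUINE = [(12, 11, 34), (41, 47, 85), (68, 22, 205), (54, 79, 2)]
# A finger that was never enrolled.
STRANGER = [(5, 5, 0), (90, 90, 100), (45, 30, 220), (20, 85, 60)]
```

The threshold is the security-relevant setting: lowering it accepts noisier scans from genuine users but also raises the chance that a different finger is accepted, and a 1:N ranking without a threshold would always return some account.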
Authentication can be done in three ways:
a) Knowledge-based, where something that the user knows, like a PIN, password or secret question, is used
b) Device-based, where authentication is done with a smartcard, security token or other gadget
c) Biometric, which relies on a user characteristic like a fingerprint, retina scan, psychological behaviour etc.

Let's look at them one by one. Knowledge-based techniques are useful because they make it possible to define a large number of combinations of numbers, letters and special characters, but are very cumbersome to remember and manage. When the same password is not used for more than one account, it defeats the notion of Single Sign On.

A security token or smartcard can mitigate the pain of remembering passwords and PINs and of completing the reset logic and generating new PINs as per business rules. While this sounds good, there is a huge operational cost (specialized hardware, infrastructure support, shipping) involved for the financial institutions and banks implementing it.

Infosys External Document 2015 Infosys Limited

Biometric identification has always been considered a foolproof, or at least difficult to forge or spoof, authentication solution. The concept of system identification based on physical characteristics, used earlier for guarding mainframe access or restricting entry to select users, was sluggish, intrusive and expensive. With innovations in technology, things have taken a giant leap. Now the networks are faster, movement of data to and from the server takes microseconds, and to top it all, biometric devices are very cheap to install. These reasons have made fingerprint authentication popular. Today, many laptops and PCs come with built-in fingerprint readers at hardly any cost to the manufacturer. Users can be allowed a password or PIN option as the second factor after fingerprint authentication.

The solution and its benefits

Customers opening an account register their fingerprint along with other personal data with the bank. They request Single Sign On access and transaction processing based on their fingerprint and perhaps additionally, a PIN. This two-factor authentication can be extended to three or four factors, or downgraded to a single one, using a business rule that can be set based on customers' requests. It can be done in a branch or online (using devices where this feature is enabled), depending once again on the customers' convenience.

Benefits

To banks:

Financial inclusion: A massive number of people, mostly in Africa, Asia and the Middle East, aren't currently unbanked because they're unbankable, but because most simply cannot comply with the identification requirements of financial institutions.
In fact, about 60% of the world's citizens do not have national ID cards, passports, driver's licenses or other government-issued identity credentials. Other inhibiting factors include distance from banking locations and illiteracy.

A step towards security: Consumers complete a relatively simple enrolment process, which generates a unique and secure identity for each. Because the identity is biometrics-based, it's virtually impossible to duplicate or forge. The resulting database could be used to authenticate the identity of consumers when they want to access financial services, such as payments, in the absence of government-issued credentials. They can simply scan a fingerprint and their identity will be confirmed by matching it to the biometric data stored in their file.

Affordability and simplicity: In addition to greater certainty in the identification process, biometrics-based systems also bring simplicity and affordability. The scanners and software used to read, capture, manage and confirm fingerprints and other biometrics have demonstrated reliability and performance in a variety of demanding applications around the world. They also tend to be affordable, which contributes to the financial viability of microfinance and other relatively new initiatives.

To end users:

Security: Fingerprint (biometric) authentication is highly secure as fingerprints are the hardest to forge.

Overcomes language and literacy barriers: Biometric identification overcomes barriers of illiteracy and language and circumvents the lack of government-issued credentials. Once enrolled (opening an account) with the bank, transacting is easy and hassle free.

Does away with multiple passwords: Biometric or fingerprint authentication relieves users from maintaining multiple passwords for multiple accounts in various banks.

Ease and affordability: The convenience of fingerprint scanning versus secure cards or other tokens is also a plus.
Also, since many laptops and phones are now available with a built-in fingerprint reader, there is no need for their owners to buy a separate device.

Biggest challenges

Biometric data cannot change: While passwords and PINs are very easy to reset and can be changed as many times as needed, biometric data can't be altered. Be it a fingerprint or iris scan, the data remains the same, which can become an issue if it is compromised. The chances of that happening are rare though.
Biometric systems can't be used by everyone: Fingerprint authentication is ruled out for people with certain disabilities. Amputees or those with certain congenital defects can't use biometric authentication systems. While it is proposed that an alternative system be established for such cases, Mark Ryan, Professor of Computer Security at the University of Birmingham, suggests they might cause embarrassment to those who have to use them.

Privacy concerns: Biometric systems will need big databases for obvious reasons. Since they access personal data, including that of sensitive agencies like law enforcement and private corporations, ensuring privacy is imperative.

Conclusion

Biometric identification has tremendous potential as a foolproof, secure and cost-effective method of authentication, which may be used for all kinds of payment and monetary transactions.

Sankhanil Chakraborty
Senior Consultant
Infosys Finacle
About Infosys Finacle

Infosys Finacle partners with banks to simplify banking and arms them with accelerated innovation to build tomorrow's bank, today.

For more information, contact

2015 Infosys Limited, Bangalore, India. All Rights Reserved. Infosys believes the information in this document is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of other companies to the trademarks, product names and such other intellectual property rights mentioned in this document. Except as expressly permitted, neither this documentation nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, printing, photocopying, recording or otherwise, without the prior permission of Infosys Limited and/or any named intellectual property rights holders under this document.