2019-1-21 Biometric Customer Authentication: Love, Hate and Ambivalence in Equal Measures

Biometric Customer Authentication: Love, Hate and Ambivalence in Equal Measures
Published 12 May 2016 - ID G00303234 - 19 min read
ARCHIVED This research is provided for historical perspective; portions may not reflect current conditions.
By Analysts Alistair Newton, Ant Allan

Supporting Key Initiative is Delivering the Digital Banking Experience

Growing opportunities and threats in the digital banking market compel CIOs and digital leaders to seek
stronger, but user-friendly, customer authentication. Consumers, however, have widely different levels of
understanding of, and tolerance for, new solutions such as biometric technologies.

Overview
Key Findings
■ As the use of digital technologies by customers grows, the means by which a bank authenticates those
customers to bank products and services will start to differentiate the institution.

■ Banks will need to deploy stronger, user-friendly, customer authentication if they are to balance the need for
seamless customer access with those of security, transparency, data integrity and fraud prevention.

■ The expanded use of fingerprint-based authentication, such as Apple's Touch ID, for some mobile payment
and mobile banking applications, has set the ball rolling in terms of bank adoption.

■ Consumer desire to adopt and use such solutions varies hugely across countries, regions and customer
segments.

■ Consumer understanding of how biometric authentication solutions actually work is understandably low,
resulting in serious misconceptions as to the threats they pose and the benefits they bring to a user.

Recommendations
Digital leaders and CIOs should:

■ Reappraise their strategies for customer authentication across all channels as it increasingly becomes a
differentiator in the customer experience space. They must, however, recognize that customers still value
absolute security above pure convenience.

■ Assess and deploy technology solutions that place the bank front and center in the authentication value chain.
Third-party proprietary solutions (such as Touch ID) may have a role to play for some banks, but many banks
will require greater control over the technology.

■ Initiate a substantive and wide-ranging education program for customers and staff on the realities and the
myths surrounding biometric authentication.

Analysis
User-Friendly Bank Customer Authentication Remains a Quest
Customer authentication has for many years been an area where the security of the bank, and the integrity and
confidentiality of customer data, have been the primary driving force in the selection of technology. While
customer experience will have been part of the selection criteria, too often it has not had the primacy that it
deserves, resulting in a customer experience that has often been suboptimal at best.

With the rise of biometric customer authentication solutions — most notably the fingerprint solutions from the
likes of Apple, Samsung and others — the expectation from customers and many within the banking industry has
changed. The ability to deliver great customer experience has been aligned to an increasing need for the banking
industry to enhance the strength and capability of customer authentication. Many banks and credit unions in the
United States were initially exposed to the use of biometric customer verification technology as they signed up to
offer their customers the Apple Pay mobile payment solution, which used Apple's Touch ID to enable customers
to authorize a payment. However, many of those institutions found that those initial steps toward offering a
mobile payment solution, rather than enhancing the digital credentials of the bank, simply highlighted a new truth
in the eyes of many of their customers, namely the lack of consistency in how the institution authenticated their
identity. The one solution leveraging a user-friendly (for most customers, at least) customer authentication
technology — matching a user's fingerprint on a mobile device — enabled customers (theoretically, at least) to
buy anything from a newspaper to an automobile with a touch of their thumb. That stood in contrast to the
perception of the less user-friendly nature of many customer authentication solutions currently used by most
banks to allow customers access to basic balance inquiries or transaction histories during a mobile banking or
e-banking session.

As a consequence of this obvious lack of consistency, and more generally an increasing acceptance of the day-to-day
use of fingerprint-based authentication for a range of other mobile applications (social media login,
mobile commerce transactions and the like), increasing numbers of banks are starting to assess or move to the
use of biometric customer authentication. The bulk of the early public domain deployments have focused on the
reuse of Apple's Touch ID; however, banks increasingly are looking beyond such proprietary technologies to
deploy a wider range of solutions.

Gartner views such early moves to improve the customer experience associated with customer authentication
as positive. However, there remain significant issues that need to be addressed:

■ The primacy of the technology itself in the eyes of customers. In the context of authenticating for financial
services products and services, some customers view bank-owned authentication technologies more
positively than those embedded solutions delivered by mobile vendors like Apple and Samsung.

■ Embedded biometric authentication technologies vary in strength, integrity and performance. Matching the
strength and customer experience of a solution to the associated risk and context will be key to successful
deployment.

■ The education of customers and staff on the realities of biometric authentication: what it really is and what it
isn't, as well as the myths and the misinformation that surround the space.

In this research, Gartner focuses specifically on only three biometric modes:

■ Fingerprint

■ Face recognition

■ Voice recognition

This focus is based on the simple premise that a full analysis of the broad range of available biometric
authentication solutions is already available (see "A Taxonomy of User Authentication Methods"
(https://www.gartner.com/document/code/262913?ref=grbody&refval=3315921) and "Applying Biometrics for
User Authentication" (https://www.gartner.com/document/code/258371?ref=grbody&refval=3315921)).
Notwithstanding other customer authentication technologies (such as scleral vein, those using an
individual's ECG trace, or more passive solutions such as gesture dynamics), these three modes encompass the
vast majority of existing short-term customer-facing deployments within the retail banking sector. Coverage and
discussion will be limited to the use of such technologies for access to e-banking and mobile banking services.
This research does not discuss the deployment of integrated biometric solutions in ATMs or for physical access
to bank branches or premises.

In this research, Gartner has used the term "bank-owned" when referring to solutions such as "face recognition"
or "voice recognition" — as distinct from those fingerprint-focused solutions delivered by the likes of Apple and
Samsung — to ensure that those consumers surveyed could understand the specific distinction across their
obvious variations in technology knowledge and national language. Readers of this document may prefer the
more technically precise descriptor "bank-curated" rather than "bank-owned," given that, ultimately, all biometric
authentication solutions are sourced from third-party providers.

Most existing customer authentication solutions used for e-banking and mobile banking applications have
developed over a number of years to a point whereby they have proved adequate for purpose — but no more than
that. The move to mobile devices has added further complexity and risk — and a demand for better customer
experience. As increasing numbers of bank customers adopt the mobile banking channel as their primary means
of accessing and managing their bank accounts, banks have chosen to manage customer authentication in a
number of ways, partly by enhancing the authentication technologies deployed and adopting layered checks
that may include multiple data points such as device identity or even customer location. However, many banks
address the increased risk by simply limiting what a customer can do on channels such as the smartphone or
tablet.

A bank may associate a higher risk with a customer payment request when that request is initiated from a
mobile banking session, rather than from an e-banking session from a laptop or desktop PC. Consequently, such
banks have restricted account functionality perceived as high risk, such as setting up new payees or changing
the home address for an account holder, to existing e-banking channels. Not all banks have taken this approach.
Indeed, some have taken a more holistic view on balancing and managing risk. For example, such banks leverage the
unique identifiers associated with a customer's preregistered mobile phone to allow customers to download and
use single-function "quick balance" apps. This provides customers with access to their account balances without
the need for any additional login. However, from a customer point of view, moves to a strong — yet user-friendly
— form of biometric authentication should enable banks to provide a more integrated and consistent approach
across all their channels and service provisions.

Not All Authentication Techniques Are Equal in the Eyes of Customers


We must be clear. Customer authentication currently is not a topic that annoys or irritates most customers to the
extent that they end up leaving an institution. Indeed, many customers are willing to put up with authentication
methods that might be perceived as inelegant because they trust their banks to protect their money and data.
More subtly, it means that they trust that their banks wouldn't make them jump through hoops unnecessarily, and
that all this pain actually does help protect their money and data. However, it is entirely possible that some
customers may choose to access the bank less frequently because of these hoops than they might otherwise
do, or use bank products less frequently.

Recent Gartner focus group conversations with retail banking customers in the U.S. highlight this balance
between security and accessibility. A consensus from those customers was that existing login procedures
provided by their banks are as secure as anything can be, although they also accept that nothing is 100%
secure. Here are some typical, verbatim, customer comments:

■ "They (the bank) protect it as well as anybody else in today's world. Nothing is 100% secure."

■ "…a complex login and password … can prevent unwanted access … if someone wants my data they will get it."

Even the more digitally aware customers, who recognize that alternatives are available, maintain a reasonable
perspective on the risks of digital banking:

■ "The fingerprint … probably keeps others from logging in on my phone, but the account itself is vulnerable."

However, across the interactions, all the customers were absolutely consistent — this was their money and their
data and they would opt for security over convenience every time. Additionally, it was clear that those customers
understood that biometric authentication solutions would likely enhance the level of security. This was mixed,
however, with concerns over usability — that they could become locked out of their accounts because of a
"failure" of a biometric solution.

Banks that are considering moving to new customer authentication technologies, such as biometric methods,
must take the nuances within this consensus to heart — focusing solely on convenience over security will not
win the day, and customers need to be convinced of the underlying rationale of any such moves. In the
meantime, banks still have much work to undertake in convincing all of their customers that a move to biometric
authentication is a positive step forward for customers. Figure 1 outlines findings from Gartner's 2015 digital
banking survey of retail banking customers across 10 countries. While significant percentages of customers see
the potential benefits of biometric solutions, many remain skeptical or concerned.

Figure 1. Customers Who Consider the Bank Safe and Secure When Using Biometrics

Note: This represents the percentage of respondents with top two ratings (6 or 7 on a scale from 1 to 7, where 1 means not at all safe and secure; 7
means extremely safe and secure). From the Gartner Digital Banking Survey, 2015.
UAE = United Arab Emirates

Source: Gartner (May 2016)

Equally, banks must recognize that while at a technology level the strength and integrity of biometric solutions
are measurable and quantifiable, in the eyes of consumers not all biometric solutions deliver the same levels of
confidence and usability. Hence, responses from focus group participants — from digitally literate through to
highly analog customers — raised concerns about the accuracy/reliability and usability of voice biometrics. They
were worried that their voices could easily be imitated or that the technology would be unable to recognize them
due to illness or connectivity problems. While participants were more accepting of face recognition, similar
concerns on security and usability remained.

Banks must take a different, albeit customer-centric, view when deciding on specific technologies to deploy.
Gartner's 2015 digital banking survey also highlighted that retail banking customers see a difference between
customer authentication solutions that are provided directly by and "owned" or curated by the bank, versus
solutions provided by mobile vendors such as Apple or Samsung. Figure 2 and Figure 3 illustrate the retail
banking customer feedback from the survey. Differences in customer perception of safety and security ranged
from 10% to 31% in favor of bank-owned/curated biometric solutions, a significant factor that should be
taken into account when deciding on future solutions. Equally, the number of customers who were "undecided"
remains high, reflecting a mix of a real lack of understanding by customers of biometric technologies and an
ingrained trust and reliance on existing bank authentication solutions.

The extent to which local markets have been exposed to other forms of biometric identity solutions will also
influence customer perceptions. Markets such as India and Brazil, where citizens have already been exposed to
biometric-based national identity schemes, certainly show a more pronounced degree of positivity on the safety
and security of bank-owned/curated biometric solutions — much of the work in migrating users from a state of
uncertainty has already been undertaken. However, despite these regional peaks, one thing remains clear — a
significant mass of customers will need convincing that biometric-based authentication is safe and secure for
financial transactions, whether provided by a bank or a third party.

Figure 2. Safety and Security of a Bank-Owned Biometric Authentication Method

Note: This represents the percentage of respondents with the bottom two ratings (1 or 2), middle three ratings (3, 4, or 5) and two top ratings (6 or 7) on a scale
from 1 to 7, where 1 means not at all safe and secure; 7 means extremely safe and secure. From the Gartner Digital Banking Survey, 2015.

Source: Gartner (May 2016)

Figure 3. Safety and Security of a Third-Party Solution (Apple, Samsung or Google)

Note: This represents the percentage of respondents with the bottom two ratings (1 or 2), middle three ratings (3, 4, or 5) and two top ratings (6 or 7) on a
scale from 1 to 7, where 1 means not at all safe and secure; 7 means extremely safe and secure. From the Gartner Digital Banking Survey, 2015.

Source: Gartner (May 2016)

Fingerprint-Based Authentication: Three Steps Forward, Two Steps Backward


Biometric authentication methods can provide improved user experience (UX; although this varies by mode and,
for some modes, by user), and increased trust and accountability (because biometric traits cannot be easily
shared with others as passwords and tokens can). While improved UX is a key objective for the adoption of
biometric authentication, its potential is not always fully realized. Fingerprint modes are the most common, but
many users (up to 15%; see "Applying Biometrics for User Authentication"
(https://www.gartner.com/document/code/258371?ref=grbody&refval=3315921)) have problems some of the
time, and a few users in a thousand are unable to reliably use these at all. Such issues have inhibited corporate
adoption (and erroneously tainted buyer attitudes to all biometric modes).

Figure 4 compares fingerprint against face and voice modes for a range of physical and usability attributes.

Figure 4. Key Attributes of Common Biometric Modes

Source: Gartner (May 2016)

■ Universality is a measure of how many of the intended users of a system possess that particular trait.

■ Distinctiveness is a measure of how easy it is to distinguish between individuals on the basis of a particular
trait.

■ Stability is a measure of how little or how slowly a particular biometric trait changes over an individual's
lifetime. These three are classed as physical attributes of biometric traits.

■ Measurability indicates how easy it is to acquire a biometric sample (for example, an image) and to process
and extract feature sets from that sample.

■ Performance relates to the accuracy and speed of the technology for acquisition, processing and extraction,
and matching.

■ Utility relates to how applicable a biometric trait is to solving identification and authentication problems.

■ Acceptability describes individuals' willingness to have their biometric trait captured and assessed.

■ Resistance to attack describes the ease with which a trait might be imitated using a facsimile (for example, a
"gummi" fingerprint, a photo). These five are classed as usability attributes of biometric traits.

Figure 4 represents the ideal; vendor implementations can fall short of that. In particular, while implementations
such as Apple Touch ID and similar technology in the Samsung Galaxy S5 (and later) might provide better UX
than legacy passcodes, the security value is limited in several ways:

■ Engineering decisions made by handset and OS vendors tend to favor processing efficiency and UX over trust
(for example, to reduce false nonmatch or rejection rates).

■ Power-on access still relies on a potentially weak passcode.

■ Accountability can be eroded when phones are shared and multiple users each enroll a fingerprint. (Android
Lollipop has multiuser support, but iOS does not.)

The matrix in Figure 4 doesn't consider technical implementation issues. Face and voice recognition modes can
be implemented in software on most devices, exploiting ubiquitous inputs (cameras and microphones), yielding
multiple benefits over embedded fingerprint sensors, which have limited penetration and whose behavior is
constrained by device and OS vendors' engineering decisions.

Passive biometric modes exploit the user's presence or normal activity when logging in and throughout a
session, making use of inputs already available on phones, as well as tablets and many PCs. Face recognition
can be implemented in this way; some less common modes, such as gesture dynamics, work this way by
default.

The apps or software development kits (SDKs) that handle the biometric capture can also embed public-key
credentials for message integrity and proof of origin, adding to the level of trust. Where APIs are available,
nascent frameworks, such as that defined by the Fast IDentity Online (FIDO) Alliance, can be used to propagate
authenticated identities to downstream services.

Education of Staff and Customers Will Be Key to Adoption


Whatever the legal status, privacy concerns are often cited as having the largest effect on the acceptability of
biometric technologies.

For example, it has long been reported that the association of fingerprints with criminality, and putative
government or law enforcement abuse of the data, give rise to a widespread aversion to this biometric mode.
However, this does not seem to have been a significant barrier to the appeal of the most recent Apple and
Samsung mobile phones.

Surveys also find that people are significantly more accepting of the technology (whatever the mode) once they
have experienced it. Indeed, it is this lack of practical experience that needs to be factored into decision making
by banks because it can significantly influence consumer appetites for new authentication solutions.

The outputs from Gartner's recent surveys and focus groups highlight some very subtle messaging that banks
will need to undertake if they are looking for mass adoption of biometric customer authentication. While
independent authoritative studies on broad consumer acceptance of biometric solutions are thin, for day-to-day
use there seems to be a broader acceptance of face recognition over fingerprint. In most countries, the face is
socially accepted as how we recognize one another. In turn, voice recognition has higher acceptability (as shown
in Figure 4). However, for banking purposes — and specifically the capability for customers to access their
accounts and their own money — many customers highlight high degrees of uncertainty and plain skepticism on
the practical use of biometric technologies. This difference in opinion pivots on a nervousness in the eyes of
those customers — the potential inability for them to access those accounts and funds if they are forced to
adopt or use a new technology by their bank.

So why change something that in customers' eyes is not broken and serves the purpose? This is a question
banks can help answer if they address this nervousness. They must reassure customers that even if the
technology fails, they will have other options for accessing their accounts. Other issues and misconceptions will
also need to be addressed. One of the privacy objections revolves around a misconception that the system
stores captured images and other samples. In fact, while that is the case in some government schemes,
commercial biometric systems store only encoded data about key features extracted from the biometric sample,
and it is not possible to reconstruct the image from that encoded data. Clear communication about what data is
stored can go a long way to mitigating privacy concerns. (This has been an effective strategy in some U.K.
schools introducing biometric technology for recording attendance or library borrowing, pre-emptively allaying
parents' fears about their children's privacy.)

Bottom Line
Widespread adoption of biometric customer authentication solutions is not a given. Banks will need to:

■ Educate customers and staff.

■ Provide clear guarantees on how the banks will use the technology and how they will protect customer data
and information.

■ Ensure that customers have alternative means of accessing accounts and funds if the biometric solution
should fail.

Addressing these factors will ameliorate most customer uncertainties and encourage increasing numbers to try
and then adopt these approaches.

Evidence
Survey Methodology

The Gartner Banking: Digital Consumer Survey, 2015, was fielded from August through September 2015 via
online methodology among 10,212 respondents in the U.S. (n = 1,000), Canada (n = 1,077), the U.K. (n = 1,005),
France (n = 1,002), Poland (n = 1,068), UAE (n = 1,024), India (n = 1,011), China (n = 1,003), Australia (n = 1,007)
and Brazil (n = 1,015). Respondents ranged from 18 through 74 years old; results are representative of the
respective online populations with respect to age, gender, region and income (except UAE).

The UAE sample accessed respondents from the three regions: Abu Dhabi, Dubai and Sharjah, and was drawn to
be representative of the online population with respect to age, gender and income.

Indicative precision level: At full count, the sampling error is +/- 3.1% at the 95% confidence level. Levels vary
depending on the number being measured, as well as specific data cuts applied.

Follow-up online focus groups were conducted to understand user experiences, and perceptions of banking and
usage of different financial products, and how technology can help better meet customer needs. Respondents
for three online focus groups were recruited from adults (18 through 70 years old) in major metropolitan areas
across the U.S. The discussions consisted of moderator-led text chats with the respondents logged in from their
homes. In total, 27 respondents participated.

© 2016 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates.
This publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the
opinions of Gartner's research organization, which should not be construed as statements of fact. While the information
contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the
accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues,
Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and
use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and
objectivity. Its research is produced independently by its research organization without input or influence from any third party. For
further information, see "Guiding Principles on Independence and Objectivity."
