Indian Banks set a Global benchmark – the Biometric Way

About a year back, faced with the potential vulnerability of such security tools as passwords, tokens, OTPs and other traditional forms of authentication to the risk of loss, theft, phishing and duplication, Public Sector banks across India undertook a mammoth program to secure access to their core banking systems using biometrics as a second factor of authentication besides an employee’s password. The program, which aims to biometrically secure the access of over 500,000 employees to Core Banking Systems (CBS) across all Public Sector banks, is perhaps the largest organised deployment of biometrics across the corporate sector globally, not just across the banking sector.

Smart Chip, having enabled most Public Sector Banks, already covering over 400,000 bank employees, traversed this unique journey, which revealed interesting aspects of biometric technology to the banks. Before we get into the various technology aspects, I find it extremely interesting to note that this has been one of the few technology rollout programs to enjoy consistently vibrant support from its user community, as it ultimately secures each user against an assault on their identity and rights. Armed with biometric security, the bank users feel safe against the hitherto potential threat of impersonation. While biometric security is now firmly ensconced at most Public Sector banks, the path to this was one of learning for all stakeholders.

In simple terms, the technology adopted by the banks allows them to biometrically enrol each bank employee, biometrically de-duplicate each employee, and, at the time of CBS login, in addition to verifying an employee’s password, also authenticate the employee’s live fingerprint against their reference template stored in the biometric database. The technology, though it may sound simple, is not trivial: sophisticated, compute-intensive, performance-oriented systems power the entire process on state-of-the-art computing platforms. With a layer of biometric security working over the existing CBS and becoming a gateway to CBS, the authentication systems have to be highly reliable, available and scalable.

While fingerprint scanners have been the most visible components of the banking solutions, and of course their features are critical, it was an early realisation for most banks that systems that provide security really need to ensure “end-to-end” security, offering not just high quality and accuracy of matching, but also an inherent ability to prevent man-in-the-middle and replay attacks. While there is no doubt that biometrics offers unmatched security, it is also important to note that, unlike passwords and PINs, you cannot change your biometrics. So a system using biometrics has to ensure the highest form of security to prevent theft of biometrics, which may sound dramatic, but is easily achieved by biometric sensors capable of encrypting captured fingerprints on the sensor itself – virtually eliminating all possibilities of fingerprint theft along the entire chain of security from the sensor to the backend biometric engines. Imagine the power of such a feature when coupled with randomness / session-uniqueness features – you have virtually eliminated all possibilities of not just theft but any replay.
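The session-uniqueness idea described above can be sketched as a challenge-response check; this is an added illustration, not code from Smart Chip or the banks' systems. It assumes a per-sensor shared secret and treats the on-sensor-encrypted capture as an opaque `sealed` blob; `AuthServer`, `session_tag`, `NONCE_TTL` and the device name are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 30  # seconds a challenge stays valid (assumed value)

def session_tag(key, device_id, nonce, sealed):
    # Computed on the sensor and recomputed by the server. Each field is
    # length-prefixed so field boundaries cannot be shifted.
    msg = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (device_id.encode(), nonce, sealed))
    return hmac.new(key, msg, hashlib.sha256).digest()

class AuthServer:
    def __init__(self, device_keys):
        self.device_keys = device_keys  # device_id -> per-sensor secret
        self.pending = {}               # issued nonce -> expiry time

    def new_challenge(self, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = now + NONCE_TTL
        return nonce

    def verify(self, device_id, nonce, sealed, tag, now=None):
        now = time.time() if now is None else now
        key = self.device_keys.get(device_id)
        if key is None:
            return "unknown-device"
        expected = session_tag(key, device_id, nonce, sealed)
        if not hmac.compare_digest(expected, tag):
            return "bad-tag"
        expiry = self.pending.pop(nonce, None)  # single use: consumed here
        if expiry is None:
            return "replayed-or-unknown-nonce"
        return "ok" if now <= expiry else "expired"

def demo():
    key = secrets.token_bytes(32)
    server = AuthServer({"scanner-01": key})
    sealed = b"constructed-ciphertext-of-one-capture"  # constructed sample
    n1 = server.new_challenge(now=1000.0)
    tag = session_tag(key, "scanner-01", n1, sealed)
    first = server.verify("scanner-01", n1, sealed, tag, now=1001.0)
    replay = server.verify("scanner-01", n1, sealed, tag, now=1002.0)
    n2 = server.new_challenge(now=1003.0)  # same capture, new session
    cross = server.verify("scanner-01", n2, sealed, tag, now=1004.0)
    return first, replay, cross
```

The first submission is accepted, the identical resubmission is rejected because its nonce was already consumed, and the same captured response fails the tag check when presented against a later session's nonce.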

While the efficacy of biometrics was long accepted, it is important to mention that for the first time in India, the standardisation of biometrics, including equipment and processing, brought about by UIDAI under the Aadhaar program has, in more ways than one, simplified the adoption of biometrics across varied applications.

The banking industry in India is a ready success story of biometric solutions – backend biometric engine and front-end fingerprint devices – with over 400,000 bank employees actively using biometric second-factor authentication every day. This Indian story has not just stretched the imagination of the biometrics industry but set a ready blueprint for the banking sector across the world for the adoption of biometrics for internal system security. The possibilities from here on are immense – biometrics can not only secure access; a user’s biometrics can also be used to approve critical business transactions, almost as a substitute for a digital certificate, in particular with biometric technology which allows for embedding digital certificates.

The Banking story offers a ready case for the corporate sector in general, where the security of corporate and transactional systems is a critical consideration. The possibilities for harnessing the strengths of biometrics go beyond the traditional boundaries of any large corporate, and I can already see several other sectors creating yet another success story, close on the heels of what the Indian Banks have achieved.