Biometrics are continuing to gain relevance and popularity everyday, especially during the pandemic. According to an SPA report, biometric payment cards are predicted to become mainstream in 2022. Governments are using biometrics alongside citizen digital IDs and airports are adopting the technology too.
Even with the ongoing roll out of biometrics, there’s still a substantial gap between people’s comfort levels and using biometric authentication (outside of unlocking their phones).
This gap poses an important question: why are people hesitant?
While you can guess some reasons ( perhaps even based on your own opinions), not all of the answers to this question are straightforward. In this post, we’ll explore people’s attitudes around biometrics and the qualities companies and governments need to design into their biometric systems in order for people to willingly use them.
In 2019, surveys showed that people felt skeptical of biometrics- its security, safety and the possible threat to privacy. In a Paysafe Group report, they found that 56% of people in the U.S. and U.K. were concerned with switching from online passwords to biometrics, citing concerns around identity fraud. An additional reason for hesitance was a lack of trust - 45% of respondents didn’t want companies to have access to their biometric data.
According to a handful of 2021 surveys conducted by different companies, people do seem to be warming up to the idea of using biometrics for more everyday uses, especially since the pandemic began.
An independent survey sponsored by Idemia, a biometrics company, found that 4 in 5 people are wanting to try biometric payment cards. Another 2021 survey done by FIDO Alliance showed that 32% of consumers believe biometrics are the most secure way to login to an app, accounts and devices ( compared to 19% believing passwords were the most secure).
The discomfort around biometrics
People hold many reservations around using biometrics for different parts of their lives. The following reasons were discussed in a webinar done by Liminal, a consulting company working with companies in the fintech, digital identity and cybersecurity spaces.
Why people aren’t willing to give widespread biometrics a try:
- Giving away biometric data makes consumers feel like they have skin in the game and want to protect it more.
- External biometrics have association with crime: background checks, police stations, the government, etc.
- People get wary of not understanding how biometrics are stored.
- Consumers want to feel control over data, which is why many people say no to biometrics.
Margaret Cunningham, Principal Research Scientist, G2CI at Forcepoint mentioned in the webinar that “biometrics needs a rebrand” due to its association with criminality and law enforcement. I’d argue that beyond this historical association, past and present failures of biometric authentication are coloring the public’s perceptions too.
The reality is that if biometric systems aren’t designed and executed responsibly and in compliance with privacy regulations, the potential for expanding the use of biometrics is threatened.
Designing acceptability into biometric authentication
Whether its customers, employees or people entering a stadium, everyone deserves to know the basics before agreeing to biometrics and experience a well-designed system. The following are qualities companies and governments should consider including in their biometric authentication experience.
Proportionality means that the need for using biometrics is equal to the circumstances it’s being used in. Asking for more biometric data than is needed or for reasons that aren’t essential to the use case, are not proportional.
For example, a company asking for someone to authenticate their identity with an iris scan at the grocery checkout so that they can market products to that person, is non-essential and it’s an abuse of personal privacy.
Transparency & clarity
People need to be well educated on the essentials before they consent to using a biometric system: how their data is stored, their privacy rights and the scope of the biometric being used.
An important note: this information shouldn't be communicated in pages of legalese that people will mindlessly scroll through. It should be shared in a simple, engaging way that communicates the basics. It could be a series of short videos, an animated presentation - as long as it’s a format that anyone can understand.
Without proper education, people feel confused about how biometrics works in the first place and naturally won’t want to give away such sensitive information. Information is power, and without it, people will experience fear and helplessness in giving away their biometric data.
It’s one thing to claim that people’s data is secure and not being sold for profit, but the actions of the company or government must back it up. The public’s trust is hard to earn and easy to lose. Also, consider how we live in a time of distrust. Misinformation is purposefully spread for political gain and profit, and it has bred a deep sense of skepticism in societies across the globe.
More than ever, people value accurate information and companies coming through on their promises.
An interesting violation of trustworthiness was brought up in the report Biometric Recognition: Opportunities and Challenges, done by the National Research Council (US) Whither Biometrics Committee; Pato JN, Millett LI, editors.
They discuss “mission creep”, which was originally a military term used to describe the gradual shift in objectives over the course of a military campaign.
An example of mission creep with biometrics would be if a company told their employees they were using finger vein scanning for clocking in/out of work, but over time decided that they’d also use it to track employees’ locations throughout the workday.
This change would become an issue for a few different reasons:
- Violation of privacy due to constant surveillance.
- Absence of communication - not notifying employees of this change.
- Non-consensual use of biometrics because the employees didn’t agree to this change.
In this case, intentionality refers to creating a biometric system with the understanding of who will be using the system and catering it to them. Users of biometric systems might include travelers, people whose first language is not the native language of the country where the biometrics will be used, and so on.
Again, according to Biometric Recognition: Opportunities and Challenges, the authors discuss ideas for those creating biometric systems:
“How the system will be perceived in its user communities as well as possible side effects, even if the system is accurate and robust—must be considered when first examining the solution space.”
For example, if an American biometrics company set up an identity authentication system in a country whose custom is for women to wear burqas, and then chose facial recognition as the modality, they wouldn’t be approaching the project with intentionality. They’d end up offending another culture’s way of life and alienating a large demographic of people.
Final thoughts on acceptability
We owe people acceptability. People’s hesitance to try biometrics in more areas of their lives isn’t a measure of stubbornness, but of self-preservation. Cheap tactics like incentivizing use isn’t what makes a system user-friendly and trustworthy. Designing a system for acceptability from the beginning is what matters. Biometric authentication should always serve people first.