Biometrics hit the headlines again recently with news that Barclays is rolling out voice recognition technology to its telephone banking customers as a replacement for passwords. In recent years, there has been an increased focus on biometrics, for example with many people getting used to fingerprint technology to access iPhones. It’s an interesting subject from a cybersecurity point of view, as any new technology brings with it the opportunity / threat of compromise, demonstrated, for example, by this story about exploring 3D printing to bypass fingerprint access to an iPhone.
With the news of Barclays voice recognition, I was approached by a few media outlets to comment on whether we are about to see the end of the password, and the cybersecurity implications of biometric systems, including this interview on Radio 4’s Today programme.
When I’m able to, I’m always happy to give my opinion to the media on issues which relate to cybersecurity, but with something like this it’s the opinions of the general public which interest me the most. After all, it’s the attitudes and behaviours of the ‘average user’ that we’re often trying to engage with and influence, so how do they feel about biometrics?
A few days ago, I asked members of the general public in the UK the following question:
Would you use a biometric system (voice activation, fingerprinting etc.) instead of a password to access your internet accounts (e.g email and online banking)?
1,003 people completed the survey, 51.6% were male and 48.4% female. The overall findings were:
The most popular response was that people would consider using a biometric system, at 35.5% of the sample, closely followed by those who would not use it because they don’t trust it, at 28.7%. Behind that were those who wouldn’t use it because they don’t understand it, at 22.3%, and finally the group of people who already use it, 12.9% of the sample. There was a tiny percentage of people, 0.6%, who selected ‘other’ and their responses included ‘don’t know’, ‘too tech’, ‘maybe’, ‘not sure’ and ‘boring’*. I could dismiss the respondent who inputted ‘boring’ but this response has value in itself. The response rate for this survey was only 15.4% and this could be related to the perception that cybersecurity is boring and onerous – a challenge the industry faces when trying to encourage engagement from the ‘average user’.
Returning to the top level findings, the proportion of people that either currently use a biometric system in place of a password, or would consider doing so, is 48.4% and those who would not use it either because they don’t trust it or don’t understand it is 51%. So there are marginally more people in this sample who reject, rather than feel quite comfortable with, biometrics. However, it’s such a small margin that it’s hard to put stock in it, and so it seems pretty much 50/50 whether people in the UK are willing to embrace biometrics or not.
When we unpick the data further, the findings offer more insight.
People in the East of England were most likely to consider replacing their passwords with biometric systems, at 52.9%, and Londoners were least likely, at 29.3%.
The East of England was the area which displayed the most trust in biometrics (only 16.7% rejected the idea of biometrics due to distrust). The least trusting place was the North East, with 34.8% of people from that area saying they would not use biometrics due to distrust.
Comparing how women and men feel about biometrics shows that men have more faith and trust in replacing their passwords with biometrics. The gap between women who would consider replacing their password with biometrics (33.2%) and those who would not trust it (30.5%) was much smaller than the gap between men who would consider it (39.7%) and those who do not trust it (27.3%).
When we breakdown the findings by gender and geography, we discover that the least trusting population is women from Wales, 43.5% of whom would not use biometrics due to distrust. This contrasts quite sharply with the most trusting population, men from the East of England, where only 10.3% reject biometrics due to trust issues.
Attitudes by Age
Attitudes to biometrics also varied according to age group, and probably not in the way many people would expect. It is often said that ‘millennials’ have a laissez-faire attitude to privacy and security. However, my findings here contradict the notion that 18-24 year olds are oblivious to issues of technology and security.
18-24 year olds were the age group least likely to consider replacing their passwords with biometrics, with only 25.4% of that age group saying that they would consider doing so. They were also the age group least likely to trust biometrics, with 38.1% saying they would not use biometrics in place of passwords because of distrust.
It’s interesting to speculate why attitudes to biometrics vary according to age. Perhaps the younger age group feel more comfortable with passwords, having grown up with the internet? Are the older age groups more willing to trust biometrics because they, perhaps, have more work accounts and are fed up with trying to manage so many passwords? Could it be that younger people are more privacy conscious, and more aware of the pitfalls of technology, and so more considerate of the risks of giving away their biometric data?
Sharing this article on Twitter elicited the following suggestion regarding why young people in the UK may be the age group most likely to distrust biometrics:
@drjessicabarker @cyberdotuk it would be interesting to cross check this with whether they had been required to use biometrics in school
— Jen Persson (@TheABB) August 19, 2016
At least 3,500 schools in the UK use biometric security systems and as this article highlights “a data breach will mean these type of scans will be untrustworthy for the pupils – for the rest of their lives”. Perhaps the very experience of being expected to entrust their schools with their biometric data has instilled in many young people an awareness of the potential pitfalls of such systems?
Without more research, it is impossible to know exactly why people feel differently about passwords depending on where they live, their gender and their age. However, if organisations want consumers to use biometrics more, they will need to address the sections of the population which are most sceptical about how biometrics work and whether the systems can be trusted. In particular, 18-24 year olds are an important cohort they will have to engage with if they are to have any success. The password isn’t going to die anytime soon if the younger generation has little trust in the alternatives.
*The two other responses from the ‘other’ field were ‘I have no biometric qualities’ and the most inane / depressing response, ‘rape’.