What is Biometric Authentication?

Biometric authentication uses unique physical characteristics — fingerprints, facial features, iris patterns, or voice — to verify a person's identity for payments and account access.

What Is Biometric Authentication?

Biometric authentication is a security method that verifies a person's identity using their unique physical or behavioural characteristics. Instead of remembering a password or carrying a security token, you prove who you are using something inherent to you -- your fingerprint, your face, your voice, or the pattern of your iris.

The concept is not new. Fingerprints have been used for identification for over a century. But the technology that makes biometric authentication practical for everyday payments and account access has only matured in the last decade, driven largely by the widespread adoption of smartphones with built-in fingerprint sensors and facial recognition cameras.

Today, biometric authentication is used across the payments industry -- from unlocking your phone to approve a contactless payment, to logging into your banking app with your face, to verifying your identity during a 3D Secure 2 challenge. It is also increasingly relevant to telephone payments, where voice biometrics can be used to verify a caller's identity.

Types of Biometric Authentication

There are several types of biometrics used in payment security, each with its own strengths and limitations:

Fingerprint Recognition

This is the most widely used form of biometric authentication. The sensor on your phone or device reads the unique pattern of ridges on your fingertip and compares it to a stored template. Fingerprint recognition is fast, accurate, and well understood by consumers. Its main limitation is that it requires a physical sensor, which means it is primarily used on devices rather than remotely.

Facial Recognition

Facial recognition uses a camera to map the unique features of your face -- the distance between your eyes, the shape of your cheekbones, the contour of your jaw -- and matches them against a stored template. Apple's Face ID and similar systems use infrared sensors to create a 3D map of the face, making them difficult to fool with photographs. Facial recognition has become the default biometric on many smartphones and is increasingly used for payment authentication.

Voice Recognition

Voice biometrics analyses the unique characteristics of a person's voice -- their pitch, tone, cadence, and the physical shape of their vocal tract -- to verify their identity. Unlike fingerprint or facial recognition, voice biometrics works over the telephone, which makes it particularly relevant for businesses that take payments or provide account access over the phone. The caller does not need any special equipment; the authentication happens using the audio from the call itself.

Iris and Retinal Scanning

These methods use the unique patterns in the iris (the coloured part of the eye) or the blood vessel pattern in the retina to verify identity. They are extremely accurate but require specialised hardware, making them more common in high-security environments like government facilities and border control than in everyday payment scenarios.

Behavioural Biometrics

This is a newer category that analyses how you interact with your device rather than your physical features. The way you type, how you hold your phone, the speed and pressure of your screen swipes, and your mouse movement patterns are all unique to you. Behavioural biometrics can run continuously in the background, providing ongoing authentication without any conscious action from the user.

How Biometric Authentication Works in Payments

In a typical payment scenario, biometric authentication works as follows. The customer initiates a payment (online, in-app, or in person). The payment system requires authentication before the transaction can proceed. The customer is prompted to verify their identity using their biometric -- placing their finger on the sensor, looking at their phone's camera, or speaking a phrase. The biometric data is compared against the stored template, and if it matches, the transaction is authorised.

Crucially, when the biometric is checked on the customer's own device (a phone's fingerprint sensor or face unlock), the raw biometric data (the fingerprint image, the facial map) is not transmitted to the merchant or the payment processor. The match happens locally, typically inside the device's secure hardware, and the device then attests to the payment system that the user has been verified. In practice this means signing a server-issued, single-use challenge with a private key that only a successful biometric match unlocks; the payment system checks the signature against the public key registered at enrolment and never sees the biometric itself. This is an important privacy protection: the template never leaves the device. The exception is server-side biometrics such as the voice verification described below, where the provider necessarily stores a voiceprint and must protect it accordingly.

In the PSD2 framework, biometric authentication is the "something you are" (inherence) factor in Strong Customer Authentication. It is combined with "something you have" (the enrolled smartphone) and/or "something you know" (a PIN or password) to meet SCA requirements. The regulatory technical standards require the factors to be independent, so that compromising one does not compromise the others; in practice this means the possession factor is bound to the specific enrolled device, not to any handset that claims a biometric match.

Biometrics in Telephone Payments

The telephone payment channel has historically relied on knowledge-based authentication -- asking callers security questions like their date of birth, mother's maiden name, or the last four digits of their card number. This approach is fundamentally weak because knowledge can be stolen, shared, or guessed. Data breaches have made vast amounts of personal information available to criminals, undermining the effectiveness of knowledge-based checks.

Voice biometrics offers a compelling alternative for telephone payment authentication. Here is how it typically works:

  • Enrolment -- during an initial call or through a separate setup process, the customer's voice is recorded and analysed to create a voiceprint, a statistical model of the distinctive characteristics of their voice and vocal tract. A voiceprint is a template rather than a recording, and later comparisons against it produce a similarity score that is judged against a threshold, not an exact match
  • Verification -- on subsequent calls, the system analyses the caller's voice in real time (usually during the natural conversation, without requiring them to say a specific phrase) and compares it against the stored voiceprint. If it matches, the caller is authenticated
  • Continuous authentication -- some advanced systems continue to monitor the voice throughout the call, not just at the beginning, to detect if a different person takes over the conversation

Voice biometrics can significantly reduce the time spent on identity verification during calls, improving both security and customer experience. Instead of asking multiple security questions (which frustrates callers and takes up agent time), the system can verify the caller's identity within seconds of them starting to speak.
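The enrolment, verification and continuous-authentication steps above all come down to one decision layer: a similarity score per stretch of audio, a threshold, and a rule for what to do when the score is low. The following is an added example (not Paytia's code, and not any voice-biometrics vendor's API) showing that layer in isolation. The genuine and impostor scores, the per-call segment scores, the 0.05 false-accept budget and the two-segment rule are all constructed for the illustration; a real system gets scores from a speaker-verification model and tunes these numbers on its own data. It also handles the edge case the page raises later: one noisy segment does not trigger a step-up, a sustained drop mid-call does, and a bad line from the start routes to another factor instead of a flat rejection. Note that thresholds do nothing against recorded or synthesised speech; that needs separate liveness checks.

```javascript
// Added example (not Paytia's code): picking a voice-verification threshold
// from genuine and impostor scores, then applying it segment by segment
// through a call. All scores below are constructed; a real deployment gets
// them from a speaker-verification model and tunes the numbers on its own data.

// Similarity scores (0..1) between call audio and the enrolled voiceprint.
const GENUINE_SCORES  = [0.82, 0.79, 0.91, 0.74, 0.88, 0.63, 0.85, 0.77, 0.93, 0.71];
const IMPOSTOR_SCORES = [0.21, 0.35, 0.48, 0.30, 0.55, 0.27, 0.41, 0.62, 0.33, 0.44];

// False accept rate (impostors passing) and false reject rate (genuine
// callers failing) at a given threshold.
function errorRates(threshold, genuine, impostor) {
  const far = impostor.filter(s => s >= threshold).length / impostor.length;
  const frr = genuine.filter(s => s < threshold).length / genuine.length;
  return { threshold, far, frr };
}

// Sweep thresholds from 0.50 to 0.95 and take the lowest one whose FAR is
// within budget. In payments a false accept is a fraud loss, while a false
// reject only costs a fallback to another factor, so FAR is the constraint.
function chooseThreshold(genuine, impostor, maxFar) {
  for (let t = 0.5; t <= 0.951; t += 0.05) {
    const r = errorRates(Number(t.toFixed(2)), genuine, impostor);
    if (r.far <= maxFar) return r;
  }
  return null;
}

// Continuous check: returns the index of the first segment in a run of
// `minRun` consecutive below-threshold segments, or -1. Requiring a run
// keeps one noisy segment (traffic, a cough) from triggering a step-up.
function firstSustainedDrop(segmentScores, threshold, minRun) {
  let run = 0;
  for (let i = 0; i < segmentScores.length; i++) {
    run = segmentScores[i] < threshold ? run + 1 : 0;
    if (run >= minRun) return i - minRun + 1;
  }
  return -1;
}

// Whole-call decision: verify on the opening segments, then keep watching.
// 'step_up' hands the caller to another factor rather than rejecting outright.
function decideCall(segmentScores, threshold) {
  const opening = segmentScores.slice(0, 3);
  const meanOpening = opening.reduce((a, b) => a + b, 0) / opening.length;
  if (meanOpening < threshold) return { decision: 'step_up', reason: 'opening verification failed', at: 0 };
  const dropAt = firstSustainedDrop(segmentScores, threshold, 2);
  if (dropAt >= 0) return { decision: 'step_up', reason: 'possible speaker change', at: dropAt };
  return { decision: 'accept', reason: 'verified throughout', at: -1 };
}

// Constructed per-segment scores for three calls.
const CALL_GENUINE  = [0.84, 0.81, 0.79, 0.88, 0.62, 0.86, 0.83]; // one noisy segment
const CALL_HANDOVER = [0.86, 0.83, 0.80, 0.78, 0.41, 0.37, 0.39]; // second person takes over
const CALL_NOISY    = [0.55, 0.48, 0.60, 0.58, 0.52, 0.57, 0.50]; // bad line from the start

const OPERATING_POINT = chooseThreshold(GENUINE_SCORES, IMPOSTOR_SCORES, 0.05);
console.log(OPERATING_POINT);
for (const call of [CALL_GENUINE, CALL_HANDOVER, CALL_NOISY]) {
  console.log(decideCall(call, OPERATING_POINT.threshold));
}
```

With these constructed scores the sweep settles on 0.65, where no impostor passes and one genuine caller in ten is sent to the fallback; the point of the exercise is that the threshold is chosen against a false-accept budget, and that the fallback path is part of the design rather than an afterthought.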

Why Biometric Authentication Matters for Businesses

Biometric authentication addresses several key challenges that businesses face:

  • Stronger security -- biometrics cannot be phished, guessed or reused from a breached password list; a leaked security answer is no use against a fingerprint sensor. They are not unforgeable, though: recorded or synthesised speech, printed or moulded fingerprints and high-quality face copies are known presentation attacks, so liveness (anti-spoofing) checks are part of any serious deployment, and a biometric should gate a second factor rather than stand alone
  • Better customer experience -- customers generally prefer biometric authentication to remembering passwords or answering security questions. It is faster, easier, and feels more natural
  • Reduced fraud -- by making it harder for criminals to impersonate legitimate customers, biometric authentication reduces account takeover, identity theft, and unauthorised transactions
  • Regulatory compliance -- biometrics satisfy the "something you are" requirement under PSD2's Strong Customer Authentication, helping businesses meet their regulatory obligations
  • Operational efficiency -- in contact centres, voice biometrics can reduce average call handling time by eliminating or shortening the identity verification step, directly reducing costs

Privacy and Ethical Considerations

Biometric authentication raises important privacy questions that businesses need to take seriously. Biometric data is, by its nature, permanent and cannot be revoked: you cannot change your fingerprint or your voice the way you can change a password. If biometric data is compromised, the consequences are lasting, which is why the device-local model described above, where no usable biometric ever reaches a server, is preferable wherever the channel allows it.

Under GDPR (Article 9) and the UK Data Protection Act 2018, biometric data processed for the purpose of uniquely identifying a person is "special category data". Processing it is prohibited unless a specific condition applies; for commercial authentication the condition relied on is almost always the customer's explicit consent, the processing must be covered by appropriate safeguards, and in practice a data protection impact assessment is expected. Businesses that use biometric authentication need to be transparent about what data they collect, how it is stored, who has access to it, and how long it is retained.

Best practices include:

  • Storing biometric templates (mathematical representations of the biometric) rather than raw recordings or images, and treating the templates themselves as special category data, since a template still identifies the person and some template formats can be partially reversed
  • Encrypting all biometric data at rest and in transit, with keys held separately from the data
  • Minimising the number of systems and people with access to biometric data
  • Giving customers a clear choice to opt out and use alternative authentication methods
  • Being transparent about your biometric data practices in your privacy policy

Practical Considerations

If you are considering implementing biometric authentication, whether for online payments, in-app purchases, or telephone payments, here are some practical points:

  • Offer alternatives -- not all customers can use biometrics. Some have accessibility needs that make fingerprint or facial recognition difficult. Always provide an alternative authentication method
  • Plan for edge cases -- voice recognition can be affected by illness, background noise, or a poor phone connection. Treat a borderline score as inconclusive and step up to another factor rather than accepting or rejecting on it alone; your system needs graceful fallback options when biometric verification fails for legitimate reasons
  • Consider the enrolment process -- for voice biometrics, the initial voiceprint creation needs to be done securely and with the customer's informed consent. This is a one-time step, but it needs to be handled well
  • Stay informed about regulation -- the regulatory landscape around biometric data is evolving. Keep up with changes to data protection law and industry standards

How Paytia Uses This

Paytia's PCI DSS Level 1 certified platform incorporates biometric authentication as part of its thorough security approach. By processing phone payments through DTMF suppression, Paytia ensures card data is protected at every stage.

Frequently Asked Questions

What is biometric authentication?

Biometric authentication uses unique physical characteristics — fingerprints, facial features, iris patterns, or voice — to verify a person's identity for payments and account access.

Why is biometric authentication important for PCI DSS?

PCI DSS does not require biometrics as such. Requirement 8 calls for multi-factor authentication for access to the cardholder data environment, using at least two of something you know, something you have and something you are, and biometrics are one accepted way to provide the "something you are" factor. Biometric checks on the customer's own phone for payment authorisation sit outside PCI DSS; they matter for PSD2 Strong Customer Authentication, as described above.

How does Paytia handle biometric authentication?

Paytia implements biometric authentication as part of its PCI DSS Level 1 certified infrastructure, ensuring all phone payments are processed securely.
