While biometric authentication is generally more secure than OTPs, advancing AI tools are making it easier for bad actors to imitate biometrics and steal users’ data
Banks in the UAE have completely moved away from traditional one-time passcodes (OTPs) and security PINs to in-app authentication, which typically uses biometric data to approve online transactions.
The shift was made to enhance security and in response to rising cases of phishing and fraud. However, the push toward biometric authentication has led some UAE residents to question the safety and security of such measures.
Consent and privacy concerns
“I understand why banks are strengthening security measures,” said Dubai resident Ann M., adding that scams and fraudsters have become all the more common nowadays. “But making biometric authentication mandatory raises concerns for me around consent, privacy, and responsibility.”
The media professional questioned the security of biometric authentication, noting that although it reduces the risk of remote fraud, victims remain susceptible to physical coercion.
“There is a valid trust issue, which means customers should be allowed to choose how to secure their device,” she added.
The Dubai resident said that while biometric security may be convenient and reduce certain types of fraud, consumers should still have the right to choose how they access and secure their own finances.
Harder to change biometrics
While biometric authentication is generally more secure than OTPs, ever-advancing AI technologies are making it easier for bad actors to exploit and imitate biometrics, extracting information that could be used to steal data, cybersecurity expert Maher Yamout told media.
Yamout, a lead security researcher at cybersecurity firm Kaspersky, explained that banks should encrypt and securely store biometric data to make it more difficult for scammers to access it. Unlike PIN codes or passwords, which can easily be changed if compromised, biometric data cannot be replaced once it leaks.
“Since biometric information cannot simply be changed like a password if compromised, organisations have a responsibility to adopt the highest levels of security to safeguard it from unauthorised access or misuse,” Yamout said.
The UAE Central Bank’s official rulebook states that banks should protect customers’ credentials against vulnerabilities and unauthorised access, and regularly monitor their biometric applications to detect any security breaches.
The most secure way to go about it, the expert said, is a combination of biometrics with PINs or other authentication factors. “This creates multi-factor authentication, requiring users to provide something they are (biometrics) and something they know (a PIN or password). Using two-factor, or even three-factor authentication, significantly reduces the likelihood of unauthorised access and strengthens protection for financial transactions and access to sensitive data,” he added.
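To make the two-factor scheme Yamout describes concrete, the following is an added, self-contained illustration; it is not code from the article, from Kaspersky or from any bank. It assumes the design common in phone banking apps: the fingerprint or face is matched on the device and only unlocks a device-bound key in the phone’s secure hardware, so the bank never receives a biometric template, only a signed challenge (something you are, bound to the device). The PIN (something you know) is stored server-side only as a salted PBKDF2 hash. The customer name, PIN, key sizes, iteration count, challenge lifetime, lockout threshold and the HMAC-based “signature” are all illustrative assumptions.

```python
"""
Two-factor verification: something you know (PIN) + something you are
(biometric that unlocks a device-bound key). Added example, not from the
article or any bank. All parameters below are assumptions for illustration.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000      # assumption: OWASP-recommended count for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 5          # assumption: lock the account after this many failures
CHALLENGE_TTL_SECONDS = 60       # assumption: a challenge is valid for one minute


class Enrollment:
    """Everything the server keeps for one customer. Note what is absent: no biometric."""

    def __init__(self, pin: str, device_key: bytes) -> None:
        self.pin_salt = os.urandom(16)
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, PBKDF2_ITERATIONS)
        self.device_key = device_key   # assumption: provisioned into the phone's secure hardware at enrollment
        self.failed_attempts = 0


class Device:
    """Simulated phone. The key is released only after a local biometric match."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key

    def sign_challenge(self, nonce: bytes, biometric_matched: bool) -> Optional[bytes]:
        if not biometric_matched:
            return None            # the secure element refuses to use the key
        return hmac.new(self._key, nonce, "sha256").digest()


class BankServer:
    def __init__(self) -> None:
        self.accounts: Dict[str, Enrollment] = {}
        self.pending: Dict[str, Tuple[bytes, float]] = {}   # user -> (nonce, issued_at)

    def enroll(self, user: str, pin: str) -> Device:
        key = os.urandom(32)
        self.accounts[user] = Enrollment(pin, key)
        return Device(key)

    def issue_challenge(self, user: str, now: Optional[float] = None) -> bytes:
        nonce = os.urandom(16)
        self.pending[user] = (nonce, time.time() if now is None else now)
        return nonce

    def verify(self, user: str, pin: str, nonce: bytes, signature: Optional[bytes],
               now: Optional[float] = None) -> bool:
        """Both factors must pass; a challenge can be consumed exactly once."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None or acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return False                                   # unknown or locked account
        issued = self.pending.pop(user, None)               # pop: a nonce is single-use
        if issued is None or not hmac.compare_digest(issued[0], nonce):
            return False                                   # nothing outstanding, or replayed/forged nonce
        if now - issued[1] > CHALLENGE_TTL_SECONDS:
            return False                                   # stale challenge
        pin_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", pin.encode(), acct.pin_salt, PBKDF2_ITERATIONS),
            acct.pin_hash,
        )
        expected = hmac.new(acct.device_key, nonce, "sha256").digest()
        bio_ok = signature is not None and hmac.compare_digest(expected, signature)
        if not (pin_ok and bio_ok):                        # both factors were computed; one failure rejects
            acct.failed_attempts += 1
            return False
        acct.failed_attempts = 0
        return True


def demo() -> Dict[str, bool]:
    """Constructed scenario: one customer, a good login and the failure modes worth testing."""
    bank = BankServer()
    phone = bank.enroll("ann", pin="4821")           # constructed sample customer and PIN
    out: Dict[str, bool] = {}
    n = bank.issue_challenge("ann")
    out["correct_pin_and_biometric"] = bank.verify("ann", "4821", n, phone.sign_challenge(n, True))
    out["replayed_challenge"] = bank.verify("ann", "4821", n, phone.sign_challenge(n, True))
    n = bank.issue_challenge("ann")
    out["wrong_pin"] = bank.verify("ann", "0000", n, phone.sign_challenge(n, True))
    n = bank.issue_challenge("ann")
    out["pin_without_biometric"] = bank.verify("ann", "4821", n, phone.sign_challenge(n, False))
    n = bank.issue_challenge("ann", now=1_000.0)
    out["expired_challenge"] = bank.verify("ann", "4821", n, phone.sign_challenge(n, True), now=1_100.0)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} -> {'accepted' if ok else 'rejected'}")
```

The point of the layout is the data the server holds: a salted PIN hash and a per-device key, but no fingerprint, which is how the “biometrics cannot be changed” risk is contained by design rather than by encrypting templates after the fact. A real deployment would use an asymmetric key pair in the secure element and attestation of the device rather than a shared HMAC key, and would rate-limit across users as well as per account.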
‘Not a choice anymore’
Rihea Sadarangani shared Yamout’s sentiment, saying that her fingerprint is not something she can change and sometimes doesn’t even match during the in-app authentication process. “What concerns me more is that it has stopped being a choice. You open the app, and you’re nudged, then pushed, and eventually more or less required to enable biometrics. There should be a choice for a PIN/Fingerprint,” she said.
Sadarangani, who is the founder and CEO of marketing agency Iconic Episode, added that she is not entirely convinced it’s always safer for the user. “A PIN, used carefully, doesn’t carry the same risk,” she said. “Biometrics have their place, and the convenience is real. But banks should let customers decide for themselves what they’re willing to trade for it, rather than making that decision on their behalf.”
