Biometrics – novel solution, or novelty?
One of the trends of 2014 was the arrival of technology that had been promised for years but had always fallen short until now. Siri, Cortana and Google Now all make good on the sci-fi staple of the voice-activated computer. Virtual reality has been attempted many times, but it seems that the Oculus Rift may have finally cracked it. And biometric authentication, long included in devices but rarely used, is now routinely used by owners of new iPhones to unlock their devices thanks to Touch ID, writes Thomas Bostrom Jorgensen.
(The Motorola Atrix had a fingerprint reader in 2011, and IBM was including fingerprint readers in laptops way back in 2004, but both failed to blaze a trail. Only now, thanks to Apple, is it being taken seriously as a mass market proposition.)
The success of Touch ID has meant that some banks, such as Bank of America, are considering integrating it into their mobile apps. Barclays is to introduce a ‘finger vein’ reader that will identify its corporate customers, and a potential bank challenger, Atom, has raised £25 million this month with the intention of investing in customer identification through fingerprints, voice, facial recognition and iris recognition. Atom is expected to launch next year and will be ‘digital only’: with no branches, the only way to access the bank will be online and through mobile apps.
It’s not hard to see why biometrics has people excited. Rather than a password, which could be stolen, forgotten or guessed, identifying someone through a physical attribute such as their fingerprint or face seems, at first glance, far more secure. Rather than basing identity on something that the customer knows, it verifies identity through an intrinsic part of who they are. Banks are keen to ensure that they are protecting themselves and their customers from fraud: a recent report from Ovum forecast that US banks will spend 4.3% more on IT in 2015 than they did in 2014, and the lion’s share will be investment in security.
There are good reasons to see biometrics as a valuable, useful authentication technology, but it’s far from the ultimate solution. Every security measure has its weaknesses, and biometrics are no different.
It’s difficult, but definitely not impossible, to subvert fingerprint scanners and face recognition systems. Touch ID was ‘hacked’ less than a month after its introduction, using a latex finger cast from a lifted fingerprint. We leave our fingerprints wherever we go, and recovering one from, for example, a discarded coffee cup is not the science fiction it might first appear. Because Touch ID verifies the fingerprint locally, the attacker would also need physical access to the device. But once a fingerprint has been copied it cannot be reset the way a PIN or password can. And as cash becomes less common and people become wiser to the risks of fraud, this and other types of ‘social hacking’ will become a bigger part of criminal enterprise.
Financial institutions and other organisations handling sensitive financial data are also worried about larger-scale hacks attacking them directly, such as the breach in August at JP Morgan Chase, or this month’s attack on Sony. It’s important to consider what information could be lost in such a breach. Apple has been savvy enough to ensure that fingerprint data is only ever stored on the device itself and that there is no ‘central database’. There are ways to make sure that a stored biometric credential is only valid for a particular service. But history tells us that bad security practices are more common than we would like to admit: passwords stored in plain text, failing to use SSL/TLS, easily guessed security questions such as ‘Mother’s maiden name’, and so on. A database of biometric credentials that falls into criminal hands makes biometric authentication potentially less secure for everyone, not just the company that suffered the hack, because the compromised attribute cannot be replaced.
Atom’s focus on biometrics is a worthy ambition, but it’s difficult to see how this can work if it intends to reach a wide audience. For a technology to be mainstream now, it has to have ‘internet scale’. Social networks such as Twitter and streaming services like Hulu have internet scale because they’re accessible to anyone on any device that has a connection to the internet. At the moment Touch ID is the only biometric method with wide adoption, and even then only among those who can use it, that is, owners of newer iPhones. Apple shipped a massive 39.2 million smartphones in Q3 2014, but this is still only around 12% of the worldwide market.
Users of Touch ID are therefore only a small proportion of mobile users. Those who use Android or Windows Phone devices will have to wait for manufacturers to ship the necessary hardware, and even then it will only reach those who upgrade their device. But what all of these users have in common is that they own a smartphone, and high smartphone penetration means that technology which leverages the smartphone itself is internet-scale. Banks should be looking to the many features already built into devices that can support authentication without extra hardware. Identity can be corroborated through signals such as location and behaviour, and smart devices are already collecting this data for us.
The key will be balancing security and usability. Biometrics are popular partly because of the novelty, but they remain popular because they feel very secure while offering an excellent user experience. Simply touch a finger to the sensor, or look into an iris scanner, and you have access. Alternatives that do not share the disadvantages of biometrics will need to be as frictionless as possible in order to gain wide adoption. Proportionality of challenge remains an area yet to be fully explored: bank apps tend to use the same authentication challenge whether the user is checking their balance or making a large transfer. Instead of a universal challenge, the factors used to challenge the user should be determined by the risk of the transaction taking place.
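As an added example of the proportional challenge described above, here is a small risk-scoring policy in Python. It is not code from the article or from any bank’s app. It also takes the passive device signals mentioned earlier, such as location and habitual behaviour, as inputs to the score rather than treating them as authentication factors in their own right. The signal names, weights, thresholds and assurance levels are all assumptions chosen for illustration; a real deployment would tune them against its own fraud data.

```python
"""Risk-proportional step-up authentication (illustrative, not a bank's code).

The idea: the strength of the challenge a user faces should be decided by the
risk of the action, so a balance check on the user's usual phone needs nothing
more than the existing session, while a large transfer to a new payee from an
unknown device demands a local user-verification factor (PIN or biometric).
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple


class Assurance(IntEnum):
    """Authentication strength already demonstrated (or demanded). Assumed levels."""
    SESSION = 1      # a valid logged-in session and nothing more
    POSSESSION = 2   # plus proof of the enrolled device (e.g. a device-bound key)
    STRONG = 3       # plus a local user-verification factor (PIN or biometric)


@dataclass(frozen=True)
class Request:
    """One action the app is about to perform, with the context signals we know."""
    action: str                   # "balance", "transfer", ...
    amount: float = 0.0           # transfer amount; 0 for read-only actions
    new_payee: bool = False       # paying someone not seen before on this account
    known_device: bool = True     # device previously enrolled by this user
    usual_location: bool = True   # geolocation consistent with the user's history
    usual_hours: bool = True      # time of day consistent with the user's habits


# Assumed weights: an unenrolled device is the strongest single signal, amount
# and payee novelty only matter when money moves, and the passive signals
# (location, time of day) nudge the score rather than decide it on their own.
HIGH_VALUE = 1000.0


def risk_score(req: Request) -> int:
    """Additive risk score for the request. Weights are assumptions."""
    score = 0
    if req.action == "transfer":
        score += 2
        if req.amount >= HIGH_VALUE:
            score += 2
        if req.new_payee:
            score += 2
    if not req.known_device:
        score += 3
    if not req.usual_location:
        score += 1
    if not req.usual_hours:
        score += 1
    return score


def required_assurance(req: Request) -> Assurance:
    """Map the score to the assurance level the action demands (assumed bands)."""
    score = risk_score(req)
    if score >= 4:
        return Assurance.STRONG
    if score >= 2:
        return Assurance.POSSESSION
    return Assurance.SESSION


def decide(req: Request, have: Assurance) -> Tuple[Assurance, bool]:
    """Return (level required, whether a step-up challenge is needed right now).

    `have` is what the current session has already proven; a step-up is only
    triggered when that falls short of what this particular action demands.
    """
    need = required_assurance(req)
    return need, have < need


if __name__ == "__main__":
    # Constructed sample requests to show the policy behaving proportionally.
    samples = [
        ("balance, usual phone", Request("balance"), Assurance.SESSION),
        ("small transfer, usual phone", Request("transfer", amount=50.0), Assurance.SESSION),
        ("large transfer, new payee", Request("transfer", amount=5000.0, new_payee=True), Assurance.POSSESSION),
        ("balance, unknown device abroad", Request("balance", known_device=False, usual_location=False), Assurance.SESSION),
    ]
    for label, req, have in samples:
        need, step_up = decide(req, have)
        print(f"{label:32s} score={risk_score(req)} need={need.name:10s} step_up={step_up}")
```

The useful property is that the challenge is a function of the request, not of the app: the same user can read a balance with no friction and still be asked for a biometric or PIN before a high-value payment leaves the account, which is the proportionality the paragraph above argues for.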
Biometrics may be gaining popularity, but I believe they are not the solution but a part of it. Banks need to be sure that they are investing in a technology that will help all of their customers and deliver on its promise of security.