Sirpa Nordlund, Executive Director, Mobey Forum
For years authentication has been a thorny issue for banks and financial institutions, particularly in the world of mobile services.
To date, these organizations have focused on building two of the three primary sources of authentication data into their products and services, namely “something you know,” like a password, and “something you have,” like a payment card. The desire to raise the level of user convenience for mobile authentication is now driving banks to explore the third source, namely “something you are,” in the form of biometric solutions.
Already, consumers all over the world are using their fingerprints, voices and faces to access their devices and authenticate to a wide variety of value-added mobile services. Reliability, familiarity and ease of use are driving consumer trust and adoption for these authentication models.
This is good news; the populist suspicions that have surrounded biometric security are largely unfounded and their integration with mobile services is finally putting them to rest.
But convenient as these may seem, there’s a sticking point: popular forms of biometric authentication, such as fingerprint and vein ID, still require active user input; a thumb on a sensor, for example. They are not “frictionless” and, as a result, interfere with the intuitive mobile user experience that was originally intended.
Blended Biometrics for authentication
But this is just the beginning, biometrics need not be limited to physiology. Behavioral ID, which analyses the unique traits of each device user, has the potential to remove friction from the authentication process entirely.
Keystroke patterns, mouse movements, key locations and a range of other identifiers are being explored, both for identification and fraud prevention, some of which have delivered 97% accuracy in trials. Even then, a 3% margin of error is not acceptable for the mass deployment of mobile financial services.
The future lies in combining biometric forms. A layered approach should drive long-term adoption by delivering the right blend of convenience and security. It’s easy to envision a mobile banking and payments world where a behavioral metric may grant user access to an account statement, for example, but a physiological validation, like a fingerprint, is needed to authenticate a payment or permit deeper access to account information.
Needles, Pills & Tattoos – PayPal’s PR gimmick
A recent announcement from PayPal caused quite a stir. The over-the-top payments giant suggested a number of possible future replacements for the password, including ingestible technology and computer chip tattoos.
The sentiment is noble; passwords are notoriously unsecure and a thorn in the side of so many industries. But such radical approaches would require both popular consensus and industry standardization before they can be taken seriously. Who is going to want to swallow pills, suffer injections each morning or have their arm embossed with chip-based tattoos? These radical methods may have a place in high security facilities, for example, but certainly not yet in the payments market.
News that a flaw in the Galaxy S5 has enabled hackers to clone fingerprints made recent headlines. In the same way that PC’s and laptops have been prone to keylogging attacks, data collected by the S5’s sensor was monitored, and replicated, in real-time.
Encouragingly, however, credentials stored in Samsung’s trusted execution environment, Samsung KNOX, remained out of reach, highlighting the need to protect a device’s input and output components with TEE technology, in addition to the user’s secure credentials.
Options here could include a trusted user interface as part of the TEE, so that the information displayed to consumers together with their method of data entry — fingerprint sensor, in this case — are protected, meaning the information captured and transferred cannot be hacked.
When dealing with financial and biometric data it is absolutely essential that all potential points of failure are addressed. There is little point in building an impenetrable iron door if it is secured with a plastic lock.