Passwords and PINs took a step closer to extinction today after RBS and NatWest announced that mobile banking customers would be able to access their accounts using the iPhone’s Touch ID fingerprint scanner.
The banks claim they are responding to growing demand from customers for quicker and easier access to their online accounts – with nearly half of their 15 million customers using internet banking and three million using the mobile app each week.
Although RBS claimed to have 1.8m active iPhone users who use the app on average 40 times a month, it didn’t clarify how many of those actually use Touch ID – which is available only on the iPhone 5S, iPhone 6 and iPhone 6 Plus.
“This was an idea that was submitted to us by our customers, by our ideas bank, and it's great to be able to respond so quickly to that idea and get something launched,” said Stuart Haire, managing director of RBS and NatWest Direct Bank.
“That’s actually our intention going forward to offer more and more choices for our customers in what’s becoming an absolute revolution in banking.”
However, Touch ID has had a pretty torrid time from the hacking community since its launch a couple of years ago.
Chaos Computer Club famously managed to hack the system in 2013 just days after its launch by revealing a way of making a mold of the user’s fingerprint.
When the iPhone 6 came out last year, researchers reported the security blind spot still existed – although creating a fake fingerprint would require a great deal of skill and patience, they admitted.
Roy Tobin, threat researcher at Webroot, claimed security should trump ease-of-use, with two-factor authentication including a strong password the ideal form of access.
“The sheer amount of prints the average individual leaves behind day-to-day means that this data can relatively easily be compromised,” he added. “There are vast issues around data protection; who can access these fingerprints and how that data can be used are all real concerns.”
However, extra verification steps will be required for some higher risk in-app tasks, while three failed log-in attempts would necessitate a passcode re-entry, the banks told the BBC.
“Actually using fingerprints in combination with passwords is a good thing,” argued Kev Pearce, CTO at account protection firm Osirium. “Although they can be technically spoofed, the attacker has to gain access to the source fingerprint.”
A strong password remains a good form of security, but it’s not always that simple, he told Infosecurity.
“The issues arise when we mix people and passwords, that's when they get copied into plain text files or changed to simplified weaker passwords,” Pearce added.
Keith Graham, CTO at two-factor authentication firm SecureAuth, argued that smartphones finally appear to be driving adoption of biometrics.
“Owners of these devices are only looking to do more with this biometric functionality, while the security community continues to question whether it’s ‘strong enough’ and can hold up as a replacement for the password or PIN,” he told Infosecurity.
“Arguably, it’s a good balance of convenience, usability and security, rather than being a ‘strong’ method of authentication. As this debate rages on, the challenge for organisations will be, again, striking the appropriate balance between user experience and strong authentication.”