First the good news. Passwords are finally being shown the door by some major retail banks. The bad news is that for many, the new choice is a biometric-based system. But I do not believe they have a place in authenticating us as customers. I want to use my brain when I bank, and not a biometric.
In recent months, Barclays has implemented voice biometrics in its call centre, meanwhile ING in the Netherlands, OCBC Bank in Singapore, NatWest and RBS in the UK have all hit the headlines for allowing owners of the iPhone 5s, 6, 6 Plus, iPad Air 2 and iPad Mini 3 to use the fingerprint sensor (launched by Apple in 2013 and known as Touch ID), to logon to their banking apps. Meanwhile, the latest ‘innovation’ from Halifax, is the trial of a heartbeat recognition wristband (a wearable token if you will!)
On face value, Touch ID makes perfect sense. The hardware is already ubiquitous, residing on millions of devices (combating the issue of achieving rapid widespread on-boarding and adoption), customers will love the convenience, and it addresses the universal loathing of the password. After all, a biometric is something you are, and you can’t forget that. But you can’t remember it either! And this one of the major flaws in making use of biometrics for authentication. As a customer, I want it to be a two-way process, where I am challenged to share something that only I could know, and in doing so, I prove that I am who I say I am, and that I am authorised to access my account.
I also cannot forget that almost while customers were still queuing at their local Apple store to get hold of an iPhone 5s, the now famous hacker Starbug demonstrated how a fingerprint could be ‘lifted’ and used to fool the Touch ID sensor and in turn unlock the device. Since then, I do not doubt that the techies in Cupertino have markedly improved the function, but it is still unrealistic to assume that high-grade biometric sensors will find their way on to an iPhone, or any other mass market consumer device, it would not make economic sense.
The now famous hacker Starbug demonstrated how a fingerprint could be ‘lifted’ and used to fool the Touch ID sensor and in turn unlock the device
In reality, very few opportunist criminals will have the time, inclination or resources to go to the lengths of Starbug in order to hack an iPhone or iPad that they manage to ‘procure’, preferring to sell the device on quickly. However, in my experience they don’t need to. As a self-confessed Apple fan, I found myself toying with Touch ID on my new iPhone and over dinner flippantly challenged a friend to get in to my phone. It wasn’t until later that evening that I realised he had been successful. As far as I am aware he was not concealing a high-resolution scanner, or a jelly baby! I do not know how he did it, but I have not used Touch ID since. What concerns me even more though, is the speculation in some publications of Apple’s intention to store fingerprints in iCloud to ‘help’ customers make payments. Now that is likely to be even more appealing to a cybercriminal than a bunch of celebrities in the nude.
I lived in South Africa for a few years and here I faced a daily problem with biometric scanners - what is the fall-back position? I lived in a gated community and to enter and exit I would drive up to the gate and scan my finger. But if it failed, as it often did, the security guard (usually a person who did not know me) would scan his own finger to open the gate. I would then go and have my fingerprints rescanned. Not convenient at all. The fact the people need to be enrolled is one of the biggest challenges (aside from the huge hardware infrastructure investment required) in rolling out biometrics across ATM networks. It is also a challenge for voice biometrics as laws regarding ‘passive’ enrolment are different in each country.
The only possible conclusion is that Apple is offering convenience and not enhanced levels of security
If you use Touch ID and it fails to recognise your biometric, it invites you to login using a password. Thus begging the question why have the biometric in the first place? The only possible conclusion is that Apple is offering convenience and not enhanced levels of security, after all, usability is the basis for its entire ecosystem. So, where does this leave the Halifax’s wristband idea? It is arguably a little more secure than Touch ID as you now have separate ‘token’ and the bank does not store the customers biometric information, but it certainly isn’t convenient. Who would want to wear such a wristband and advertise where they bank? Or, have to put it on every time they want to make a transaction? What’s more, it still doesn’t engage my brain, as this solution wants my heart to rule my head!
So, if passwords are a pain in the neck, and biometrics are convenient but not reliable and do not offer any significant security benefits in their current guise, what is the alternative?
I suggest that organizations should not throw the baby out with the bathwater when replacing their password-based authentication. The use of something you know and using our brains is still a powerful security technique, so a password alternative that is easier to remember, harder to crack (and that means not giving it away every time you log in) would surely be a better way forward for everyone.. The move away from traditional passwords is well overdue and I applaud those early adopters of new technology who are blazing a trail in banishing them. However, I cannot help but think that biometrics is a stepping stone on the path to a brave new world without passwords, and not the ultimate solution.