For years, passwords have been the most widely used tools to protect data and systems. As technology has evolved to a greater extent in recent times, it has been found that passwords can be easily broken. System security professionals agree to the fact that passwords are too weak an authentication technique. So what are the alternatives? Biometrics, for one, can be used as a replacement for passwords. Biometrics measure, store (or encrypt and store), use biological characteristics of an individual for identification or verification purposes.
First let’s have a look at what "individual" biometric solutions are available today:
Fingerprint biometric technology refers to the use of a person's fingerprint characteristics to identifying that person. Fingerprint payment, based on finger scanning, is the most common biometric payment method. It was made popular by Apple Pay and now expected to be adapted by other systems in the future. Touch ID by Apple works on fingerprint recognition. MasterCard along with biometrics company Zwipe are bringing world's first fingerprint authenticated payment card for contactless payments.
Voice biometrics offers the highest levels of security, convenience and privacy. Voice biometrics authenticates a user based on numerous vocal characteristics like vocal tract geometry, harmonics, pitch and range. Voice biometrics is more cost-effective – it doesn’t require any hardware investment by the user. Microphones in mobile phones, tablets or PCs can be used, so there are no additional costs. MasterCard successfully trialed a new app which uses voice for payment authentication. Many banks across the world have done pilots based on voice biometrics.
The blood vessels at the back of the eye have a unique pattern with regard to every individual. Developed in the 1980s, retinal scanning is one of the most well-known biometric technologies, but it is also one of the least deployed. You must have at least seen it in a movie by now.
- Japanese telco NTT DoCoMo and handset maker Fujitsu have already launched a smartphone that authenticates users for mobile payments by scanning their irises.
- EyeLock’s myris solution is now being used by multiple companies and associations for payment authentication purposes.
Heartbeat or ECG scanning is more complex and even beyond some other forms of biometric authentication such as fingerprints.
- Halifax, the high street bank owned by Lloyds Banking Group, has trialed technology which uses a customer's heartbeat as security authentication for its digital financial services.
- Bionym, the company behind the Nymi Band authentication wristband, did a pilot test along with RBC and MasterCard for payments.
Facial recognition technology is widely used globally for security and payments authentication purpose. Biometric facial recognition uses skin biometrics and the uniqueness in skin texture for better recognition.
- Uniqul, a Finnish company, has already developed a payments system which uses first facial recognition for payments purpose.
So the question is: Why can't they just use one of the above biometrics technique?
The common belief that fingerprints are unique is false because families can share elements of the same pattern. It has been found from research that many people across the world can have the same (or a very close) fingerprint. Recently at a conference, a payments expert explained that over-reliance on fingerprints for authentication might not be a good idea. In the case of Apple’s fingerprint system, there is no central repository or clearinghouse of Touch IDs. The ability to quickly touch a finger on the button and take an action that is relatively hard (not impossible) for someone else to replicate provides enough assurance to the average consumer that it’s “good enough.” Neither Apple nor the banks supporting Apple Pay pitch it as more secure, but consumers might have understandably assumed that to be the case. Note that Apple requires the actual (alphanumeric) password to be entered when the phone is turned off and on. This mis-assumption of Touch ID security does not cost the consumer anything because the banks offer zero liability protection as a historical cost of doing business. So the onus is on the banks to create a foolproof system. For that, there should always be more than a one-factor authentication technique. And here comes the multifactor approach that many banks are considering.
Wells Fargo Tests Payments Authentication Feature That Uses Two Biometric Techniques (Voice and Face)
Wells Fargo is the first US-based financial institution to pilot a fusion of voice and face biometrics to authenticate customers, a feature that is being rolled-out to CEO Mobile iPhone app users in 2016. By identifying business customers’ faces, voices and mobile devices, biometric authentication makes it extremely difficult to spoof the true user.
“Biometric technology is emerging and accelerating change in financial services,” said Danny Peltz, Executive Vice President and Head of Treasury Management at Wells Fargo, at a press release. “We continue to explore and test new safeguards for our business customers.”
Wells Fargo is piloting the face and voice authentication system with 100 business customers using its mobile app on their iPhones. If the pilot is successful and if the bank decides to make it mainstream in the future, passwords are going to be history.
Currently, Wells Fargo is also testing another biometric authentication technology that scans the veins of smartphone users’ eyes to verify their identity. This additional security feature will also be available to CEO Mobile iPhone app users in 2016.
Let me change gears here. I think that banks should work with technology firms, developers and startups to create great authentication systems. A foolproof authentication system will be key to a great mobile banking and mobile payments experience.
There are few start-ups in this field that are worth looking at:
Last year Bionym, RBC and MasterCard did a dry run of payments using biometric wristband
The heartbeat data linked individuals to a MasterCard account issued by the Royal Bank of Canada and some other banks.
The Nymi wristband, which authenticates identity by using a person's cardiac rhythm, was designed to eliminate the need for passwords, PIN codes and even keys.
PulseWallet’s solution already enables users to pay for products with just their finger but according to the company, the problem with this setup is that the fingerprints can potentially be lifted. PulseWallet partnered with Fujitsu Frontech to make use of their PalmSecure biometric technology. The integrated PalmSecure vein imaging technology allows merchants to provide a secure payment option, whilst giving users an all-in-one payment system for them to access their eWallets.
Y Combinator-backed startup PayTango seeks to enable customers to pay via fingerprint scans. PayTango’s system links a form of payment such as a debit/credit card to a user’s fingerprint. The user will then have to place the index and middle finger on the biometric fingerprint scanner to make payment, and the software immediately recognizes the user.