Heartbeat, iris, face, vein…every one is a potential identifier of you. So can biometric authentication rescue us from the hell of remembering passwords?
Passwords and PINs are a nightmare. Criminals can phish for them or use ‘brute force’ attacks that try millions of combinations a second until one works. Meanwhile, consumers are told to use long, complex passwords, which they inevitably forget.
According to a study from Cyber Streetwise, the average British consumer needs to recall 19 passwords to access all his or her logins for email, social networks, e-commerce and banking. It’s ridiculous. And it’s why so many people choose just one password and make it something memorable. Like ‘password’. Clearly, passwords are not the best solution for digital activity.
Which is why there’s so much interest in biometrics. Biometric authentication uses ‘something you are’ rather than (or as well as) ‘something you know’ to identify you. That makes it much harder to phish or guess (though, as we’ll see, not impossible to copy). Of course, biometric tech has been around for decades, but it’s the age of the mobile that has really pushed it into the mainstream. It’s not easy to attach iris, fingerprint or voice scanners to a PC. The mobile handset, with its built-in microphone, camera, touchscreen and fingerprint scanner? That’s a different story.
So it is that biometrics has moved from something we used only rarely – at secure locations – to every time we unlock our phones.
According to Goode Intelligence, 3.4 billion users will have biometric authentication features on their mobiles by 2018, and by 2017, there will be over 990 million smartphones, phablets and tablets with fingerprint sensors. Furthermore, Acuity Market Intelligence reckons this will generate significant market revenues. It thinks mobile biometrics alone will power 126n transactions worth £34.6bn in 2020. That’s nearly 65 per cent of all m-commerce transactions generating more than $1.1 trillion in consumer purchase value.
As so often, it was Apple that started the ‘mainstreaming’ of biometrics. After it bought the biometrics company AuthenTec for $356 million in 2012, it was a matter of time before it used the latter’s fingerprint scanning tech in its devices. That began with the iPhone 5S, which offered a Touch ID fingerprint sensor as an alternative to the PIN for unlocking the phone. Users loved it. A year after the iPhone 5S launched, Apple said that 83 per cent of owners used a fingerprint scan to unlock their phones. This compared with the fewer than half who used a passcode before Apple introduced Touch ID.
Observers expected the unlocking function of Touch ID to be a precursor for more ambitious use cases. Consumers were certainly ready. In 2013, a trial in France by National Security found that 94 per cent of users felt comfortable about using fingerprint authentication to pay for in-store purchases, and when the iPhone 6 launched with NFC, the fingerprint became a key component of Apple Pay. Meanwhile, developers started to support Touch ID in their apps too.
Inevitably, Android device makers followed suit. High-end devices by Huawei, Samsung, HTC, Oppo, OnePlus and more now come with a fingerprint reader (which, of course, forms part of the Android Pay service). What’s more, the powerful FIDO Alliance – a non-profit consortium made up of companies including Microsoft, Google, VISA, MasterCard, PayPal and Bank of America – is working hard to standardise how biometrics is deployed in phones.
Consumers may have embraced mobile biometric authentication, but there have been dissenters. The fact is, authentication doesn’t work 100 per cent of the time. ‘Human’ questions remain. What happens to facial recognition if you grow a beard? Or to fingerprints if you burn your finger, or suffer some kind of disfigurement? And can voice recognition work if you catch a cold that makes your voice husky?
And then there’s the tech itself. Weaker systems have obvious flaws. A criminal could hold a photograph in front of a facial recognition scanner. He or she could harvest a fingerprint from a surface and then recreate a finger from some kind of malleable material (in one memorable test, a gummy bear). This has happened with Touch ID, for example, to much uproar.
However, the scare stories are probably exaggerated. A criminal clever enough to do this would only be able to take control of a single phone, and would need physical access to it as well as a usable copy of the print. That’s of limited interest to organised fraud. What fraudsters really want is to harvest thousands of credentials at once, so the real danger lies in companies storing digital copies of users’ biometric templates on a central server (encrypted or not, a server that matches templates itself has to be able to read them). What makes this even more dangerous is that, unlike passwords, people can’t change and reset their irises, faces and fingers. So securing biometrics requires the same attention to time-honoured basics: keep the template on the device and match it there, so that only a cryptographic signature ever leaves the handset (the model Touch ID and the FIDO specifications follow); encrypt and tokenize whatever must be stored; and educate users about phishing.
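To make the ‘match on the device, store only a public key’ model concrete, here is an added example in Go. It is not code from the article or from any vendor named in it: the 64-bit template, the Hamming-distance threshold of 12 bits, the account name ‘alice’ and the message flow are constructed assumptions, and the signature scheme is the Ed25519 implementation in Go’s standard library. The server never receives a template, the device never releases a signature without a local match, and each challenge can be answered exactly once.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"math/bits"
)

// Template is a constructed stand-in for a biometric template: a 64-bit code in
// which each bit is one quantised feature. Iris codes are compared the same way
// (Hamming distance), just with thousands of bits; this is a toy.
type Template uint64

// hamming counts the feature bits that differ between two codes.
func hamming(a, b Template) int { return bits.OnesCount64(uint64(a ^ b)) }

// Device is the handset: it keeps the enrolled template and a signing key.
// Neither ever leaves it; the only thing sent to the server is a signature.
type Device struct {
	enrolled  Template
	threshold int // largest Hamming distance still accepted as the enrolled user
	priv      ed25519.PrivateKey
}

// Authenticate matches the live sample locally and signs the challenge only on a match.
func (d *Device) Authenticate(live Template, challenge []byte) ([]byte, error) {
	if hamming(d.enrolled, live) > d.threshold {
		return nil, errors.New("biometric mismatch: no signature released")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Server holds one public key per account plus the challenge it last issued.
// A breach here leaks public keys and stale nonces, not fingers or irises.
type Server struct {
	accounts map[string]ed25519.PublicKey
	pending  map[string][]byte // account -> outstanding single-use challenge
}

func NewServer() *Server { return &Server{accounts: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}} }
func (s *Server) Register(account string, pub ed25519.PublicKey) { s.accounts[account] = pub }

// Challenge issues a fresh 32-byte nonce and remembers it for exactly one use.
func (s *Server) Challenge(account string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[account] = nonce
	return nonce, nil
}

// Verify accepts a signature only over the outstanding challenge and burns that
// challenge whether or not the signature checks out, so a captured signature is
// useless a second time. Unknown accounts fail because they have no key.
func (s *Server) Verify(account string, sig []byte) bool {
	pub, ok := s.accounts[account]
	nonce, pending := s.pending[account]
	if !ok || !pending {
		return false
	}
	delete(s.pending, account)
	return ed25519.Verify(pub, nonce, sig)
}

// RunDemo covers the three cases a reviewer would ask about: a genuine but noisy
// re-read, an impostor, and a replay. It returns (genuineAccepted, impostorAccepted, replayAccepted).
func RunDemo() (bool, bool, bool, error) {
	enrolled := Template(0xA5C31E709B2DF481) // constructed enrolment code
	genuine := enrolled ^ 0x0000100400820001  // 5 bits differ: sensor noise on a re-read
	impostor := enrolled ^ 0xFFFF0000FFFF0000 // 32 bits differ: a different person
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	dev := &Device{enrolled: enrolled, threshold: 12, priv: priv}
	srv := NewServer()
	srv.Register("alice", pub) // the server is given the public key, never the template
	// 1. Genuine user: local match passes and the signed nonce verifies.
	nonce, _ := srv.Challenge("alice")
	sig, err := dev.Authenticate(genuine, nonce)
	genuineOK := err == nil && srv.Verify("alice", sig)
	// 2. Impostor: local match fails, so no signature exists; an empty one is rejected.
	nonce, _ = srv.Challenge("alice")
	_, impErr := dev.Authenticate(impostor, nonce)
	impostorOK := impErr == nil || srv.Verify("alice", nil)
	// 3. Replay: the signature captured in step 1 is presented against a fresh nonce.
	_, _ = srv.Challenge("alice")
	replayOK := srv.Verify("alice", sig)
	return genuineOK, impostorOK, replayOK, nil
}

func main() {
	g, i, r, err := RunDemo()
	fmt.Println("genuine accepted:", g, "impostor accepted:", i, "replay accepted:", r, "error:", err)
}
```

The threshold is where the ‘doesn’t work 100 per cent of the time’ trade-off lives: raise it and a burnt or dirty finger is more likely to still match, but so is a stranger’s. Whatever the sensor decides, the server only ever learns whether a fresh nonce was correctly signed.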
That said, there are now dozens of products, services and technologies advancing the cause of biometric authentication. Here, in no particular order, are a few worth watching:
Company: Behaviosec
Authentication method: keystrokes
Here is this Swedish startup’s big idea: it’s not what you type, it’s how you type it.
Its software tracks how the user interacts with a device or browser, analysing typing rhythm and speed, key pressure, swipe speed and finger positioning. Banks embed the software in their website or app so that sessions whose rhythm doesn’t fit the account holder’s profile can be flagged as suspicious.
In a pilot trial with Danske Bank, the product distinguished between legitimate users and impostors in 99.7 per cent of cases. (A single accuracy figure doesn’t say how the remaining 0.3 per cent splits between customers wrongly rejected and impostors wrongly accepted, which is the number a bank actually has to tune for.) Most Nordic banks now use its system and further launches are under way with financial firms across Northern Europe.
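To show the idea behind ‘it’s how you type’, here is an added example in Go. It is not Behaviosec’s algorithm or code, and the timings are constructed: three enrolment sessions typing the word ‘pass’, a genuine re-type with ordinary jitter, and a slow hunt-and-peck impostor. It uses only the delay between consecutive key presses (digraph latency); the standard-deviation floor of 5 ms, the acceptance threshold of 2.0 and the names are all assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Keystroke is one key press with its timestamp in milliseconds. The sessions
// below are constructed; a real sensor would also give pressure and swipe paths.
type Keystroke struct {
	Key string
	At  float64
}

// digraphLatencies maps each consecutive key pair ("p>a") to the delay between
// the two presses, the classic keystroke-dynamics feature.
func digraphLatencies(s []Keystroke) map[string]float64 {
	out := map[string]float64{}
	for i := 1; i < len(s); i++ {
		out[s[i-1].Key+">"+s[i].Key] = s[i].At - s[i-1].At
	}
	return out
}

// Profile is the enrolled rhythm: per-digraph mean and standard deviation.
type Profile struct {
	mean, std map[string]float64
}

// Enrol builds a Profile from several typing sessions of the legitimate user.
func Enrol(sessions [][]Keystroke) Profile {
	sum, sq, n := map[string]float64{}, map[string]float64{}, map[string]float64{}
	for _, s := range sessions {
		for k, v := range digraphLatencies(s) {
			sum[k] += v
			sq[k] += v * v
			n[k]++
		}
	}
	p := Profile{mean: map[string]float64{}, std: map[string]float64{}}
	for k := range sum {
		m := sum[k] / n[k]
		p.mean[k] = m
		// Population std dev, floored at 5 ms so a very consistent enrolment
		// does not turn every later millisecond of jitter into a rejection.
		p.std[k] = math.Max(math.Sqrt(math.Max(sq[k]/n[k]-m*m, 0)), 5)
	}
	return p
}

// Score is the mean absolute z-score of a session against the profile: around
// 1 or less for the enrolled typist, far higher for someone else. Digraphs not
// seen at enrolment are skipped; a session with nothing comparable fails closed.
func (p Profile) Score(s []Keystroke) float64 {
	total, n := 0.0, 0
	for k, v := range digraphLatencies(s) {
		if m, ok := p.mean[k]; ok {
			total += math.Abs(v-m) / p.std[k]
			n++
		}
	}
	if n == 0 {
		return math.Inf(1)
	}
	return total / float64(n)
}

// Threshold trades false rejects for false accepts: lower it and more impostors
// are caught, but more genuine users are bounced to a fallback factor.
const Threshold = 2.0

func Accept(p Profile, s []Keystroke) bool { return p.Score(s) < Threshold }

// typed turns key names and absolute timestamps into a session.
func typed(keys string, at ...float64) []Keystroke {
	s := make([]Keystroke, len(at))
	for i, t := range at {
		s[i] = Keystroke{Key: string(keys[i]), At: t}
	}
	return s
}

// Constructed data: three enrolment sessions, a genuine re-type, an impostor.
var (
	enrolment = [][]Keystroke{
		typed("pass", 0, 120, 210, 270),
		typed("pass", 0, 130, 215, 280),
		typed("pass", 0, 115, 208, 265),
	}
	genuineSession  = typed("pass", 0, 125, 212, 272)
	impostorSession = typed("pass", 0, 250, 420, 600)
)

func main() {
	p := Enrol(enrolment)
	fmt.Printf("genuine:  score %.2f accept=%v\n", p.Score(genuineSession), Accept(p, genuineSession))
	fmt.Printf("impostor: score %.2f accept=%v\n", p.Score(impostorSession), Accept(p, impostorSession))
}
```

The threshold is the whole story behind a headline figure like 99.7 per cent: sliding it one way rejects more customers, the other way admits more impostors, and a deployment has to pick its point on that curve and keep a fallback (PIN, one-time code) for the genuine users it turns away.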
Company: SayPay
Authentication method: voice
Voice-recognition tech is pretty common now thanks to Siri and ‘OK Google’, so it’s unsurprising that startups should try to pitch it as an authentication method.
SayPay’s tech generates a one-time code, displayed on the screen, that the user reads aloud before pressing “Pay.” Because the code changes every time, a recording of an earlier session is of no use to an attacker: the spoken words have to be right as well as the voice.
Company: Alibaba, MasterCard
Authentication method: facial recognition
At the CeBIT show, Alibaba CEO Jack Ma took a selfie and claimed his picture alone had processed a live payment. The facial recognition technology, called Smile to Pay, is still in beta and will be usable not just on Alibaba but on any transaction using the Alipay Wallet service.
Just weeks ago, MasterCard confirmed it was working on facial recognition trials. And there are plenty of startups, such as UK based iProov working on safer ways to secure the process.
Company: iProov
Authentication method: facial recognition
This London startup claims to have created a tech – Verifier – that gets past the usual wrinkles with facial recognition.
For example, it sidesteps user vanity by displaying an outline of the face rather than the camera image, and uses a sequence of flashes to check that it is looking at a live face (thereby rejecting still photos held in front of the camera).
Company: Biyo
Authentication method: veins
Biyo (formerly PulseWallet) has created a physical reader that integrates with a retailer’s own POS systems. Shoppers enter their card details, then scan a hand on the terminal. This links the palm to the card and thereafter they can pay merely with their hand.
The system is based on Fujitsu’s PalmSecure tech, which uses sensors to capture a user’s palm vein pattern. It looks for flowing blood, and is therefore not affected by cuts or dirt on the palm.
Company: Bionym/Nymi
Authentication method: heartbeat
Bionym’s Nymi bracelet authenticates the wearer by her unique electrocardiogram (basically, the heartbeat pattern). The idea is this: you strap on your bracelet, and it knows it’s you. Then, when you approach any linked device – door, laptop, phone – it automatically unlocks. When you take the bracelet off, it resets and has to authenticate you again. If someone else puts it on, it won’t work. In 2014, Bionym raised $14 million.
The Royal Bank of Canada and MasterCard are testing the tech.
Company: Sign2Pay
Authentication method: signatures
Signatures may seem like the oldest of old school forms of ID. But Belgian-Dutch startup Sign2Pay doesn’t look at what a signature looks like. Rather, it assesses the way the signature is written.
It analyses over a thousand data points, such as pressure, the number of strokes, and where and when the finger or stylus leaves the screen.
Company: Fujitsu/NTT DoCoMo
Authentication method: Iris
Phone maker Fujitsu and mobile operator NTT DoCoMo teamed up to make the Arrows NX F-04G smartphone – apparently the world’s first to offer iris recognition for phone unlocking, mobile wallet payments, and web logins.
It uses an infrared LED and infrared camera to read the pattern of your iris and match it against your pre-registered pattern.
On