It was once the stuff of science fiction: iris scanners, fingerprint readers, voice recognition software. But a growing number of enterprises are now banking on biometrics – the measurements that make each person unique – as the next generation of security.
In a report from research firm Ovum, 34% of retail banks named biometric technology as a priority for tackling fraud in 2016. As consumers go mobile, some see it as a reliable way to make authentication slick and easy, without compromising security. Others see it as an opportunity to eliminate the bad passwords of the world – the infamous ‘123456’, ‘qwerty’ or simply ‘Pa55w0rd’ – for good.
“I certainly am sick of passwords. The end of the password, the end of the PIN – we see biometrics as something that can help get us there,” Isabelle Moeller, chief executive of the Biometric Institute, told Tech City News.
While passwords and PINs rely on what you know (or often don’t, as the case may be) and tokens rely on what you have (a key, for example), biometric data relies on what you are. In other words, the physical or behavioural quirks that make you unique; anything from the shape of your ear to your smell, your gait, or the way you hold and press your phone.
Biometric systems work by matching a digital representation of your data, known as a template, against the templates of everyone who has been enrolled in the system before. There are two outcomes: you’ll either be a ‘match’ or a ‘non-match’. Just how similar two templates need to be to ‘match’ will vary depending on each system’s security level, so stricter systems will require a higher percentage match.
Advanced biometric security systems can also account for the variations within each person’s data. While everyone has a unique heartbeat, for example, each beat itself is different. Belfast firm B-Secur, the team behind a prototype debit card that ‘signs off’ high-value payments using an electrocardiogram, say their technology can differentiate one beat from the next – and tell if it’s really you at the end of their sensor.
“If someone had somehow stolen your heartbeat and was playing the same heartbeat over and over again … we would be able to say ‘that’s likely to be someone doing a replay attack’,” explained Simon Read, B-Secur’s head of product.
Though the technology has become synonymous with Apple following the release of Touch ID, its origins lie in the late 1800s, when police began indexing criminals using their fingerprints. Since that period, biometrics have become increasingly automated and real-time, expanding to human features beyond the iris, palm and finger. In 2011, alongside DNA techniques, the CIA used facial recognition software to identify the body of Osama Bin Laden with 95% certainty.
Until recently, government agencies like the CIA and the FBI had been the biggest spenders on biometric technology, but that’s changing, and fast. Consumer and enterprise spending is expected to eclipse that of governments by 2017, with the technology becoming a ‘standard feature’ for mobile devices in just three years. And first in the queue? The banks.
“Certainly in the last two years we had a large take up from financial institutions, mostly here in the UK … but also some of the US banks have started to come on board,” said Moeller.
Her organisation, whose 192 members now include MasterCard, Facebook and Barclays, promotes public awareness and best practices in the industry. It is also developing a trust mark for biometric products and services.
While anti-fraud biometrics have been on banks’ radars for a long time, for example using ‘voice prints’ to authenticate customers at call centres, mobile innovations such as ApplePay and SamsungPay have changed the game.
“The banks suddenly have these new players and the consumers use it so they need to respond to it … and see how you still maintain that trust and that security,” said Moeller.
RBS and NatWest customers can already use their fingerprint to sign in to their mobile banking dashboard. Meanwhile, Barclays rolled out a finger scanner, manufactured by Hitachi, for its corporate banking clients in 2015. Others, such as Halifax, are rumoured to be further back in the testing pipeline.
It’s not just the big players getting involved. Atom, the digital-only ‘challenger bank’ gearing up to launch in the UK later this year, is integrating biometric technology – including face and voice recognition – from the get-go. As chief innovation officer Edward Twiddy put it, the idea is to “make something secure by design rather than by default”.
He went on to say the banking industry has been slow to adopt ID technology, compared to other sectors.
Other startups, like B-Secur, are taking a different tack. The company aims to license its ‘heartbeat’ solution to different companies in order to fit their needs. Besides a handful of banks, the firm is currently in talks with a large construction company to manage site access and is coordinating a pilot with an airport security integrator.
“We’re going out to the end businesses which could potentially be customers and partners that would help us to build the end solution,” Read said.
As with any security technology, there are drawbacks. Biometric authentication is by no means foolproof. Nicholas Dryden, CEO of Sthaler, the firm behind ‘Fingopay’ – a finger scanner that uses near-infrared light – explained that it is easy to spoof fingerprint technology.
Real-life hackers have shown ways to dupe biometric sensors by lifting old fingerprints using a series of household items.
When Apple released its iPhone 5S in 2013, German hacker collective Chaos Computer Club were able to bypass its fingerprint scanner after just two days by taking an image of the user’s fingerprint, printing it out on transparent film, and applying wood glue along its pattern. As a final flourish, the fake print was breathed on to make it slightly moist.
As the NSA points out, there is also the issue of false positives and false negatives, known as the ‘False Accept Rate’ and the ‘False Reject Rate’. It says these may be much higher than advertised, because attacks on biometric systems are not always random. For example, an attacker may guess ‘intelligently’, by a process of elimination using the samples that were rejected.
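The two passages above describe a matcher’s ‘security level’ as the similarity a sample must reach to count as a match, and the False Accept Rate and False Reject Rate that result from that choice. The following added example, which is not code from the article or from any vendor it names, makes that trade-off concrete: it scores constructed genuine and impostor attempts against a threshold, sweeps the threshold to find the equal-error point, and then re-measures the FAR against a second, constructed set of non-random impostor scores to show why an advertised FAR can understate what a non-random attacker achieves. All scores are made-up values chosen for illustration.

```python
"""Threshold, False Accept Rate (FAR) and False Reject Rate (FRR) for a matcher.

Added illustration, not from the article. A matcher returns a similarity score
in [0, 1] between a live sample and an enrolled template; the system's
'security level' is the threshold that score must reach to be a 'match'.
"""
from typing import Iterable, List, Tuple

# Constructed similarity scores (assumption: higher means more alike).
# Genuine: the enrolled person presenting their own biometric.
# Impostor: a different person presenting theirs, i.e. random attempts.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.79, 0.90, 0.86, 0.73, 0.97, 0.84]
IMPOSTOR_SCORES = [0.41, 0.55, 0.62, 0.38, 0.70, 0.47, 0.58, 0.75, 0.33, 0.66]

# Constructed scores standing in for attempts that are NOT random guesses,
# the case the NSA caveat describes; they cluster closer to the genuine band.
NON_RANDOM_IMPOSTOR_SCORES = [0.68, 0.74, 0.77, 0.71, 0.80, 0.69, 0.76, 0.73, 0.82, 0.65]

CANDIDATE_THRESHOLDS = [0.5, 0.6, 0.7, 0.75, 0.8, 0.9]


def is_match(score: float, threshold: float) -> bool:
    """Decision rule: a score at or above the threshold counts as a 'match'."""
    return score >= threshold


def error_rates(genuine: Iterable[float], impostor: Iterable[float],
                threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) at the given threshold.

    FAR: fraction of impostor attempts wrongly accepted (false positives).
    FRR: fraction of genuine attempts wrongly rejected (false negatives).
    """
    genuine = list(genuine)
    impostor = list(impostor)
    false_accepts = sum(1 for s in impostor if is_match(s, threshold))
    false_rejects = sum(1 for s in genuine if not is_match(s, threshold))
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine: Iterable[float], impostor: Iterable[float],
          thresholds: Iterable[float]) -> List[Tuple[float, float, float]]:
    """Tabulate (threshold, FAR, FRR): raising the threshold lowers FAR and raises FRR."""
    genuine = list(genuine)
    impostor = list(impostor)
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_threshold(genuine: Iterable[float], impostor: Iterable[float],
                          thresholds: Iterable[float]) -> float:
    """Candidate threshold at which FAR and FRR are closest (the equal-error point)."""
    rows = sweep(genuine, impostor, thresholds)
    t, _far, _frr = min(rows, key=lambda row: abs(row[1] - row[2]))
    return t


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, CANDIDATE_THRESHOLDS):
        print(f"threshold={t:.2f}  FAR={far:.1f}  FRR={frr:.1f}")
    eer_t = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, CANDIDATE_THRESHOLDS)
    print(f"equal-error threshold: {eer_t:.2f}")
    # Same threshold, different impostor population: the advertised FAR no longer holds.
    far_random, _ = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, eer_t)
    far_targeted, _ = error_rates(GENUINE_SCORES, NON_RANDOM_IMPOSTOR_SCORES, eer_t)
    print(f"FAR vs random impostors: {far_random:.1f}; vs non-random attempts: {far_targeted:.1f}")
```

On these constructed numbers a threshold of 0.7 accepts two impostors and rejects nobody genuine, 0.8 does the reverse, and 0.75 is the equal-error point at 10% each way. Measured against the non-random impostor set, the same 0.75 threshold accepts four in ten, which is the practical reason to evaluate a deployment against the attempt distribution it will actually face rather than the random one in a vendor’s datasheet, and to pair the biometric with another factor rather than rely on the advertised rate.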
The way to get around this, the startups say, is to test for more than one biometric. Sthaler, Atom and others like AimBrain are doing just this: adding multiple variables or ‘modalities’ into the mix, for example how you behave and how you sound. Internal biometrics, often referred to as ‘next generation biometrics’, are also harder to spoof, because they employ ‘liveness testing’, which is much harder to fake.
Also, as with many emerging technologies, companies pushing to innovate have a tendency to add biometrics to a solution that still needs other assurances, or to do so without due consideration of other vulnerabilities in the implementation.
“For physical access control applications, we almost always recommend using the biometric system in conjunction with other security mechanisms, such as card readers, PINs, and/or an attentive guard,” the NSA’s guidance reads.
Isabelle Moeller added: “Like any security technology … when you put biometrics in place you have to consider what you put around it. I like to use the example if you have an old house with an old front door it probably doesn’t make sense to put a biometric fingerprint [lock] on that door.”
Perhaps the biggest challenge of all is winning consumer trust. Apple has gone some way to familiarise users with the technology, but with high-profile data breaches still commonplace among large corporations, some may take longer than others. After all, you can replace a password, but you can never replace your biometric data. As the startups roll out their pilots in 2016, time will tell how biometrics fare outside of the lab and in the wild.