Biometrics is the new craze, but is it really that secure?


Srivatsan Srinivasan is the product marketing manager for Nexmo Verify and Number Insight. In this article, he discusses the risks and benefits of using biometrics as a mobile banking security method.

A spate of high-profile data security breaches has changed the face of mobile security in recent months.

It has also evolved the definition of the term biometrics. Once considered solely as the “application of statistical analysis to biological data,” the term has now been broadened to encompass the current state of mobile security in banking.

HSBC recently announced plans to offer biometric security technology, in the form of voice recognition and fingerprint authentication, to approximately 15 million UK customers by the summer, which would be the biggest implementation of biometric security to date.

This shows that companies are keen to incorporate biometrics as an integral component of their security plans, despite the opportunity it presents to hackers to steal people’s personal data.

In fact, according to a study conducted last year by Juniper Research, more than 770 million biometric authentication applications will be downloaded per annum by 2019, up from just six million in 2015.

With 600 million biometric smartphones already in use today, biometrics as a security method is becoming an increasingly universal solution.

What is the level of risk at play?

Ever wondered how easy it is to replicate a person’s fingerprints or retina scans?

If history is anything to go by, then not very difficult.

In 2013, hackers from Germany effortlessly bypassed the newly-released Touch ID from Apple just two days after it was launched by re-creating a fingerprint found on a glass surface.

Fast forward 12 months to a press conference featuring German politician Ursula von der Leyen. On this occasion, the hacker re-created the fingerprint of the then German defence minister simply by using a high-resolution photograph of her hand, which had been taken from a distance.

Just recently, researchers at an American university were able to copy fingerprints in 15 minutes using a £350 inkjet printer.

The research

Research states that 600 million biometric smartphones are in use today, a figure which represents 28% of the global base of smartphones. If more apps continue to implement biometrics technology, then the number of locations or server farms where these fingerprints are stored is also likely to increase.

Biometrics may still be at the introductory phase, but if this method of security were to flourish and get the full attention of the sophisticated hacker community – then who knows what the repercussions could be.

Biometrics may sound like a more secure, hi-tech method when compared to other forms of authentication, but the complications facing biometric security and the more traditional methods of password protection or phone number verification are different.

Not only can hackers steal passwords, but they can also steal fingerprints. If your password is stolen, you change it. But if your fingerprints are stolen, then what?

Biometrics, alone, is not enough

No single system is absolutely safe. Two-factor authentication (2FA), or multi-factor authentication as it is sometimes referred to, is the process of combining two levels of security to maximise protection.

In fact, last August the European Banking Authority (EBA) ordered that strong authentication must be put in place for online transactions – a move introduced to ensure high security protocols were met without impacting customer usability.

The EBA suggested using two of the following three security methods:

• Something only the user knows, e.g. a static password
• Something only the user possesses, e.g. a phone or a token-generator
• Something the user is, e.g. biometric authentication (such as fingerprints or retina scans)

Businesses must address two important issues when considering biometrics: security and the customer journey.

Interestingly, 61% of the UK population believe biometric identification is either just as secure as, or more secure than, the current system of passwords, with 40% happy to use fingerprints to access online accounts.

With modern society evidently willing to place their trust in biometrics, and with the rapid increase of smartphones with biometric facilities, it is important that businesses adopt this multi-factor method to ensure a maximum amount of security.

Standardisation – would this weaken security?

In terms of standardising the use of biometrics, especially in the case of biometric sensors, this would not solve the problem of security.

In fact, it is not the sensors that should be called into question when judging the validity of biometrics, but rather the devices being used to scan biometrics and where this data is stored once it has been accessed.

Large corporations, such as HSBC and MasterCard, have the means to manage biometric security, should the technology continue to thrive.

But what if smaller vendors, social networks or venues begin using it? It is unclear what will happen when biometrics becomes a universal form of security.

Passwords used to be novel; now they are ubiquitous and flawed in terms of security.

What is certain is that companies need to implement not just one form of security but multi-factor authentication for their customers.