With the rise of biometrics within financial services, could you become your own password? Bill Gates claimed the password could not meet the challenge of keeping information secure and predicted its demise. That was back in 2004. Thirteen years later, passwords are still very much alive.
The average person has about 90 passwords, according to password management company Dashlane. That is just too many to remember, which leads to poor ‘password hygiene’ — choosing weak, easy-to-remember passwords, reusing them across websites and writing them down.
Given recent high-profile password compromises, such as Yahoo, LinkedIn and Dropbox, biometrics is emerging as a credible alternative.
BODY OF EVIDENCE
Biometrics involves using measurable physical characteristics as a way of establishing or verifying identity. Examples include fingerprints, facial, voice and iris recognition, eye prints and heartbeat patterns. Within banking, biometrics is increasingly being used to enhance security and reduce fraud, drive efficiency, improve customer experience and promote financial inclusion.
As a snapshot of recent biometric activities, Barclays has rolled out voice recognition to UK personal customers telephoning the contact centre, removing the need for security questions and cutting call times. Japan’s Ogaki Kyoritsu Bank is expanding the use of palm vein authentication from selected ATMs to all branches. Mastercard is rolling out its fingerprint and facial recognition application in Europe to verify a cardholder’s identity and simplify online shopping.
Standardisation work is also underway to help organisations measure, compare and combine authentication mechanisms. Speaking at the Biometrics 2016 conference, Paul Grassi, senior standards and technology advisor at the National Institute of Standards and Technology (NIST), confirmed that his organisation was working on a common framework to measure biometric authentication strength. Work commenced on Strength of Function for Authenticators – Biometrics (SOFA-B) in early 2016, and a discussion draft of the proposal is open for consultation.
Banks have been trusted to keep people’s money safe for centuries, but what about their identities? Perhaps there is a new role for banks as stewards of digital identity and identity-as-a-service offerings.
When asked who they would trust to offer biometric authentication as a service to confirm identity, the majority of respondents in a Visa survey named banks ahead of payment networks, online brands and smartphone companies. Between 80% and 86% of those surveyed in France, Germany, Italy, Spain and the UK trusted banks.
However, banks are not the only organisations capable of providing identity-as-a-service. Smartphone providers could also play in this space. Some smartphone models are able to capture biometric data from users. This transfers the hardware costs of biometric enrolment from the bank or retailer to the consumer in the price of the phone.
Smartphones also make multi-modal biometrics possible (e.g. fingerprint, face and voice), as well as serving as a trusted device for extra security. This enables smartphone providers to offer federated services, just as consumer-facing web companies do by allowing their login credentials to be used on partner websites.
DEATH OF THE PASSWORD
So, how will we identify ourselves in 20 years from now? Many are predicting the death of the password, but is this premature? “Passwords won’t die soon. Passwords add an authentication factor. They could be considered complementary to other authentication factors, especially biometry,” says Guillaume Yribarren, vice president, marketing, digital security & authentication, Safran Identity & Security. “Passwords are still a very efficient way to add a security layer on top of biometry. You could access some very secure areas on your smartphone with a selfie as well as a password,” he concludes.
“Biometrics are one part of the answer to replacing passwords,” agrees Mike Lynch, chief strategy officer, at risk management and authentication vendor InAuth. “Another is identifying a device, such as a smartphone, and using that trusted token as another factor. To use the mobile device as a trusted token, you must assess that it is low risk, and that is where analysis of many [device-related] factors is important.”
Whilst biometrics, trusted devices and Big Data authentication techniques will hasten their decline, passwords are likely to live on for a few more years yet as a secondary or fallback authentication factor.
Plus, different companies are on different timelines. Implementing new authentication methods takes time and budget. Many companies will adopt a phased approach and are unlikely to migrate their entire customer base to a new authentication method quickly.
Passwords as part of digital identification and verification are set to be alive a while longer, even for the most progressive organisations.