Showing posts with label biometrics.

17 July 2015

VIDEO: Winfrasoft CEO, Steven Hope Explains Why the Time Has Not Yet Come for Biometrics

Last week our CEO, Steven Hope, joined leading privacy, identity and security experts from across Europe to present at Building Trust on a Hyperconnected World, an event hosted by EEMA and OASIS at the EMEA headquarters of CA Technologies, Ditton Manor.

In the session entitled ‘Biometrics: the time has come?’, Steven was joined by Professor JJ Nietfield from the University Medical Centre in Utrecht, the Chair of the OASIS IBOPS Technical Committee, Abbie Barbir and Executive Director of EEMA, David Goodman. During his presentation and the panel debate which followed, Steven shared his perspective on the hype surrounding the use of biometrics. He explained that whilst the technology does have the potential to have a place in the identification and authentication process, there is a reason why it has not yet taken off in the way many experts had expected.

Steven argued that the proliferation of biometrics on the latest smart devices is focused on delivering a convenient user experience, and is not about delivering tight security, despite the worrying efforts of some large organisations (especially those in the banking sector) trying to find ways to exploit the likes of TouchID for authentication purposes. He also observed how the word ‘biometrics’ has wrongly become synonymous with security, and explained how smart devices operating consumer-grade biometric sensors could not and should not be expected to deliver the accuracy and reliability of high-end biometrics equipment used in the commercial world.

You can watch Steven's full presentation here...


14 July 2015

Passwords won’t be gone in the blink of an eye

I truly believe we are about to turn the corner in finally replacing password-based authentication, but I am concerned that many organisations (some vendors and some end-user businesses) are getting a little distracted with the current flavours of the month.

Last month I posted a blog explaining why emojis are not the future of authentication. This week I find myself having similar conversations about selfies, following MasterCard’s announcement that it is experimenting with a mobile app, through which the customer poses for a selfie, blinks and hey presto they are authenticated!

Many of us use emojis and take selfies every day (as well as using social networks, which is another method being considered), so at face value it would seem to make sense to try to find ways of adopting them as authentication tools. However, passwords have been with us for a long time, and don’t think that they are going to go in the blink of an eye!

From an end-user perspective passwords cause us headaches, because they are overused and, as we all do so much online, we need to remember so many of them. Most of us solve this problem by using the same password (or variations of it), causing organisations major headaches as we compromise their security protocols. The thing is, we all want to be secure and protected but we are also impatient and don’t want to be inconvenienced, so we look for short cuts.
Now, imagine this brave new world where passwords have been replaced by the headline-hitting gimmicks. As it is the start of July, you want to log in to your online banking to check you have been paid. To do so you are asked to provide a fingerprint (biometric). Great news: you have money in your account. Now it is time to renew your car insurance, and they want you to prove you are who you say you are with a selfie. Next you decide to do your weekly shop, but before you can arrange delivery you need to use your secret combination of emojis. Three different methods to authenticate. Suddenly passwords don’t seem so bad!

For all their failings, passwords are ubiquitous in our society. There is an encouraging groundswell of support to displace them, but if they are to be usurped it needs to be with something that has the potential to become just as prolific and lasting, and crucially doesn’t cause the people who use them pain.

Author: Fred Astfeldt, Winfrasoft


11 June 2015

Reducing Customer Friction with Better Authentication

Retail banks around the world are trying to get to grips with a difficult challenge: how to make their identification and authentication processes secure enough to protect them and satisfy the regulators, but at the same time balance that with the desire of customers to have a frictionless experience. This was one of the key issues that was debated at a one-day conference held at the Department of Business Innovation and Skills in London last week.

Attended by experts in e-identity and authentication, those working in some of the largest banks in Europe, as well as representatives from the European Commission and the European Banking Association (EBA), the event was held a few weeks after 24 out of 28 authorities from EU member states signed up to the new EBA guidelines for online payment security. Coming into force from 1st August 2015, these guidelines require banks to have stronger authentication whereby a customer must provide non-reusable security details. So, unsurprisingly, online payments was a red-hot topic of conversation.

The problem with online payments today is that when consumers buy something online they reach for their debit or credit card. However, these cards were introduced when there was no Internet and were designed to be presented at the point-of-sale. As a result banks are having to deal with huge amounts of fraud from online card payments, costing huge sums of money and draining resources.

Since their introduction cards have evolved, with chip-and-PIN and, more recently, contactless payment technology for low-value transactions, but the latter makes these cards more, rather than less, susceptible to crime. So it is interesting to see the rapid uptake of this innovation, which suggests customers are willing to trade a level of security for convenience, in much the same way as they opt for easy-to-remember passwords for their online accounts.

The problem for banks is that whilst customers may be happy with a trade-off, the banks and their regulators are not. However, they know that to gain and retain customers they need to find ways of delivering a more frictionless online experience. Hence, whether you are a business or a retail customer, you may have seen the need for your card reader or key-ring number generator (otherwise known as a hard-token) diminish in favour of more convenient methods of online authentication. Of course, this is also great news for banks as the cost to administer these devices is very high indeed.

However, during the conference it was clear that banks are eager to find ways to strengthen their identification and authentication processes in a friction free manner, and worryingly many explained how they are investigating the use cases of biometrics in all its forms.

In my opinion, there are a number of significant stumbling blocks when it comes to biometrics. Not only the level of investment and management that is required, and the sophistication of biometric readers on the current crop of ‘smart devices’, but also the challenge and cost of on-boarding all new and existing customers. This is far from the frictionless experience that customers are wanting, and banks are replacing one costly technology with another! Also, these readers currently feature on the higher end devices, alienating the majority of customers. And, as one speaker was quick to point out – what happens if a customer using biometrics is a victim of fraud? Criminals will undoubtedly find a way to cheat the system. So, how does a victim then go about proving they are who they say they are?

One of the most insightful observations of the day was that banks can choose to add as many ‘layers’ of security as they wish, but if they are going to satisfy the customer they need to make the customer feel like they are using just one, any more and they feel like barriers. So, whether they are logging on or transacting via a website, on a desktop PC, a browser on a smartphone or tablet, or via an app, the process needs to be convenient, reliable and of course trusted.

This is why the username, password and memorable information approach has been well adopted, as it is device agnostic. So, if you want to have stronger security (and whilst this approach is strong it could be stronger) you need to find a solution that can also work in this environment, and currently biometric readers are neither robust nor ubiquitous enough to satisfy these requirements.

However, there was unanimous consensus that using smart/mobile devices was undoubtedly the way forward. Using these devices presents a way to improve the authentication process for banks, without adversely impacting or burdening the customer. Yet, rather than biometrics, these devices can be used to replace card-readers or key-ring tokens, by augmenting the username and password login with a one-time code generated through an offline app residing on the device.

From the banks’ perspective this approach is relatively inexpensive when compared to hard-tokens and biometrics. It can be rolled out rapidly at a regional, national or international level and it eases the possible friction for the customer.

Another great benefit of this approach is that as well as being used for logging on to online bank accounts, it can also be used for swift online transaction verification, meaning online card payments can be afforded a far greater level of protection, which is great news for the banks who can save millions in reduced fraud incidents and the customers who are less likely to be innocent victims.

Author: Steven Hope, CEO, Winfrasoft
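
The post above describes an offline app producing a one-time code for login and for online transaction verification. The sketch below is an added example, not part of the original post and not Winfrasoft's product code: it assumes a counter-based HMAC code (RFC 4226 style truncation), and the transaction binding format and the names `BankVerifier`, `login_code` and `transaction_code` are hypothetical. It shows the two properties the post relies on: a used code cannot be replayed, and a transaction code only verifies for the payee and amount it was generated for.

```python
import hashlib
import hmac
import struct


def one_time_code(secret: bytes, message: bytes, digits: int = 6) -> str:
    """HMAC-SHA1 plus RFC 4226 dynamic truncation to a short decimal code."""
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login_code(secret: bytes, counter: int) -> str:
    # Plain HOTP: the message is just the 8-byte counter.
    return one_time_code(secret, struct.pack(">Q", counter))


def transaction_code(secret: bytes, counter: int, payee: str, pence: int) -> str:
    # Assumed binding format: counter, then length-prefixed payee and amount,
    # i.e. the details the customer sees before approving the payment.
    details = f"|{len(payee)}:{payee}|{pence}".encode()
    return one_time_code(secret, struct.pack(">Q", counter) + details)


class BankVerifier:
    """Server side: shares the secret and tracks the next unused counter."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret, self.counter, self.window = secret, 0, window

    def _check(self, code: str, make_code) -> bool:
        # Look a few counters ahead so codes that were generated but never
        # submitted do not lock the customer out.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(make_code(c), code):
                self.counter = c + 1  # burn it: a replayed code now fails
                return True
        return False

    def verify_login(self, code: str) -> bool:
        return self._check(code, lambda c: login_code(self.secret, c))

    def verify_transaction(self, code: str, payee: str, pence: int) -> bool:
        return self._check(
            code, lambda c: transaction_code(self.secret, c, payee, pence))


SECRET = b"12345678901234567890"  # constructed demo secret (RFC 4226 test key)
```
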


18 February 2015

Would you use Touch ID for your mobile banking?

You will likely have seen the news that RBS and Nat West are planning to use Apple's Touch ID. On the face of it, it would seem to make perfect sense to make use of this latest innovation in smartphone technology; however, in my opinion Touch ID for banking is not a good idea.

Firstly, when this technology was launched it was hacked within days and with relative ease, and that was not a big surprise. After all, it simply isn’t commercially viable to place high-quality biometrics technology on a mass-market consumer device costing a few hundred pounds.

I myself am an iPhone user and stopped using Touch ID when I challenged a friend over dinner to get access to my device. It wasn’t until I got home later in the evening that I realised he had succeeded in changing some of my settings.

We do need to move away from passwords, and what they are replaced with must strike a balance between delivering security and usability if it is going to become ubiquitous. For me, whilst this latest news from RBS and Nat West is a great headline grabber, it is ultimately the latest gimmick on the biometrics bandwagon.