“Will Biometrics Replace Passwords?” is the Wrong Question

by Tim Sloane

It is clear that users will flock to biometrics, such as face recognition on a mobile phone, as a replacement for passwords because biometrics offer greater convenience. But a more important question is “are biometrics safer?” The face recognition software that I enabled on my Samsung device made it crystal clear: it isn’t!

This blog post on MobilePaymentsToday.com, written by Peri Kadaster, the Director of Strategy & Marketing at Monitise, clearly identifies the problem from the consumer perspective:

“We use passwords constantly to log into dozens of systems and services every single day. And as the number of systems and services we subscribe to grows, the more we have to remember.
According to a study from Cyber Streetwise, the average consumer in the U.K. needs to recall 19 passwords on a regular basis for desktop and network logins, email, social networks, e-commerce and banking. As the number of online services increases, so too does the complexity of the passwords as users now often are prompted for alphanumeric combinations while also being mandated to change passwords on a regular basis.
While this process is frustrating, authenticating consumers quickly and securely is critical to all industries, none more so than financial institutions. The challenge is to guarantee effective security without harming the user experience.
Consumers demand a balance between security and simplicity. This is where the use of biometrics comes into the picture by providing faster, easier and more robust authentication in a seamless way.”

Peri explains what a biometric is and then identifies recent obstacles to adoption:

“Cost has been one of the biggest historical challenges of deploying biometric security technology. A combination of complex sensors, devices or cameras is needed to deploy this technology. It relies on hardware that has previously been priced prohibitively. However, with the advances in computing over the past decade, such technology has become table stakes. Indeed, today every smartphone is already equipped with sensors which facilitate biometric authentication. These can include fingerprint authentication, voice recognition via microphones, or facial/iris recognition via cameras.”

While it is true that mobile device technology has drastically reduced the cost of implementing biometrics, it is also true that most of these devices were not designed to collect data suited to biometric authentication; the face recognition solution is just one example. There remains a large range of issues that make biometrics a questionable replacement for the authentication protocols widely in use today. Perhaps the top three issues are these: 1) What is the value of the data being protected? 2) How easily can the biometric be duplicated? 3) How can biometric authentication be standardized to assure quality and prevent the consumer from being locked in to a single vendor because all data is tied to that vendor’s unique authentication mechanism?

For example, ignoring for a minute the specific accuracy of Apple’s Touch ID, it is clear that the higher Apple sets the sensitivity to protect against false positives, the more likely it is that the Touch ID user will experience false negatives and eventually stop using the fingerprint biometric.

So how should Apple adjust Touch ID: to protect my phone contact list or to protect my bank account? Today, Apple had to pick just one (I assume my contact list, so I expect my bank to take efforts to enhance authentication for accessing my bank account!). Tomorrow Apple might make Touch ID risk metrics adjustable and perhaps incorporate multiple types of biometrics to improve the authentication accuracy.
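The trade-off described above, worked through as an added example (not from the original post, and not a model of Touch ID): it picks a match threshold for each of two protected assets and reports the resulting false-accept rate (FAR) and false-reject rate (FRR). The match scores, their distributions and the per-asset FAR limits are constructed assumptions.

```python
# Added illustration: constructed match scores, not measurements of any real sensor.
import random

def sample_scores(seed=7, n=5000):
    """Constructed similarity scores in [0, 1]: genuine attempts cluster high, impostors low."""
    rng = random.Random(seed)
    clip = lambda x: min(1.0, max(0.0, x))
    genuine = [clip(rng.gauss(0.75, 0.10)) for _ in range(n)]
    impostor = [clip(rng.gauss(0.40, 0.10)) for _ in range(n)]
    return genuine, impostor

def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR): share of impostors accepted and of genuine users rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def threshold_for(genuine, impostor, max_far):
    """Lowest threshold (in 0.01 steps) whose false-accept rate stays within max_far."""
    for step in range(101):
        t = step / 100
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the requested FAR")

# Hypothetical risk tiers: tolerated false-accept rate per protected asset.
RISK_TIERS = {"contact list": 1e-2, "bank account": 1e-4}

def tune(seed=7):
    """Map each asset to (threshold, FAR, FRR) under its tolerated FAR."""
    genuine, impostor = sample_scores(seed)
    return {asset: threshold_for(genuine, impostor, far)
            for asset, far in RISK_TIERS.items()}

if __name__ == "__main__":
    for asset, (t, far, frr) in tune().items():
        print(f"{asset:12s} threshold={t:.2f} FAR={far:.4%} FRR={frr:.2%}")
```

A single fixed threshold serves only one of the two tiers: the setting strict enough for the bank account rejects the legitimate user far more often than the setting that is adequate for the contact list.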

Regarding standardization, Peri offers information regarding the FIDO Alliance:

“The FIDO Alliance, a non-profit consortium comprised of several big companies including Microsoft, Google, Visa, MasterCard, PayPal, Bank of America and more, recently published its final specifications to “kill” traditional passwords.
Their aim is to establish an open standard for online authentication in order to create an open, scalable, interoperable, seamless and strong authentication system for end users. More important is the FIDO Alliance’s focus on leveraging existing biometric capabilities within mobile devices such as fingerprint sensors, iris scan, voice recognition and facial detection.
The move by more smartphone manufacturers to embed biometric capabilities on their devices alongside interoperable authentication standards will contribute to a rapid and widespread adoption of biometric authentication technologies. According to a prediction by MarketsandMarkets, the overall biometric market is increasing with a CAGR of 17.6 percent until 2020.
As more banks, financial organizations, and governments become aligned with tech providers on the topic of security innovation, we’ll continue to see a shift away from traditional passwords toward biometric authentication.”

As already suggested, consumers will take the easiest path, and so Mercator expects significant growth rates for biometrics usage. Mercator is less comfortable with how effective the FIDO Alliance will be in establishing standards that are adopted broadly by device manufacturers and remain up to date with technology. The FIDO Alliance is fighting the good fight, trying to align suppliers to assure that competent biometrics are implemented in a fashion that doesn’t lock the consumer in. Through no fault of its own, the FIDO Alliance is trying to accomplish this in an environment of insane technological advancement that will almost certainly leave any recommended standard unable to address all of the new technologies that will greatly increase the accuracy of authentication.


Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
