Thomas Bostrom Jorgensen - CEO, Encap Security
After fingerprints, faces, heartbeats, voices and even ears, what is next for biometrics? What new part of the body could be pressed into service as a unique signifier of who we are – without breaking indecency laws?
Biometrics do offer a high level of security, but it’s not an infallible system. In the U.S, 5.6m government employees have had records of their fingerprints stolen. Hackers can reconstruct fingerprints from a high-definition photo. And it has been possible to subvert a facial recognition system simply with a photograph.
Biometrics: Evolution not revolution
This means that the biometric technology we have now will have to continue to improve and defeat hackers, but the advances we will see are likely to be evolutionary rather than revolutionary – unless someone figures out a radical new way to identify someone. Also, the tech embedded in devices will get cheaper and easier to embed, but the forecast here is for gradual changes rather than huge leaps.
For device manufacturers, this creates a problem: It’s trickier to make a device tempting to consumers by telling them that it’s only “slightly better”. It’s a situation somewhat akin to cameras in phones – initially cameras were a point of differentiation, as were subsequent substantial improvement in technology, but improvements are now minor and mostly unnecessary; the promise of 52 megapixel cameras is unlikely to be a deal breaker to anyone but the most enthusiastic photographer.
All under one roof
If rumours are to be believed, the next step in smartphone authentication will be the combination of different biometric elements: ‘All-in-one’ biometric authentication. As an example Synaptics has partnered with KeyLemon to create its Fusion Engine, and has been testing all-screen smartphone designs where the fingerprint reader is embedded into the display and works with face or iris recognition so that more than one biometric data point can be used to unlock the device. The iPhone 8, due to be released later in 2017, is said to have a similar system in the works, but it’s unclear if this is the same system or its own proprietary software.
This is how biometrics will work in the future – no longer will a device manufacturer decide which single biometric technology to embed into a device, but will be able to provide many without creating a device with an unwieldy form factor. Want to unlock your device with a fingerprint? No problem. Prefer facial recognition? That’s fine too. Want your device to demand both factors if behavioural biometrics or location flags a potential issue? Simple.
PSD2: Capitalise on compliance
It’s clear that Touch ID and Android’s fingerprint scanner is no experiment, set to disappear from the handset in a couple of generations. Instead, biometrics looks set to be as integral to mobile devices as messaging and voice. Hardware, software and cloud-based analysis will get ever-more sophisticated and give anyone relying on this method of authentication far more confidence in the user’s identity. The mobile device will be what proves who you are.
Financial service providers should be paying close attention to this trend.
Payment Services Directive 2 (PSD2) regulations demand that transactions need Strong Customer Authentication – essentially, at least two-factor – and while there are exceptions, these are currently ill-defined. The embedding of multiple biometric authentication technology creates the opportunity for financial services to leverage this technology. Consumers will appreciate the convenience of authenticating with a simple “tap OK”, and the possibility of stepping up authentication with a fingerprint, selfie or iris authentication if a transaction is particularly risky. This approach also limits the impact of future regulation that may demand different methods of approaches to authentication.
All-in-one authentication means that financial service providers can have complete confidence in relying on device-based authentication for their services. Its likely adoption by the iPhone pretty much guarantees that it will become mainstream, meaning that more devices will boast biometric technology, and more than one type. It also means that financial service providers don’t have the worry and huge expense of issuing their own technology for biometric authentication – with the added risk of being ‘locked in’ to a technology that is quickly obsolete.
Banks and other providers do, however, need to be careful about how they use biometrics. If the fingerprint or iris scan is used to unlock a password - for example one stored on the iOS keychain - then this is not truly two-factor authentication, and won’t meet the demands for Strong Customer Authentication. Just using biometrics is not enough – biometrics need to be bound to the user, not the device.
When consumers have sophisticated biometric-enabled technology they carry daily – and update at their own expense every couple of years - it’s the obvious path for any service that demands a high level of security.