Did you hear about the Russian hackers that have stolen over 1 billion passwords and user profiles?  It demonstrates the over-arching driver for biometrics.  Passwords aren’t just dead…they are a liability.  Of course, we have all known this for some time; IBM said as much in 2012, but the gravity of the situation is mind-boggling and alarming.  Nothing is secure, and that means what we, as a society, have been using to “secure” things is truly useless.  The password did serve its purpose for quite some time, acting as the security gateway to email accounts and low-security applications.  But today’s open platform of personal and business transactions taking place via the internet calls for a stronger authentication solution, such as biometric fingerprint software.

The main obstacle to mass adoption today is a general resistance or reluctance to tear out and replace sunk-cost infrastructure.  The market for fingerprint biometrics is huge, which is why it is one of our three focus areas: identity and access management, including healthcare, where we continue to make progress in building out our partner network.  Many economic research firms estimate a market measured in multiple billions of dollars annually.  Sometimes the forecasts are even higher.  Well, this is a massive upgrade cycle, a replacement cycle.  Industry doesn’t like spending billions of dollars unnecessarily, so there is reluctance to make large expenditures.  It’s inevitable, though.  The statistics are overwhelming and there is no choice.

A recent NY Times article suggests we use 14-character passwords to avoid having them compromised, and even go as high as 25 characters to ensure a higher level of security…all ridiculous by any standard.

There is an industry study that stated 79% of British consumers would ditch passwords for biometric security measures like fingerprint scanners. Fingerprint technology was voted as the most popular biometric method according to the new index and 53% of UK banking customers want banks to integrate fingerprint scanners into their digital banking services. The least popular method was found to be voice recognition, popular with 27% of customers.

The Future Password Index was determined from an online survey of 2,000 UK consumers, which was commissioned by Intelligent Environments following the company’s findings that 51% of UK banking customers expect their bank to introduce more innovative security measures.

Biometric authentication

Biometric fingerprint is your password

As for mobile banking, it would seem that anchoring someone’s identity on a device like a phone, which is vulnerable to hacking, brings some risks.  As we have pointed out, enrolling an identity on a phone without vetting the identity before enrollment could effectively enroll a fraudulent identity in the phone or service.  If that fraudulent identity is successfully enrolled in a phone, and the phone becomes the “trusted source” of that individual’s identity data, then there is no way to prevent that individual from committing frauds.  Importantly, this same risk exists in any situation where an identity is enrolled as the “trusted source” of identity data.  It doesn’t matter if that identity is enrolled in a large database, as within a bank, or on a phone, like with the Apple 5s, Samsung S5 or other FIDO Alliance deployment.  Now there is different jargon to describe this “vetting of the applicant”.  Some call it Identity Proofing, for example.  The point is the same.  Bad data in equals bad data out.  If you don’t know who you are enrolling in the service, you might be enabling a fraud; the marketplace is beginning to understand this and is looking for alternative architectures, because what has been done does nothing to solve this problem.

One important aspect of “vetting the applicant” is to ensure that the applicant is not already a customer, potentially under a different name or other falsified identity information.  Well, quite frankly, this type of identity proofing is effectively impossible within a system design where the phone is the primary source of user identity data.  And yet, biometrics are being deployed on the device first, and those that advocate this have gained much attention and notoriety.
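To make the architectural point concrete, here is an added example (not code from the original post or any vendor) of a minimal server-side enrollment flow in which identity proofing, including the duplicate-applicant check described above, is a precondition for binding a device credential to an account.  The service name, record fields, index key and sample applicants are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed server-side secret used to key the proofing index (assumption:
# in a real deployment this would live in an HSM or secrets manager).
INDEX_KEY = b"example-index-key-rotate-in-production"

def proofing_fingerprint(doc_type: str, doc_number: str, dob: str) -> str:
    """Keyed hash of the vetted attributes, not the claimed name, so a
    returning applicant under a new name still collides with the old record."""
    canonical = "|".join(p.strip().upper() for p in (doc_type, doc_number, dob))
    return hmac.new(INDEX_KEY, canonical.encode(), hashlib.sha256).hexdigest()

class EnrollmentService:
    def __init__(self):
        self.accounts = {}        # account_id -> proofing fingerprint
        self.by_fingerprint = {}  # proofing fingerprint -> account_id
        self.device_keys = {}     # account_id -> device public key (opaque str)

    def enroll(self, account_id, name, doc_type, doc_number, dob, device_pubkey):
        """Returns ("enrolled", account_id), ("rejected", reason) or
        ("duplicate", existing_account_id).  The device key is never bound
        until proofing succeeds: the server, not the phone, decides whose
        identity this credential represents."""
        if not doc_number or not dob:
            return ("rejected", "identity not vetted")  # no document, no enrollment
        fp = proofing_fingerprint(doc_type, doc_number, dob)
        existing = self.by_fingerprint.get(fp)
        if existing is not None:
            # Same vetted identity already on file, whatever name was claimed.
            return ("duplicate", existing)
        self.accounts[account_id] = fp
        self.by_fingerprint[fp] = account_id
        self.device_keys[account_id] = device_pubkey
        return ("enrolled", account_id)

def demo():
    svc = EnrollmentService()
    r1 = svc.enroll("acct-1", "A. Smith", "passport", "X123456", "1980-01-02", "pk-phone-1")
    # Same passport and DOB, different name and a second phone: flagged, not a new account.
    r2 = svc.enroll("acct-2", "B. Jones", "passport", " x123456 ", "1980-01-02", "pk-phone-2")
    # No document presented: the device key alone does not establish an identity.
    r3 = svc.enroll("acct-3", "C. Doe", "", "", "", "pk-phone-3")
    return r1, r2, r3
```

In a device-centric design the second and third applicants would each simply receive a new credential, because nothing outside the phone is positioned to notice the collision or the missing vetting.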

We have seen some interesting behavior in the biometrics and mobile industries within the context of these risks associated with “identity proofing” and weak authentication systems.  What’s interesting is that the primary sponsors promoting various device-centric system architectures, like PayPal in the FIDO Alliance architecture, appear almost dismissive of security vulnerability concerns cited within their promoted architectures.

After the Samsung S5 fingerprint sensor was spoofed within 24 hours of release, PayPal’s reaction was to shrug its shoulders and point to other security features that offset the fingerprint vulnerability.  Within the last couple of weeks, however, additional articles have described how PayPal’s two-factor authentication systems are also actually quite weak and vulnerable.  Again, the shrug.

It all begs the question “Why?”

Why wouldn’t an entity like PayPal seem to care more about the security vulnerabilities?  Well, is it possible that the early adopters of biometrics, like the phone manufacturers and FIDO stakeholders, are actually more concerned with promoting user convenience than with user identity security?  If there is no inherent risk, can anyone blame them?


According to Goode Intelligence: “Following on from the successful launch of fingerprint authentication for mobile payments on the Samsung Galaxy S5, PayPal are reportedly working on an app to leverage the Touch ID fingerprint environment once Apple releases iOS 8.”  So we can see that we are closer to fingerprint authentication becoming the standard for mobile authentication and mobile banking, but we foresee that additional R&D is ahead as all mobile providers seek a fingerprint algorithm that offers the right balance of security and convenience.  We believe it will be a matter of time before the manufacturers and the customers themselves vet out the right technology, and at that point the password will go the way of the dinosaur.