Biometrics: the death of the password?

by James Holt, Senior Consultant, Financial Services

Passwords… passwords have been around since the dawn of computing, and were used even before then to allow or prevent access. The concept of a password is simple, but the more our personal data is moved online, the more value this shared secret protects. In the early days of the internet, a password might have granted you access to a simple message board, but now passwords protect vast databases of your personal information: from family photos to medical records, via bank accounts and cloud storage.

Passwords… upon reading that word your brain probably jumped to fussy sign-up screens asking for an inane combination of special characters, numbers and letters, with requirements differing from website to website. You probably thought back to countless password resets and security questions which could be bypassed with a quick Google search. We have been told we shouldn’t use the same password for multiple sites, but we do. Companies mandate a password change for employees every few months, with the same stringent requirements each time.

So what do we do? We make patterns, we reuse, or – whisper it – we write them down. All behaviours which might make life easier for us but which circumvent the very thing complicated password requirements are trying to create – security.

In their current form, passwords give the illusion of security; it is something we know, something we are familiar with. The starred out field cloaking our favourite sports team, the asterisks covering our last holiday destination. But what else is that field hiding… it is hiding an uncomfortable truth – passwords are hard for us to remember, but easy for computers to guess.

Attackers crack passwords by guessing, and dictionary words, common patterns and previously leaked passwords let them make the likeliest guesses first, which speeds up the process enormously. To make matters worse, many people choose the same weak passwords: in SplashData’s 2015 list of the most common leaked passwords, the top two were “123456” and “password”.
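To show what that guessing looks like in practice, here is an added example (not code from the original post or from Sopra Steria): a small dictionary-plus-mangling-rules attack against a constructed set of password hashes. The word list, the rules and the victim passwords are all made up for the illustration, and unsalted SHA-256 stands in for whatever hash the target system really uses.

```python
import hashlib

# Constructed stand-in for a "previously leaked" list (a real attack would use
# something like the SplashData top-100 or a full breach dump).
WORDLIST = ["123456", "password", "qwerty", "football", "letmein", "dragon"]

# Mangling rules: the substitutions and suffixes people use to satisfy
# complexity requirements, which a cracker applies mechanically.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0"}
SUFFIXES = ("1", "123", "!", "1!", "2015", "2016")


def mangle(word):
    """Return the candidate variants of one base word, in the order a cracker
    would try them, with duplicates removed (e.g. "123456".upper() == "123456")."""
    leet = "".join(LEET.get(c, c) for c in word)
    bases = [word, word.capitalize(), word.upper(), leet, leet.capitalize()]
    candidates = list(bases)
    for base in bases:
        for suffix in SUFFIXES:
            candidates.append(base + suffix)
    return list(dict.fromkeys(candidates))


def sha256_hex(text):
    # Unsalted SHA-256 is used here only to keep the example self-contained.
    # Real password stores should use a slow, salted hash (bcrypt, scrypt,
    # Argon2); that raises the cost per guess but does not change the attack.
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes, wordlist):
    """Guess every mangled variant of every word against the target hashes.
    Returns ({hash: recovered_password}, total_guesses)."""
    remaining = set(target_hashes)
    recovered = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            digest = sha256_hex(candidate)
            if digest in remaining:
                recovered[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return recovered, guesses
    return recovered, guesses


# Constructed victim passwords. The middle two satisfy a typical "upper case,
# digit, symbol" policy; the last is random and derived from no dictionary word.
VICTIMS = ["123456", "Football2016", "P@ssw0rd!", "xK9#vLm2$pQw"]
VICTIM_HASHES = [sha256_hex(p) for p in VICTIMS]


def demo():
    """Run the attack and return (sorted recovered passwords, guesses made)."""
    recovered, guesses = crack(VICTIM_HASHES, WORDLIST)
    return sorted(recovered.values()), guesses


if __name__ == "__main__":
    found, n = demo()
    print(f"recovered {found} in {n} guesses")
```

Three of the four passwords fall in under two hundred guesses, including the two that would pass a complexity checker; only the random one survives, and that is precisely the kind of password nobody can remember.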

Even a password that satisfies complexity rules is rarely safe: if it is built from a word plus a predictable suffix or substitution, rule-based guessing finds it quickly, and advances in computing power keep shortening the time needed for the rest. Only long, random secrets stay out of reach, and those are exactly the ones people cannot remember. We are playing into the hands of the hackers. But there is another way, a better way…

Biometric authentication is the process of controlling access using something you are: something you always carry with you and something that is unique to you. This could be your face, your voice or your fingerprint, or a combination of these.

Signing in using a biometric identifier is quick, taking a second or two. This is especially relevant in a mobile environment, where typing out a password on a small or virtual phone keyboard can often be slow and inaccurate. Biometrics also offer flexibility to the user – different identifiers can be used in different situations. You wouldn’t want to use voice recognition on a crowded train, and you wouldn’t be able to use face recognition in a darkened room, so by offering multi-modal biometrics, the user can stay secure without any inconvenience.

Multi-factor authentication is the process of using more than one factor to log in, ideally of different kinds: something you know, something you have and something you are. It is often implemented as a password plus a one-time code sent to your device. This approach significantly improves security and is increasingly being adopted by online services and corporations. Biometrics integrate naturally into this multi-factor approach, with a biometric serving as either the primary or the secondary factor. In addition, thanks to the speed of the biometric authentication process, customers can be asked to ‘step up’ their authentication to perform certain functionality. For example, a customer could log in to online banking using a four-digit PIN, which would unlock only simple functionality: the account balance and last transactions. To make a payment or set up a new payee, however, the customer could be prompted for a fingerprint, voice or face sample to provide the required additional security.
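The step-up flow described above, as an added example rather than code from the original post or from any bank’s system: each credential is mapped to a factor category (a biometric is “inherence”), each action declares which categories it needs and how fresh they must be, and anything without a policy is refused. The action names, freshness windows and the policy table itself are assumptions made for the illustration.

```python
import time
from dataclasses import dataclass, field

# Which kind of factor each credential is. Biometrics are "inherence"
# (something you are); a PIN is "knowledge"; a one-time code is "possession".
FACTOR_CATEGORY = {
    "pin": "knowledge",
    "password": "knowledge",
    "otp": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
    "voice": "inherence",
}

# Hypothetical policy: for each action, the factor categories that must have
# been verified and how recently (seconds). Low-risk reads need only the PIN
# from login; payments additionally need a biometric captured in the last
# two minutes, so a phone left unlocked cannot be used to move money later.
ACTION_POLICY = {
    "view_balance":      {"knowledge": 3600},
    "view_transactions": {"knowledge": 3600},
    "make_payment":      {"knowledge": 3600, "inherence": 120},
    "add_payee":         {"knowledge": 3600, "inherence": 120},
}


@dataclass
class Session:
    # factor name -> epoch time it was last successfully verified
    verified: dict = field(default_factory=dict)

    def record(self, factor, now=None):
        """Record a successful verification of one factor."""
        if factor not in FACTOR_CATEGORY:
            raise ValueError(f"unknown factor {factor!r}")
        self.verified[factor] = time.time() if now is None else now


def authorise(session, action, now=None):
    """Decide whether `action` may proceed on `session`.

    Returns ("allow", set()), ("step_up", {categories still needed}) or
    ("deny", set()) for actions with no policy, so new functionality fails
    closed until someone assigns it a requirement."""
    policy = ACTION_POLICY.get(action)
    if policy is None:
        return "deny", set()
    now = time.time() if now is None else now
    missing = set()
    for category, max_age_s in policy.items():
        fresh = any(
            FACTOR_CATEGORY[factor] == category and now - verified_at <= max_age_s
            for factor, verified_at in session.verified.items()
        )
        if not fresh:
            missing.add(category)
    return ("allow", set()) if not missing else ("step_up", missing)


def scenario():
    """The banking flow from the text, with fixed timestamps so it is repeatable."""
    s = Session()
    s.record("pin", now=1000)                      # PIN login
    steps = [
        authorise(s, "view_balance", now=1005),     # allow: PIN is enough
        authorise(s, "make_payment", now=1010),     # step_up: needs a biometric
    ]
    s.record("fingerprint", now=1012)              # user provides fingerprint
    steps += [
        authorise(s, "make_payment", now=1015),     # allow: fresh biometric
        authorise(s, "add_payee", now=1300),        # step_up: fingerprint now 288 s old
        authorise(s, "close_account", now=1300),    # deny: no policy defined
    ]
    return steps
```

The freshness window is the part worth copying: a biometric checked at login is not a biometric checked at payment time, so the policy asks for one that is only seconds old, and a second sensitive action a few minutes later prompts again rather than riding on the earlier match.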

A customer’s biometric can also be combined with behavioural analytics to further strengthen security. Behavioural analytics takes user metadata like location and typical log-in times to determine the likelihood that an action is genuine. But more on that in another post…

Biometric authentication has applications beyond simple integration into a mobile application. A voice recognition function could be introduced in a call centre environment to verify customers before they are put through to an advisor, removing the need for lengthy security questions. This technology is smart too: analysing different aspects of a customer’s voice – pitch, emphasis, pronunciation, even throat and mouth shape. In addition, this technology can detect if the caller is speaking under duress or panic. It can be implemented in a passive and non-intrusive way – a customer is authenticated in the background whilst having their conversation with an advisor.

Biometric technology also has a significant use-case in authorising online payments. Currently, knowing the card details alone can be enough to defraud a consumer, because the ‘3D Secure’ password prompt (MasterCard SecureCode, Verified by Visa) only appears for some transactions. According to a MasterCard survey of 10,000 people, 53% of shoppers forget crucial passwords more than once a week, losing more than 10 minutes while they reset their accounts. As a result, more than a third of people have abandoned an online purchase, while 60% said that having to reset a password led to missing a time-sensitive transaction such as buying concert tickets. More than half want to see passwords replaced by something more convenient that still delivers the same level of protection and peace of mind.

As verifying your identity using a biometric is so quick, it is a natural fit for online transactions. Furthermore, with many modern phones featuring biometric hardware such as a fingerprint sensor, consumers are already comfortable with the process. MasterCard has recently announced its ‘IdentityCheck’ app, which authenticates payments using either facial or fingerprint biometrics. Pilots in August last year proved successful, with a global rollout planned for early 2017.

When new technology reaches consumers, it is often adopted first by the young, tech-savvy demographic, who are more accustomed to learning abstract interfaces and complex operations. With biometrics, however, the process is intuitive and simple, making life easier whatever your age group or background. There is also an equality and accessibility angle: biometric identifiers provide options for those who are unable to remember passwords or who struggle to type on their mobile devices.

If the user experience is slick and easy, customers are more likely to use a service and access it more frequently. With registration/signup commonplace on many websites, users have lots of passwords to remember: this represents a substantial opportunity for a biometric authentication solution.

At the end of 2014, USAA – a Fortune 500 company – offered biometric authentication to 1.4 million customers and by October of the following year, over 1 million had registered to use it. Their headline statistic shows how popular the option has become – 80% of customers have now chosen to authenticate using a biometric identifier over a PIN.

User expectations of banking are changing. Consumers expect functionality to be available using mobile apps, without the need for traditional, face-to-face banking. Security guards and vaults provide peace of mind in the physical world, but maintaining security in the digital world is more challenging. Biometrics provide the means, the assurances and the simplicity for better authentication, safeguarding our future.


Read more about Sopra Steria’s Biometrics offering.