
HSBC Allows Selfies for User Authentication

HSBC bank has become the latest financial institution to adopt smartphone-based biometrics as a form of user authentication. Institutions already doing so include MasterCard (selfie), Barclays (voice) and Bank of Montreal (selfie or fingerprint). HSBC’s chosen method is the selfie.


Phones have been a key element in providing two-factor user authentication for many years. The usual method has been to send the user a one-time password via SMS. The advantage of the SMS approach is that it can be used whether the user has a standard mobile phone or a screen-based smartphone. But there are three primary disadvantages: first, it is disliked by consumers because of the additional effort (friction) required; second, it ultimately only verifies the device, not the user; and third, in combination with the second issue, it is a method that can be compromised by malware.

NIST recently made it clear that it does not support SMS-based authentication, while studies have shown that users are ready to accept biometrics.

Biometric authentication goes a long way to solving the problems with SMS-based authentication. In terms of ease-of-use, there is minimal user friction — the user does not have to remember anything nor enter an additional passcode via the keypad. In terms of security, properly functioning biometric authentication verifies the user and not just the device.

For now, the HSBC selfie is purely for opening new accounts, and clearly aimed at attracting new, young customers. It works with HSBC’s selfie mobile app available for both Android and iOS. The user must upload a photo ID document, such as a driver’s license or passport. The selfie is then compared to the verified photo image to confirm the identity of the user.

“Through simplifying the ID verification process, we’ll be able to save our business customers time and open accounts quicker,” said Richard Davies, HSBC’s Head of Global Propositions for Commercial Banking. “We also expect the convenience and speed of a ‘selfie’ to become the verification method of choice for our customers, who no longer need to visit a branch to complete the process.”

This same ease-of-use argument is being considered by the wider corporate community. Making authentication difficult for the user (for example, by insisting on frequently changed long and complex passwords) invites them to find insecure ways to simplify the process; or simply complain about the difficulties. While corporates have a history with their own employees and can include behavioral analysis to verify the user, banks have no such prior history with new customers. Straightforward biometrics is a useful solution — and since there is a necessary consent contract with opening a bank account, banks don’t have the privacy issues that could be involved with companies storing biometric records of their employees.

This doesn’t mean that facial biometrics are without problems. Historically they have been prone to false positives, depending on the angle of view and lighting. Repeated false positives would generate as much user friction as other methods of authentication, including visiting the local branch. We can assume that HSBC’s trials and studies have concluded that its expected false positive rate falls well within acceptable bounds.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
