
HSBC Allows Selfies for User Authentication

HSBC bank has become the latest financial institution to adopt smartphone-based biometrics as a form of user authentication. Institutions already doing so include MasterCard (selfie), Barclays (voice) and Bank of Montreal (selfie or fingerprint). HSBC’s chosen method is the selfie.


Phones have been a key element in providing two-factor user authentication for many years. The usual method has been to send the user a one-time password via SMS. The advantage of the SMS approach is that it can be used whether the user has a standard mobile phone or a screen-based smartphone. But there are three primary disadvantages: firstly, it is disliked by consumers because of the additional effort (friction) required; secondly, it ultimately only verifies the device, not the user; and thirdly, in combination with the second issue, it is a method that can be compromised by malware.

NIST recently made it clear that it does not support SMS-based authentication, while studies have shown that users are ready to accept biometrics.

Biometric authentication goes a long way to solving the problems with SMS-based authentication. In terms of ease-of-use, there is minimal user friction — the user does not have to remember anything nor enter an additional passcode via the keypad. In terms of security, properly functioning biometric authentication verifies the user and not just the device.

For now, the HSBC selfie is purely for opening new accounts, and clearly aimed at attracting new, young customers. It works with HSBC’s selfie mobile app available for both Android and iOS. The user must upload a photo ID document, such as a driver’s license or passport. The selfie is then compared to the verified photo image to confirm the identity of the user.

“Through simplifying the ID verification process, we’ll be able to save our business customers time and open accounts quicker,” said Richard Davies, HSBC’s Head of Global Propositions for Commercial Banking. “We also expect the convenience and speed of a ‘selfie’ to become the verification method of choice for our customers, who no longer need to visit a branch to complete the process.”

This same ease-of-use argument is being considered by the wider corporate community. Making authentication difficult for the user (for example, by insisting on frequently changed long and complex passwords) invites them to find insecure ways to simplify the process; or simply complain about the difficulties. While corporates have a history with their own employees and can include behavioral analysis to verify the user, banks have no such prior history with new customers. Straightforward biometrics is a useful solution — and since there is a necessary consent contract with opening a bank account, banks don’t have the privacy issues that could be involved with companies storing biometric records of their employees.

This doesn’t mean that facial biometrics are without problems. Historically they have been prone to false positives, depending on the angle of view and lighting. Repeated false positives would generate as much user friction as other methods of authentication, including visiting the local branch. We can assume that HSBC’s trials and studies have concluded that its expected false positive rate falls well within acceptable bounds.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
