The acceptance and adoption of biometrics as a primary or second factor in multi-factor authentication has been considerably slower than expected. There are signs now, however, that it is finally gathering pace. Apple has long included TouchID with the iPhone, and has now added FaceID to the new iPhone X. It is particularly strong in the financial sector: HSBC and MasterCard allow selfies; Barclays allows voice authentication; and the Bank of Montreal allows selfies or fingerprints.
Now, payment giant Visa has announced the launch of a new platform, Visa ID Intelligence. It will allow Visa card issuers, acquirers and merchants to adopt new biometric methods of their own preference. Users are becoming more comfortable with using biometrics; but the technology is not without critics.
Passwords alone are no longer considered adequate: they are too easily stolen or guessed. Furthermore, they do not prove the identity of the user, only ownership of the password. One-time passwords sent to the user via a separate channel are more secure, but very inconvenient with a high friction factor for the user.
Biometrics solve many of these problems: they prove identity and have a very low user friction factor — but they can still be stolen if stored in an external database. “Traditional methods for authenticating a customer can create frustration or are simply not designed for the new ways people are shopping and paying,” explained Mark Nelsen, senior vice president of risk and authentication products at Visa. “We built Visa ID Intelligence to help accelerate smarter and easy-to-use authentication solutions for any commerce environment — to better protect against fraud and to move closer to a world without passwords.”
The platform currently has two features: ID documents and biometrics. The document side can prove identity by matching a ‘selfie’ to a photo ID (such as a driver’s license, a passport or a military ID). The purpose is to allow financial institutions to make faster and smarter decisions. Uses include creating new accounts, requesting and issuing replacement cards, and an alternative to support calls for password resets.
The biometrics feature allows Visa’s clients to choose and use biometric authentication such as eyes, face, voice or fingerprints for consumer authentication. The intention is to increase speed and reduce user friction while improving security.
Visa ID Intelligence is currently partnering with Daon, a privately held biometric software firm. “Visa ID Intelligence is revolutionary in both scope and implementation, and will benefit consumers who are growing more and more frustrated by an antiquated password system,” said Tom Grissen, CEO, Daon. “Visa understands it is critical to provide both security and convenience, and that’s what Daon delivers through our proven biometrics platform, IdentityX.”
However, not all security experts are completely happy with biometrics as a form of authentication. One problem is that they may not be as secure as we are told. “The security and reliability of biometric authentication,” Tom Van de Wiele, F-Secure’s principal security consultant, told SecurityWeek, “has been overplayed by industry for quite some time.” One concern is that all biometrics can be spoofed.
“Biometric authentication as part of the ‘something you are’ property of access control,” he said, “can be used against you. For example, asleep on the plane someone can re-use your finger; your picture might be taken from Facebook and used against a facial recognition technology; and your voice can be recorded from any source the attacker has access to.” His concern is that biometrics (something you are) still needs to be supported by a PIN or password (something you know).
Van de Wiele points to a further problem with biometrics. Biometrics shifts the burden of security onto the user. It is “asking the customer to keep their iris/fingerprints/voice safe and that is not something people care about or even think about.”
Another problem is persistence. “Biometric data, unlike a username or password, is persistent: we carry it with us for life,” explains Kaspersky Lab’s principal security researcher, David Emm. “There’s one major downside to its use – stored by a service provider, biometric data is just as valuable as a database containing usernames and passwords. However, any security breach resulting in leakage of this information is likely to have much more serious consequences than the theft of a password: after all, we can change a weak password, but we can’t change a compromised fingerprint, iris scan or other biometric.”
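Two of the points above, Van de Wiele’s that a biometric still needs a PIN or password behind it, and Emm’s that a stored biometric is as valuable as a password database yet cannot be changed, come down to one technical difference: a password is an exact-match secret, so a service can store only a salted one-way hash of it and let the user replace it; a biometric never reads the same twice, so the service has to keep something it can compare by similarity. The following Python is an added illustration written for this article, not code from Visa, Daon or any vendor named here. The 256-bit “template”, the Hamming-distance match and the 15% threshold are constructed toy values, not any real biometric algorithm.

```python
import hashlib
import hmac
import os
import random
from typing import Optional, Tuple

# --- Knowledge factor: exact-match secret, so it can be stored as a salted one-way hash ---

PBKDF2_ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256.
    If the digest leaks, the user simply picks a new password and this record is replaced."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# --- Biometric factor: every capture differs slightly, so matching is by similarity, not equality ---
# A template is modelled as a 256-bit vector (constructed toy data, not a real biometric encoding).

TEMPLATE_BITS = 256
MATCH_THRESHOLD = 0.15  # max fraction of differing bits still accepted as the same person (toy value)

def capture(enrolled: int, noise_bits: int, rng: random.Random) -> int:
    """Simulate a fresh sensor read: the enrolled template with noise_bits distinct bits flipped."""
    sample = enrolled
    for pos in rng.sample(range(TEMPLATE_BITS), noise_bits):
        sample ^= 1 << pos
    return sample

def hamming_fraction(a: int, b: int) -> float:
    """Fraction of the 256 bit positions at which the two templates differ."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS

def biometric_matches(stored_template: int, sample: int) -> bool:
    """The server must hold the matchable template itself; this is what makes the store valuable."""
    return hamming_fraction(stored_template, sample) <= MATCH_THRESHOLD

def hashing_a_biometric_fails(enrolled: int, sample: int) -> bool:
    """Why a plain one-way hash does not work for biometrics: a noisy but genuine sample
    hashes to a completely different value, so hash equality would reject the real user."""
    def h(v: int) -> bytes:
        return hashlib.sha256(v.to_bytes(TEMPLATE_BITS // 8, "big")).digest()
    return h(enrolled) != h(sample)

# --- Policy: the biometric is one factor; it is never accepted on its own ---

def authenticate(pin_ok: bool, bio_ok: bool) -> bool:
    """'Something you are' must be paired with 'something you know'."""
    return pin_ok and bio_ok

def demo(seed: int = 7) -> dict:
    """Run the whole picture on constructed data and return the outcomes."""
    rng = random.Random(seed)
    enrolled = rng.getrandbits(TEMPLATE_BITS)
    genuine = capture(enrolled, noise_bits=20, rng=rng)   # same person, ~8% of bits differ
    impostor = rng.getrandbits(TEMPLATE_BITS)             # unrelated template, ~50% of bits differ
    salt, digest = hash_password("correct horse")
    return {
        "genuine_matches": biometric_matches(enrolled, genuine),
        "impostor_matches": biometric_matches(enrolled, impostor),
        "hash_of_noisy_sample_differs": hashing_a_biometric_fails(enrolled, genuine),
        "bio_only_accepted": authenticate(pin_ok=False, bio_ok=True),
        "pin_and_bio_accepted": authenticate(verify_password("correct horse", salt, digest), True),
        "wrong_pin_rejected": authenticate(verify_password("wrong", salt, digest), True),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast in `demo()` is the whole argument: the password record can be a hash that is useless on its own and replaceable at will, whereas the biometric record has to stay matchable, which is why a breach of it has the persistent consequences Emm describes, and why the policy function refuses to treat it as sufficient by itself.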
The recent Equifax breach illustrates the cybersecurity quandary. Although the primary cause of the breach is linked to a failure to adequately patch a vulnerable system, Comodo subsequently reported, “From third-party (non-company system) sources, we uncovered that Equifax’s chief privacy officer, CIO, VP of PR and VP of Sales, used all lowercase letters, no special symbols, and easily guessable words like spouses’ names, city names, and even combinations of initials and birth year. This reveals that they didn’t follow basic security best practices and were lacking a complex password requirement.”
This demonstrates the weakness in password authentication — but it also demonstrates its primary strength. If those executives were aware that their passwords had been stolen, they could very easily change them. However, the danger in the data stolen from Equifax is primarily in the persistence of the data: birthdates, Social Security numbers, addresses, last names. None of these are easily changed, and criminals can use them as part of identity theft for many years to come. The same applies to biometrics.
The bottom line is that financial institutions need to be easier to use than their competitors or lose customers to those competitors. “The trade-off is between security and usability, and this is a hard choice,” says Van de Wiele.