Biometric authentication, such as retina scans, fingerprint scans and voice recognition, holds a lot of promise for identity and access management. Industry analysts laud the new technology and jostle to take the stand as the authority on the subject.
“Secondary authentication like facial recognition or biometric retina-vein recognition to authorise a higher value transaction… can revolutionise fraud management,” said Andras Cser, VP principal analyst at Forrester, in April 2013.
His peers at Gartner agree. Jackie Fenn, vice-president and Gartner Fellow Emeritus, and Hung LeHong, research vice president, said in a research note: “Biometric authentication will enable a near-cashless world scenario.” In May 2013, Ant Allan, research vice president, was similarly excited but more cautious, saying biometric authentication methods, “promise better accountability and superior user experience, yet remain a niche choice.”
But read between the lines. All of these analysts are making predictions. They are talking about the future. No-one is recommending using biometric authentication now. It simply isn’t ready.
The gold standard for any authentication method is at least 99.9 per cent reliability. Chip and PIN has it. Typing a preloaded passcode from a mobile phone has it. Biometric authentication, as yet, does not: depending on the level of security demanded, it verifies the genuine user somewhere between 40 and 95 per cent of the time, and the 95 per cent figure is only reached at the low-security end. The two move together because a matching threshold lenient enough to let genuine users through reliably also lets more impostors through; tighten it to keep impostors out and genuine users start being rejected.
Two major companies in the high-risk fields of payments and banking, PayPal and Barclays, have begun trials of biometric authentication. PayPal’s system in 12 Richmond stores is the first in the UK to use a customer’s photo to authorise payments. The app for iOS, Windows and Android phones lists nearby shops and restaurants that accept PayPal; the customer checks in by tapping the retailer and sliding an animated pin down the screen. The customer’s name and photo then appear on the shop’s payment system and the retailer takes payment by clicking on the customer’s image.
Meanwhile, Barclays’ Wealth & Investment Management division is trialling voice recognition with a portion of its customers. The system requires the customer to engage in “natural” speech with a call-centre agent for 20-30 seconds until a computer can match the caller’s voice against the voiceprint held on file for that customer. According to the bank, around 95 per cent of customers are verified on the first call; the remaining 5 per cent fall back to the usual round of security questions about their first pet, best friend at school and so on, so for them voice recognition only lengthens an already lengthy process.
Using face or voice recognition to authenticate quick and convenient transactions in shops, cafes and banks seems ideal in our ever-busy lives. However, in both cases there are risks that drag the reliability of the methods below the crucial 99.9 per cent line.
In the case of face/photo recognition, completion of the transaction relies on the shop assistant comparing the customer’s face with the stored photo, which is subject to human error, although a human checker is still far more reliable than an automated one. Where the process is automated, documented failures seem to outnumber successes, from phone apps amusingly recognising distorted knees and other body parts as faces to the system used by the US Government, which cost millions of dollars but failed to pick out the Boston bombers.
Voice recognition is not new but, like face recognition, is still in its infancy. We are not yet at the stage where computers can reliably recognise what we are saying, let alone who is saying it. The 99.9 per cent reliability is at least a decade away.
On the social side, people are wary of authentication methods that involve their own body parts, perhaps as a result of James Bond-esque films in which a villain who wants someone’s fingerprint simply takes the whole finger. There is also a plainer objection: a fingerprint or a voice is not a secret and cannot be changed, so once a copy has been captured it is compromised for good, whereas a PIN or passcode can be reissued. It is difficult to imagine a day when the public would be happy to put themselves in this position for the sake of their job.
The foundation of secure authentication is the identity of the user – the real user must match the digital representation of the user; essentially, the right person needs to be accessing the right digital information. Two-factor authentication using mobile phones to authenticate processes such as payments and banking remains the way forward.
This uses two factors: first, something we have, a mobile device; second, something we know, a PIN. The mobile phone replaces a card reader and smart card, which are easy to misplace and less likely to be carried at all times. Using technology within a device the individual already owns, such as preloaded SMS or a soft-token app on the mobile phone, is a more secure and cost-effective method for organisations. It has a higher reliability rate and is far less prone to faults or to replication by attackers trying to access an individual’s details.
SMS turns any mobile into an authentication device without extra hardware and is currently the most practical and effective solution available. Combining this with end-user choice between an app and SecurEnvoy’s patented preloaded SMS, depending on convenience, means the user is in control and reduces the load on the help desk. The result is a solution as hassle-free as a password but with a second factor behind it.
By contrast, face and voice recognition are only just learning to stand without falling over. We know not to run before we can walk, but first we have to stand firm, and two-factor authentication currently stands on the firmest ground there is.