BIOMETRIC BANKING: WILL SECURITY SELFIES REPLACE PASSWORDS? 

Xavier Larduinat, CITO Marketing Communications, Gemalto

Could the selfie replace the humble password in the near future? With biometric authentication technology developing rapidly and worldwide e-commerce trailblazer Amazon recently patenting its own ‘pay by selfie’ technology, banking could well be the next sector to follow suit.

The selfie payment is an easy and secure way in which customers can use selfies of their own face in order to quickly approve their mobile purchases from their smartphones. It’s a particularly interesting example, as it has immediately served to get the wider banking and payments industries talking about these technologies and having serious conversations about their potential applications.

Amazon proposes a two-step security selfie authentication system that requires the user’s smartphone to take two pictures to confirm his or her identity. The idea of the system is quite novel: the first picture will confirm the user’s identity, while the second picture will “prompt the user to perform certain actions, motions, or gestures, such as to smile, blink, or tilt his or her head”. It’s an inventive form of two-factor authentication, and of biometric technology, too, but will the humble selfie serve to keep consumers engaged in managing their digital security?

The limits of passwords

Passwords have increasingly come under fire from security experts in recent years, with consumers becoming ever more confused (and worryingly forgetful) while trying to remember multiple different and secure passwords for their bank, email or online shopping accounts (Top tip: don’t use “password” or “123456”!). There’s a growing realisation that the traditional password is becoming obsolete unless tied in with multiple layers of authentication.

As all of us move more of our social, work and personal lives online and into the cloud, the security danger is clear. One major data breach, such as the widely-publicised 2015 attack on dating site Ashley Madison or the 2012 LinkedIn password leak, which is still causing problems for users, can potentially give hackers users’ passwords that allow them to penetrate multiple services. And it’s general access to your online banking that most cyber criminals are after.

So the idea of doing away with passwords entirely, particularly for the banking industry, is gradually becoming more appealing. In fact, a recent MobeyForum survey revealed that the use of biometrics could be on the rise, as most banks intend to implement these controls in the near future – with handset manufacturers also planning on integrating these capabilities.

As companies and users become more familiar with biometric authentication methods, using unique aspects of an individual’s biological make-up to identify them can offer a much more secure and robust authentication method for businesses and consumers worldwide. What’s more, according to the report, biometric technology brings added value to other financial services, such as know-your-customer (KYC), e-contracting and insurance.

Many of us are already familiar with using fingerprint scanners on our phones, and iris scanners are becoming an increasingly common sight in today’s stringent airport security processes. Voice recognition will be increasingly used too, as well as innovative technology that can detect specific vein networks and heartbeats. So it is hardly a great stretch of the technological imagination to see businesses and customers adopting selfie-based authentication methods for banking, online retail and access to other services based on protected personal data.

Selfies: the most secure authenticator?

Thanks to the uniqueness of your face or fingerprint, it’s arguable that a selfie-based authentication method could well be far more secure than a password-based one. That’s because this type of unique biometric authentication trumps the easily hacked password, as it’s far more difficult for a hacker to ‘steal’, copy or replicate the complex architecture of your face, fingerprint, voice or pulse.

Biometrics will soon start to replace passwords for banks and other organisations because of their speed and accuracy. And those banks and businesses that are adopting biometric authentication initiatives must ensure they are implementing the appropriate security frameworks necessary, including ensuring everything is encrypted end-to-end, in order for devices like cameras, microphones and fingerprint sensors to be usable with secure apps.

Protecting biometric data is dependent on where it is stored. If it’s hosted on a phone, wearable or tablet device, it’s down to the manufacturer to ensure that the fingerprint or facial scan is encrypted within the device. For businesses that store this data on a server, such as military, government, border control, or general corporations, it’s again down to encryption, so that if a threat-actor gains access to the server via sophisticated methods, the data will still be unintelligible to them.

Organisations would also be well advised to follow Amazon’s lead in developing secure two-stage “pay by selfie” solutions, with the online retailer’s patent for a two-step system adding that necessary second stage of authentication for added security. It’s also highly likely that we will see selfie-authentication used in conjunction with behavioural biometrics (gestures, swipe and pattern predictions) as well as alongside more traditional methods such as passwords or other biometrics such as fingerprints.

The UI revolution

While the selfie certainly ties in with a much-loved pastime that’s completed on a smartphone, time will tell as to which method of biometric authentication will be most widely used. Sure, the smartphone is an integral part of everyday life today, but for some, paying by iris scan may be more convenient than using their fingerprint. When connected devices are no longer ‘in the palm of our hands’, other biometric authentication methods such as voice recognition will also have their part to play.

As we move toward the post-keyboard era, the real market driver will be convenience and even fun, rather than security. Each of the methods already mentioned is vastly more secure than passwords, so rather than this being the differentiator, we’ll see the preference for a particular user interface (UI) ultimately be the decider.

In the end, the use cases of biometrics will match our daily routine. Whether it be selfies, voices or fingerprints, authentication methods that span beyond the password will completely revolutionise the UI of various devices, as well as ensuring that our data is as secure as it can possibly be.

The standalone password’s days are certainly numbered. Whether it’s selfies, voice recognition or fingerprints, more sophisticated security solutions are emerging in a world of constantly evolving cyber threats, and we’ll have to wait to see which method consumers will embrace. While it might well seem like something of a strange novelty at first, biometric technology will soon become a commonplace and accepted aspect of our everyday security regimes.