December 18, 2013
Widespread exposure of the new Apple iPhone and its new biometric feature has certainly caused a stir. Much of the commentary has focused on whether its biometric fingerprint scanner is ultimately secure or hackable. But haven’t the commentators missed the point?
The innovative means by which users have attempted to overcome the biometric check are certainly worth a read. For example, Germany’s Chaos Computer Club claimed to have found a method in which they take a fingerprint of the user, photographed from a glass surface, and then create a ‘fake fingerprint’ which could be put onto a thin film and used with a real finger to spoof the TouchID sensor. Many have read such stories and presumed that this is the perfect example of why biometric technology doesn’t stand up to attack by fraudsters. This view appears flawed.
The use of the fingerprint scanner for the iPhone is ideal as an improvement for user experience, and Apple is clearly concerned about ease of use rather than secure access. Yet this detail has been overlooked, and the feature now appears to be judged purely from a security perspective. Ultimately the key to using biometrics is to apply them in a way that is appropriate to the context. When used for security-driven purposes, in financial services for example, a biometric is really effective when used as part of a ‘multi-factor’ approach to authenticating a user.
For the iPhone scenario, the static biometric use with the finger scanner is perfectly workable, yet when we move into the financial services sector, in which risk levels are increased, a dynamic biometric needs to be used, which is more difficult to hack and therefore provides a stronger form of authentication. To take this a step further, if we integrate a dynamic biometric as part of a larger ‘multi-factor’ system, a much more refined approach to strong authentication is possible.
Using additional factors reduces the chances of legitimate customers being denied access; the weakness of traditional biometrics in pure isolation is that they provide solely binary results. The financial services industry is leading the way in using biometrics as part of a multi-factor approach. Opus recently highlighted in its latest report a multi-factor authentication model that uses voice and provides all the innovation that biometrics offers, yet provides other factors at the same time.
The key to the multi-factor approach is to use a solution that is secure yet flexible, in which different layers of security can be invoked depending on the channel or device in question. For instance, a high-value mobile payment may require all factors in the solution to be used, whereas a low-value activity may need only simple 2-factor authentication. Security is certainly important, yet this needs to be matched with an effective user experience if biometrics is going to succeed.
Biometrics on their own will never provide a security panacea, regardless of whether they are used by consumers, in large enterprises or to secure transactions. When considering the launch of new biometrics, the industry must provide a complete overall solution that utilises context and applies the biometric accordingly. Once this approach is achieved, biometrics, and voice biometrics in particular, will really start to prove successful.