Passwords are so “last century”. They have to go… so deal with it!
This is a guest post by Steve Cook, Director of Sales EMEA for Daon
Many of you feel very strongly about passwords, but the fact is … they have to go because of the large volume of hacks and frauds taking place, putting you and your money at risk!
It is true that strong passwords cannot be defeated, but the fact is that we very rarely use them. Companies or your employer insist on them, but in most cases we use the same ones time and again, and it is impossible for us to continue using this ancient format. We have to move on, and biometric technology allows us to do that.
The weakness in the chain is the human factor. Ask yourself, as an international global traveller, how many airline accounts do you have? The average is around six to eight accounts, all requiring different passwords for authentication. Yet I bet many of you use the same password, or a slight variation of it, in order to remember each one of them. Or, in case you can’t remember the last time you used American Airlines or British Airways, you ask for a password reset, which then makes your personal details extremely vulnerable to potential fraudsters, especially if there is malware on your device which you don’t know about! Why? Have you ever dealt with a cloned website, or what is known as an “Evil Twin” network? Yes, you think you are using the correct website when in fact it has been cloned. Then there are all those calls or emails you get from your bank saying your account has been compromised and that they therefore need to reset your password for you. It is a scam which many people fall for! First of all, your bank would never do that, yet people are lured into thinking their bank is protecting them when fraudsters are sitting behind those communications. It is so easy to believe that your bank cares about you so much that it personally calls you to change your password! Dream on!
Take Uber (the taxi booking app), for example. The press went mad, saying Uber had been hacked last year, when in fact fraudsters just used people’s passwords from other accounts and hit the Uber service with the same details. The fraudsters got in because people used the same passwords across many of their accounts. The weakness in the system is that humans cannot be relied upon to make strong passwords. We don’t seem to bother about security, then we complain when something happens. Many Uber customers got caught out, and it won’t be the last time unless we protect ourselves better! The average number of passwords we need to remember is around 20 per person, but we only use about 4-5 that we can remember regularly. Some people don’t even bother with that many.
There is a better solution to all this. Your body … it is a unique human characteristic! Your face, your voice, your iris, your palm and your fingerprints are all unique to you! These are known as your human biometrics.
Biometrics is now being used to access online and mobile apps and accounts. Your unique biometric authenticates you each and every time. Whether it’s selfie banking or going through airport security, your face or other biometrics are confirming who you are. Many airports have installed electronic gates with facial recognition. You just turn up with your boarding pass and walk through immigration. If you are a regular passenger, the system recognises you so that you don’t even need to swipe your passport! Simple, convenient and, what’s more, absolutely no hassle. Not a password in sight! So why do we need passwords for online or mobile services, when our bodies can perform the same tasks to identify us?
Of course, this all depends on the levels of risk, because biometrics is not an exact science. There are pros and cons with using this technology, such as poor lighting, which can possibly affect facial images. Photos can defeat some systems, noisy environments can affect voice systems and casts of fingerprints can bypass some Touch ID sensors. Yes, it is possible for some hackers to clone bits of you! However, more security features are being used in what they call “liveness” functionality. In order to prove you are who you say you are, various real-time events take place, such as random face or eye movements in the camera or reading out random numbers or phrases, as well as detecting which device you are using! Pattern behaviour is another form of liveness biometric test. These security functions are there to protect you, to prove you are alive and well and that someone is not impersonating you. Using two or more real-time biometrics, for example, can also properly validate you! Fraudsters can’t be bothered to take on these challenges if it is too much hassle and will likely go for easier targets, such as sites that use your user name and passwords. Many people fear that biometrics can be compromised too. Once gone, they are lost forever, but this is simply not true. Biometric data, if encrypted properly, cannot be hacked. It is just useless data to any fraudster!
One of the main areas where biometrics will replace passwords is mobile banking. The latest data from Goode Intelligence indicates that currently there are at least 120 million customers using mobile biometrics on a daily basis for their financial transactions. The forecast shows there will be 16 billion mobile biometric payment transactions this year, and by 2020, the number of FinServ consumers using biometrics to authenticate payments via mobile devices will skyrocket to 1.1 billion.
The move to establish identity based on what you have (i.e. your face, voice, iris, fingerprint) rather than what you know (codes and passwords) is what makes biometrics a worthy substitute for passwords. The biometrics market is expected to expand to $44 billion by 2021 globally. The demand that was driven by law enforcement, border control and governments to issue IDs is now going mainstream and entering the consumer domain, where Touch IDs and facial recognition tools are already being used for logins.
Pioneering these efforts is the financial services industry. Last year saw JPMorgan Chase integrate Touch ID into their mobile banking app for a seamless customer login that eliminates typing in a password. Similarly, MasterCard announced a “Pay By Selfie” feature that will make it possible for merchants to verify the identity of a shopper by looking at a photo of their face. One of the first mobile services to offer biometric log-ins was USAA, which has over 1m customers using either their face, voice or fingerprints. This year, we will also see challenger banks such as ATOM launch in the UK. Every new ATOM customer will set up and enrol using their own biometric profile! Clearly, this is the future in replacing passwords for many banks and financial services providers.
In Europe, there is also new regulation in the form of the EU Payment Services Directive 2 (PSD2), which will be a key driver for many financial institutions to adopt biometrics as “something you are” under the SCA (Secure Customer Authentication) guidelines. This new EU directive became law on 13th January 2016, so organisations have just two years to fully implement it. The fines for not doing so are huge!
Yes folks, online or mobile banking as well as retail shopping will never be the same again! So we had better get used to it! This is the biometrics age!
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are those of the author, and don’t necessarily reflect the views of BiometricUpdate.com.