By Philip Dunkelberger, President and CEO, Nok Nok Labs. Prepared for Global Banking and Finance Review, May 2016.
The bulk of today’s consumers have reached a level of comfort when it comes to storing and accessing their banking information online. Connected mobile devices are commonplace and consumers no longer think twice about making payments, checking bank accounts, trading stocks and performing a multitude of other transactions with their devices.
FinTech innovation with new forms of banking and payments is increasing, and transactions that would previously have taken place in other domains are now moving to mobile – largely a result of comparative convenience and ease of use, as well as the backing of players such as Apple, Samsung and leading financial institutions around the world.
While online applications are protected by a combination of usernames and passwords, this traditional method of authentication has taken a big hit over the last few years from both a usability and a security perspective. While usernames and passwords might be manageable on a desktop computer, fumbling to enter them on a mobile device results in a poor user experience that holds up business.
In terms of security, recent data breaches have resulted in the exposure and subsequent online dumping of millions of online credentials that are now for sale on the dark web. Password reuse means that your password security may only be as good as the weakest site on the web. Similarly, multiple studies have found consumers selecting weak, easy-to-guess passwords such as ‘12345’ or ‘password’. In short, authentication is no longer as simple, secure and convenient for the user, and we need to rethink current methods to keep consumers secure, as more of our daily tasks are carried out online.
Innovations in biometrics offer a way to step beyond the usability and security limitations inherent in the username/password approach. Biometrics, the use of a distinct body attribute such as a fingerprint, voice or heart rate, provide a compelling way to prove one’s identity. The advantage is simple – biometrics are easy to use, don’t have to be remembered, and can provide superior security. Fingerprint sensors have become standard fare across most smartphone devices. Earlier this year, Amazon, MasterCard and HSBC hit headlines with their plans to use photos or videos of a user’s face as a way to approve their online purchases, dubbed ‘selfie pay’. Because biometric data is unique and intrinsic to an individual, it is particularly sensitive, and efforts must be made to keep this data secure and to avoid having it become a lucrative and worrying new currency for cybercriminals.
We have already seen incidents of large-scale breaches of biometric data. At the end of last year, the US Federal Government Office of Personnel Management (OPM) revealed that it had suffered a breach that included more than 5.6 million sets of fingerprints at all levels of sensitivity from US federal employees, contractors, and other subjects of federal background checks. In the Philippines, personal data of up to 55 million voters was lost in a cyber-attack on the Philippine Commission on Elections, and the data included more than 15.8 million fingerprint records. The lesson is clear: if organisations continue to build large databases of biometric information, we will likely see further breaches. Canada and the EU strongly advise against the storage of biometrics on large databases unless absolutely necessary, for this very reason.
As a result of its uniqueness and how intrinsic it is to a specific person, biometric data is generally considered extremely sensitive personal data, so organisations must now urgently assess ways in which to keep it secure, as well as the global privacy implications of processing it. While some jurisdictions have specifically called out biometric data in privacy legislation, most countries do not yet have specific laws addressing its collection and use.
There are two ways to match biometric data. The first involves comparing an individual’s biometric data against a database of biometric information to find a match. This is known as ‘one to many’ or server-side biometric matching. The second involves comparing an individual’s biometric data against a single biometric identifier – perhaps a fingerprint, voice sample or face scan – that is stored on a single device. This is known as ‘one to one’ or device-side biometric matching.
Device-side biometric matching eliminates the need for large repositories of biometric information, as well as the need to transfer data from the device to a remote database, which could impact compliance with laws governing cross-border transfers of biometric data. Avoiding the retention of biometric data eliminates the need to hold data that could be an appealing target for hackers. Since each device retains its user’s biometric data, any hacker would need to target each individual device rather than execute a scalable attack against a large repository of information – a rather unappealing prospect for cybercriminals.
Unsurprisingly, this authentication process is fast becoming standardised through the likes of the FIDO (Fast IDentity Online) Alliance, which has a rapidly growing base of member companies across an ecosystem that includes biometric authenticator vendors, device makers and deploying organisations including leading financial institutions. When one considers how to deliver the convenience and ease-of-use provided by biometrics, device-side biometric matching provides privacy advantages that make it the strongest option from a global privacy perspective, affording consumers more control over their personal data while enabling financial institutions to minimise their security exposure.