This article is provided by Alan Goode, Managing Director, Goode Intelligence, UK.
It may be convenient to use an OTP hardware token for internet banking at home using a desktop, but what about checking bank balances on-the-go with a smartphone?
Driven by the need to replace clunky single-factor (PINs and passwords) and inappropriate two-factor authentication solutions with faster, more convenient authentication, mobile biometric authentication systems (MBAS) were one of last year’s biggest technology stories.
Fingerprint biometrics drive an initial wave
The two biggest MBAS deployments to date have been powered by embedded fingerprint sensors, with Apple’s Touch ID and Samsung’s swipe fingerprint equivalent propelling simple-to-use biometric authentication to the masses.
Mobile payments have also been one of the key drivers for the growth and acceptance of mobile fingerprint authentication solutions, with Apple Pay using Touch ID and FIDO-ready implementations emerging on Android (PayPal and Alipay).
Both solutions have a user-centric trust and privacy model, where the owner of the device enrols their own biometric (in this case a fingerprint) and the biometric template never leaves the device (stored in secure tamper-resistant hardware that is akin to the security found in payment smart cards).
Payments have been a big initial driver for mobile biometrics and the use of biometrics for speedy user authentication has potential in a number of scenarios outside of smart mobile devices, including:
Biometric smart cards – Adding speedy user authentication at the physical point-of-sale (POS) for contactless payment cards removes the issue of proving identity for high-value transactions in a physical store, and without the burden of inputting a PIN. Zwipe’s pilots with MasterCard will provide interesting data on the viability of this technology.
Smart Wearable Devices (SWD) – Wearable authentication is potentially even more convenient than mobile devices (for physical retailers, payment speed can be important). With the combination of short-range radio (NFC and Bluetooth Low Energy) beacons, a consumer may not even have to walk up to a POS device. Biometric technologies that are suitable for wearable authentication include fingerprint and some emerging modalities including heartbeat.
There is also a possibility that behavioral analytics will in future leverage the biometric data being generated by lifestyle and fitness wearable devices. Companies such as BehavioSec are using behavioral data generated by a user’s interaction with a smartphone, and it may be possible to use the biometric data generated by standard consumer devices.
Touch ID drives adoption
Apple’s decision to open up the Touch ID fingerprint system to third parties with the introduction of iOS 8 has led to a proliferation of third-party service providers integrating fingerprint biometric authentication into their mobile apps.
Payments and financial services have led the way, but there has also been activity from other sectors including healthcare with drchrono, file storage and exchange (Dropbox and Box), authentication (Encap Security and Nok Nok Labs), and password management (LastPass).
What will happen in 2015?
2015 will see a continuation of these trends with more smart mobile devices supporting biometric technology. There will be more devices with fingerprint sensors, including smartphones, tablets, smart cards and some wearables.
There will also be a move into enterprise driven by the integration of multi-modal biometric authentication into multi-factor authentication platforms. A great example of this is Daon’s IdentityX Authenticator and InfinityX Platform, which support a variety of biometric modalities in addition to mobile-based authentication factors commonly used by organisations, including support for One-Time-Passwords (OTP). Expect more of the larger authentication providers to follow suit by integrating biometric technology into their platforms, with deployment by enterprises to follow swiftly.
Other biometric modalities will join fingerprint as popular biometric technologies on smart mobile devices. Multiple modalities will complement each other to enhance security and to provide choice to match context and environment.
For instance, a crowded airport lounge may not be an ideal environment for voice, and a very bright sunny day may hamper technologies that utilise the camera (eye and facial recognition for instance). Solutions will also combine more than one biometric modality to enhance security and deter spoofing attacks. Combining voice with facial recognition, as Sensory Inc. have done with their Truly Secure app, adds an element of liveness detection to the technology.
There is evidence of a movement away from the pilot and proof-of-concept towards live deployment; USAA announced in January that it has implemented a multi-modal biometric authentication solution combining voice and facial recognition in a mobile app that it is rolling out to its members. USAA members are given a choice between using either their voice or their face for user authentication.
Behavioral biometrics on mobile devices will start to become a more important modality because this modality can provide continuous authentication while a person is naturally using their device.
By analysing how a person uses their device (touch and movement), companies such as BehavioSec provide a very accurate method of proving identity. The technology can also be combined with other biometric modalities and authentication factors to create an authentication risk score that has the ability to reduce fraud. Its ability to integrate into fraud and risk management solutions makes it an ideal technology for financial services.
Biometric authentication on mobile devices has been one of the fastest growth areas in technology since Apple first pushed out Touch ID on the Apple iPhone 5s in September 2013. Other mobile OEMs, including Samsung, HTC, Xiaomi and Huawei have all followed Apple by releasing flagship mobile devices with embedded fingerprint sensors.
As a result of this trend, there are now an estimated 250 million fingerprint biometric-enabled smart mobile devices in the hands of users around the world. This trend will accelerate during 2015 and the rush to deploy biometrics to smart mobile devices will be joined by a similar trend for SWD.
Goode Intelligence forecasts that during 2015, over 150 million smart wearable devices will ship, and approximately one fifth of these will support biometric authentication, enabling these very personal devices to be used for a wide range of identity-based services.
The Nymi band is a good example of what can be achieved with wearable devices. This wearable band developed by Canadian-based Nymi (originally called Bionym) is currently being sent out to developers to create applications based on its unique ‘HeartID’ ECG biometric technology. Nymi are also involved in pilots with MasterCard to trial heartbeat biometric-enabled wearable payments. It is not the physical band that is important here, but the technology that underpins it.
The smartphone has created a multi-purpose mobile computer, packed with sensors and multiple network protocols. The smartphone disrupts sole-use devices, and the strength of Nymi is to prove a new biometric modality that is worn close to the skin and can be leveraged for a variety of physical and logical identity assertion scenarios.
It is quite probable that Nymi technology will find its way into the second or third generation of wearable devices, from smart watches to fitness bands, and will coexist with other biometric-capturing technology to create true continuous human authentication that can open physical and virtual doors with the flick of the wrist.
It could even be possible to leverage the built-in biometric capabilities of standard fitness bands for identity purposes. Biometric data is uniquely tied to an individual, and behavioral analytics could be used to create unique characteristics about the owner of a fitness band that could be used for authentication and identity purposes.
Is mobile identity a reality?
2014 was an eventful year for mobile biometric authentication, and 2015 promises to continue its meteoric rise with fresh impetus from wearable technology. The question is whether the identity industry can emulate authentication’s success and leverage the mobile and wearable ecosystem. Will state-issued identity and employer-issued physical access identity credentials follow suit and move to mobile and wearable devices and adopt biometric technology to replace PINs and passwords?
There are signs that the identity industry is seriously considering utilising the mobile biometric ecosystem. Companies such as HID Global and MorphoTrust have already developed solutions that leverage the combination of mobile and biometrics for identity solutions.
MorphoTrust is working with Iowa State on porting driver’s licenses to mobile devices. Initially, it will not replace a laminated driver’s license, but will be used as a kind of identity assurance token (quick checks by law enforcement officers who can validate the license and the license owner) – expect more of these projects and pilots to occur throughout 2015. However, do not expect to see the replacement of card and paper credentials for government-issued identity (passports, national IDs and driver’s licenses) in the short-term future. When it does come, look at a long implementation cycle, with the roll-out of machine-readable zone (MRZ) in passports as an example.
However, there will be a proliferation of ‘companion apps’ that could be used in a variety of scenarios that enhance the identity experience and attempt to bridge the gap between physical and virtual.
There is probably more mileage in the physical access control (PAC) industry, where the ecosystem is ready to see corporate badges replaced by smartphones and wearable devices. The development of biometric-enabled smartcards also provides an alternative method of providing stronger security for card-based PAC deployments; a badge found in the street or stolen from a handbag cannot be used to access a building, because the card will not work without the authorised fingerprint.
There are definite synergies between the authentication and identity industries that can benefit both industries and eventually see citizens and employees wearing their identities.