The latest news from RBS and NatWest spells great news for the mobile banking industry. Stephen Keenan comments
Banks drive industry security with mobile phone biometrics
The news that RBS and NatWest are introducing fingerprint authentication to their mobile banking offerings was a monumental step forward for the industry in improving the online security of its services.
Lost and stolen passwords remain the single biggest way systems are compromised. According to the Verizon 2014 Data Breach Investigations Report, two out of three data breaches are attributable to lost or stolen user names and passwords, or both. We continue to see user names and passwords fail as a secure way to log in, no matter how complex the password.
Biometrics offers a great alternative to authenticate individuals. The reasoning is simple: everyone has a unique biological identity, so apply it to cyberspace to establish trust. Fingerprint biometrics usually afford the easiest user interface – simply place your index finger or thumb on a reader.
Historically, the primary challenge with tying a biometric to a cyber-identity has been the cost associated with the additional ‘read’ device; especially on the scale that would be needed to equip all of a bank’s online and mobile banking customers.
However, the evolution of smart devices and systems like Apple’s Touch ID has significantly reduced this barrier. Consumers can now use a device they already have to perform the biometric reading. However, biometrics should not be used in isolation. They should instead contribute to what’s called a "multifactor" authentication scheme, which can vastly improve identity proofing by pairing "something you know", such as a username and password combination, with "something you are", making it much more difficult for a criminal to appropriate.
Here, the user would use a username/password/PIN combination and then be asked to use a biometric, such as a fingerprint. If the authentication fails to establish trust using this combination, the user would be asked to authenticate utilising a previously registered second form factor. This could be the person’s mobile device with a securely loaded one-time password generator. Indeed, many banks have already rolled out this form of authentication.
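The flow described above can be sketched as follows. This is an added example, not code from the article or from any bank: the function names are hypothetical, and it assumes the one-time password generator is RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), which the article does not specify.

```python
import hashlib
import hmac
import struct

# Constructed sample: the published RFC 6238 test key, not a real credential.
SAMPLE_SECRET = b"12345678901234567890"

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_otp(secret: bytes, submitted: str, at: float,
               window: int = 1, step: int = 30) -> bool:
    """Accept the current code and `window` adjacent steps (clock drift)."""
    ok = False
    for drift in range(-window, window + 1):
        t = at + drift * step
        if t < 0:
            continue
        expected = totp(secret, t, step).encode()
        # Constant-time comparison; check every step so that timing does
        # not reveal which step matched.
        ok |= hmac.compare_digest(expected, submitted.encode())
    return ok

def authenticate(password_ok: bool, biometric_ok: bool,
                 otp: "str | None", secret: bytes, at: float) -> str:
    """Hypothetical decision logic for the flow in the text (an assumption)."""
    if not password_ok:          # "something you know" must always pass
        return "deny"
    if biometric_ok:             # "something you are" establishes trust
        return "grant"
    # Biometric failed: fall back to the previously registered second factor.
    if otp is not None and verify_otp(secret, otp, at):
        return "grant-via-otp"
    return "deny"
```

A failed or missing biometric never grants access on the password alone; the fallback replaces the second factor rather than removing it.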
There are several other technologies becoming reliable enough to be viable alternatives, such as asking for a passphrase, essentially establishing a question and corresponding challenge response. The software verifies the accuracy of the answer, as well as determining the speed between each letter being typed, and other variables. The more the user interacts with the biometric system, the more accurate it becomes. Another method is utilising an individual’s cognitive abilities, for example, presenting a set of pictures and asking the user to choose the combination that only they would know. Whichever way the industry moves next, this news is an important step in the journey to strengthening online identity and authentication in the banking industry.