Blog: Goodbye Passwords, Hello Biometrics
By George Avetisov, HYPR Corp.
Consumers are embracing the ability to shop anywhere, at any time, from any mobile device. The Goldman Sachs Group Inc. estimates that mobile commerce sales for 2018 will reach $626 billion, up from $298 billion today. That’s a more than 100 percent increase within three years.
It’s unsurprising, then, that mobile wallets also are gaining steam. Although the technology has been around for some time, Apple Pay re-ignited the conversation last year, as eWallet, Gyft and others bid for market share. Google is trying again after a tepid response to Google Wallet, with last month’s announcement of Android Pay. And Samsung isn’t far behind. The “Global Mobile Wallet Market 2015-2019” report forecasts that the use of mobile wallets will grow at a CAGR of 36.8 percent through 2019.
Consumers and merchants aren’t the only ones interested in mobile wallets’ appeal—so are cybercriminals. Fraudsters unceasingly update their attack methods and exploit every vulnerability they can find. The newer and more untested the technology, the greater its potential vulnerability.
Ongoing Authentication Difficulties
The need for greater security has become a priority, especially in light of the increasing number of calamitous data breaches worldwide. However, organizations repeatedly fail to secure data as it transitions to the cloud. The complexity of mobile payment types should compel all stakeholders to focus on security. But as vendors—or relying partners, as they are called—rush mobile wallets to market, absent industry standards, there’s no guarantee that security best practices are being implemented. A big part of the problem, when it comes to mobile wallets, is how some of the providers are enabling partnering banks to authenticate users.
It’s always been a struggle to authenticate users, and it’s becoming increasingly difficult. Authentication in the age of the Internet of Things, BYOD (bring your own device) and cloud services introduces challenges not addressed by usernames, passwords or tokens. As consumer demand for remote login and flexibility continues to rise, organizations are struggling to find and deploy authentication methods that are effective, easy to use, impervious to theft and scalable. The reality is that some financial services organizations prioritize the “easy to use” qualifier and let cardholders simply telephone a call center for authentication. The problem with this is that fraudsters buy stolen consumer identities together with credit card information, add that information to a mobile wallet and then convince the call center staff that they are indeed the legitimate user. Although there are checks in place to prevent fraud, it becomes much easier to pull the wool over staff’s eyes when you have more than just a credit card number.
Why Go Past Passwords?
The desire for expediency also is the Achilles’ heel behind using usernames and passwords or PINs for authenticating access to digital assets, including mobile wallets. That’s because most of the time, in lieu of strong passwords, users choose easy-to-recall simple passwords and reuse them for all of their applications. With the rise of mobile computing, inputting complex passwords is onerous and often results in users choosing easy-to-type passwords that fraudsters find easy to guess.
Two-factor authentication (2FA) software-based solutions, such as time-based software token applications and SMS codes, have gained some traction, but they have been shown to be vulnerable to the malware attacks that plague many user devices. Such 2FA schemes fail to address the security problem they’re trying to overcome because they perform authentication on the device itself, which is still susceptible to the same attack vectors as passwords.
The Biometric Option
Once the stuff of science fiction or spy thrillers and relegated to central booking and border access, on-device biometrics are becoming commonplace. Late-model Apple and Samsung mobile phones—as well as modern computers—have integrated biometric sensors, most often a fingerprint reader. These devices also include a trusted platform module (TPM) or trusted execution environment (TEE) that handles the verification of biometric information separately from the device’s main operating system, which is susceptible to malware.
Until recently, biometrics remained outside the consumer realm because earlier mobile devices, however convenient to use, were not powerful enough to evaluate biometric information easily. Equipped with biometric sensors, these new devices have the ability to change the way users authenticate to services they use every day, such as email, social media and banking. More importantly, with such devices now widely available, the platforms providing these services have a major incentive to make biometrics-based authentication available.
The genius of biometrics is that each person possesses and employs a wholly unique physical signature. However, mobile wallet providers and financial services providers must exercise caution, as using biometrics is not a panacea for the security problem. Organizations should implement a security program that uses biometrics as one tool for proving user identity and ensures that sensitive data is only accessible by the individual to whom it biologically belongs. This means TPMs and TEEs are where a person’s unique biometric signature should be stored. Other security tools should include robust encryption and tokenization schemes.
Strong and Scalable Security
Cybercriminals are lurking everywhere, eager to exploit poor security standards as well as users’ good nature and lax password usage. 2FA solutions have exploitable issues of their own, and hardware tokens don’t pass the ease and convenience criteria consumers demand. As on-device biometrics gain traction, though, this part of authentication is proving to be a strong and conclusive component of a well-rounded security strategy.
George Avetisov is the CEO of HYPR Corp., a biometrics security platform provider. A former Webmaster, George has been interested in improving the Internet experience since building his first Website at the age of 11—a fan page dedicated to his favorite childhood anime. At 19, he co-founded an online store generating more than $6 million in annual revenue at the time of his departure. George can be reached at [email protected].
In Blogs & Viewpoints, prepaid and emerging payment professionals share their perspectives on the industry. Paybefore endeavors to present many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore.