Biometrics is Dead, Long Live Mobile!

In my continuing crusade against greedy and self-serving biometrics vendors – which is absolutely NOT all of them – I figured I would give them a little taste of their own medicine with a ridiculous assertion in the title.

Of course biometrics isn’t dead [I believe it’s still in its infancy] and of course it will only continue to grow in distribution and influence. Its adoption will sky-rocket as mobile devices take over the world and IoT makes thinking for yourself redundant, and I for one am more than happy for it to spend time more in the sun.

What I cannot / will not accept from biometrics:

  1. Its growth at the expense of ANY other form of authentication (without appropriate justification),
  2. Its false and irresponsible claims to its security, and;
  3. Its blatant disregard for its ultimate benefactor; the mobile phone

Put to one side for a minute that not ONE legislation / regulation in payments actually requires biometrics (where “strong authentication” is primarily defined as 2-factor), and focus for a second on how biometrics has even made it as far as it has. Simply put, without the mobile phone, there would BE no biometrics in the mainstream.

It’s not like we would all carry around a separate device to perform biometric authentication, would we? No, we wouldn’t, so it’s only because biometrics is so readily available that we even consider it an alternative to passwords. That’s right, an ALTERNATIVE, and for the foreseeable future, one completely driven by consumer preference. No financial institution in their right mind will make biometrics mandatory, probably ever. I certainly wouldn’t.

So if the mobile phone is so all-powerful, why aren’t they attacking passwords? Simple, a) they have no need to, they are the dominant factor, and b) they are smart enough to realise that without the OTHER two factors they are not providing the best solutions possible.

In other words, they get it.

Rather a bleak picture, isn’t it? 1) not required for regulatory compliance, 2) will never be mandatory, only a consumer preference, 3) will never be suitable for some forms of authentication due to false ‘positives’, and; 4) it completely reliant on something else for its distribution. But even with all of this against it, I will embrace biometrics, in all its forms, if it provides me the convenience I crave, with ENOUGH security to transfer the risk to someone else (my bank for example).

And that’s really what it all boils down to; risk. A simple word but one completely misunderstood, and usually handled poorly. Bottom line; if the effort to steal something is greater than its value, it’s safe …enough. That’s all biometrics and passwords provide; security enough, and the amount of security you have to provide for a transaction is directly proportional to the value of the transaction.

For example, why would you use Apple Pay when it requires authentication that the contactless card does not? Is it more convenient? No. Does it provide more value-add services? No. Does it have anywhere near the distribution of plastic? No. Do YOU have to care about the security of contactless? No, you don’t.

Biometrics is, and will always be only a player in the game. While mobile holds most of the cards, any form of biometrics will be beholden to it, so they should play nice.

Biometrics Advocates, Get With the Bloody Program!

In just the last week, these are two of the articles paraded by the ‘Biometrics For eCommerce’ group on LinkedIn, both of which are taken from;

Is Biometrics Putting The Nail In The Password’s Coffin?

Is It Time To Cash In PINs For Biometrics?

My question is; Just how dumb do you have to be to wage a war against your own side? You don’t see The Times and The Sun slagging each other off, or Lexus and Toyota competing for the same demographic, do you? And why not? BECAUSE THEY ARE ON THE SAME DAMN TEAM!

So why is it that biometrics advocates feel the need to pick on passwords / PINs? I can only imagine it’s something like a school bully who only picks fights he thinks he can win, or perhaps they realise that biometrics is nowhere near the panacea they want it to be so they have to compare it against the lowest common denominator.

And let’s face it, that’s exactly what PINs are; the lowest form of password, which is the simplest of the 3 forms of authentication. That’s why it’s so prevalent, and orders of magnitude more accepted and consumer friendly than any form of biometric. But it is also the cause of all of their limitations, which are not inconsiderable.

However, instead of trying to kill the password /PIN, what’s wrong with taking the position of collaborative support? PINs are inadequate for some scenarios, just as biometrics are wholly inappropriate for others. Addressing the factor of authentication outside of the context of risk is no different from asking how long is a piece of string.

What about consumer preference? Is ANY financial institution or bank going to enforce a ‘biometrics-only’ stance? Not unless they are irretrievably stupid.

What about device capability? Are we going to force all 7.3 billion people on the planet to buy the latest smartphones? More than 2/3 of all mobile phones are still not biometrics enabled, do you really see passwords / PINs going away ANY time soon? No, nor do I.

Even for those with smartphones, who’s to say that the something-you-know has to be a passWORD? A picture of your own choosing will suffice. Or special characters in place of numbers perhaps? How many people out there speak Klingon? All you have to do is remember SOMETHING, and the smartphone could not make that easier (especially for those with learning disabilities).

Clearly my blog’s limited reach will have no impact on those too short-sighted or just too plain greedy to adopt a collaborative approach to authentication and identity management, but like almost all FinTech’s disruptive innovators, those going it alone will fail. Biometrics has finally, and rightfully, taken it’s place in the arsenal of weapons used against the bad guys, but for now advocates seem Hell bent on using them against their own friends.

In the end, only multi-factor authentication will win the day. Biometrics will be a big part of that, but the mobile phone (something-you-have) itself will be even bigger, and something-you-know will never go away.

Nor should anyone want it to.

Biometrics vs. Passwords: A Fight No-One Can Win

Thanks to Apple Pay, then Samsung Pay, biometrics companies have seen a tremendous surge in consumer interest, to the point where they are now falling over themselves trying to be seen as the authentication standard that replaces the password.

No doubt the numerous breaches that were apparently the result of weak password authentication will have these same companies in a feeding-frenzy of finger-pointing and I-told-you-sos. This is more than a little inappropriate, as biometrics not only has some of the same weaknesses, it adds layers of complexity and risk far above those to which passwords are exposed: at least you can change a password.

If you take 1800s transportation as an analogy, the answer was not to breed faster and stronger horses. You repurposed what you had (including the horses), coordinated a huge array of other industries and innovations, and worked TOGETHER to build something exponentially better.

Authentication now finds itself at a crossroads, and like most things in the Digital Age, there is no one right answer. The only certainty is that it will be the mobile devices that will be at the center of taking payments and authentication innovations to the mainstream. If you can’t put your authentication mechanism on a smartphone it simply won’t be adopted.

One answer which is simple, and brings the benefit of using both passwords (in the form of customer PIN) AND biometrics (in all its forms) is now available. No single factor of authentication is enough, and each one has its strengths and weaknesses. By combining multiple factors, you not only negate the limitations of each, you ensure that security is significantly more robust. The whole, in this case, is much greater than the sum of the parts.

The longer the password is, and the more of them you have, the more difficult it becomes to keep track. But the simpler the password, the easier it is to crack. Biometrics is relatively more convenient, but is prone to false positives, and once known from a physical perspective, can never be changed. So each factor is not ideal by itself, but combining a simple password, like a PIN, with biometrics, device registration and geo-location, presents a much more resilient hurdle.

We believe that poor design can lead to overly complicated solutions, and authentication mechanisms are no exception. Making a payment should actually be simple, as it’s just a transfer of value from one place to another, it’s the fact that we have MADE them complicated that makes them unsecure.

The average consumer is used to entering a PIN or a password and their smartphones should now be able to take care of the rest in a way that they hardly even notice it happening. Only in this way can we achieve the security we need, with the convenience required to make implementation practical.

For the payments sector to build the next generation of consumer solutions, individual vendors need to stop focusing on themselves and be more collaborative.

[Ed. Written in collaboration with]

No, Passwords are NOT Dead, and No, Biometrics is NOT the Answer!

The title is already too long, but what it should have said was; “No, [all] Passwords are NOT Dead, and No, Biometrics [by itself] is NOT the Answer!”

Passwords represent one of only 3 factors in authentication; the something you know, and to get rid of them when they are already so established in favour of another single form of authentication; the something you are represented by biometrics, is wrong to the point of being irresponsible.

In one of my previous articles related to biometrics hype, subtly titled “Anyone Else Getting Sick of Biometrics Hype?” I made it clear that I am actually a fan of biometrics. I went as far as to say; “…they are absolutely intrinsic to the future of non-cash payments and the implementation of true identity management…“. But what I cannot accept, and will rail against until I’m blue in the face, is those shamelessly trying to make biometrics the only player in town.

Somehow my enormous blog following of 99, (including family) has so far been unable to effect the changes the industry so desperately needs. But this is the not the first time blatant self-interest has made matters worse for everyone; The battle over NFC delayed its useful implementation for years, the on-going battle for loyalty / reward programs means there are tens of thousands of them (most of little use to the end consumer), and having a different adaptor for almost every device we own (even if you only have Apple!) annoys me endlessly.

Biometrics vendors are now firmly in this illustrious group, and it’s all so unnecessary.

However, there are a lot of organisation out there trying to do the right thing, those whose mission is to ease the transition of the payments space from cash / paper / plastic to digital, and who recognise that no ONE organisation has all the answers. Passwords are not the answer, biometrics are not the answer, hardware devices are not the answer, it’s a combination of ALL of these things and all the things to come that will get us to where we need to be. Those prepared to collaborate, to be part of the solution instead of being the problem, will all get a piece of a much larger pie. If they can prove their merit.

The worst part of it is that the ‘problem’ biometrics vendors are trying to solve has been created mostly by them! Yes, a lot of people want digital payments to be easy, or ‘frictionless’ (as the current buzz-phrase goes), but the vast majority of people are not concerned about passwords, they just change them, nor are they concerned about cashless payments, what’s wrong with their credit cards? While there is no question that payments will transition from plastic to mobile, it will be a long transition, and there is no room for disruptive innovation in this space.

I of course blame Apple for this, Apple Pay has driven an increase in interest in biometrics that has every vendor clamouring to monetise before the interest dries up.  And dry up it will, IF they continue along the current course. Biometrics by itself does not solve the security challenges, but if they embraced the collaboration with all the other forms of authentication (including passwords), they would cement their future in a far more positive place.

Mobile Authentication: Exceeding Card Present Security?

Looking at this as objectively as I can (given my current career focus), I fail to see how the sheer number of authentication factors a mobile devices is capable of doesn’t make authentication of card-not-present transactions at least as, if not more secure than card present transactions.

Well, they SHOULD be more secure, the technology is available, but the payments and mobile industries cannot seem to get out of their own way.

Let’s examine the card present transaction: I walk into a shop, choose my items, then go the counter. The shop assistant rings in my stuff, I place my chip & PIN card into the terminal, enter my PIN and I’m done.

The only things ‘guaranteeing’ that I’m an authorised user of the card is that I have the card in my possession, and a 4 digit PIN number. Yes, some cards have photos on them, but they are few and far between, so the real security in a card present environment is the difficulty of obtaining the card and the PIN from the true owner. I will not underestimate just how difficult this is, but other that the true owner finding the card missing and reporting it, there are very few checks and balances.

Now let’s consider what you currently have to do to buy something online, and everything a mobile phone COULD be doing to provide security. Traditionally:

  1. To create a new account with most e-commerce retailers, you just need a valid email address – May or may not require confirmation from email address used.
  2. To add a payment card you need a valid billing address, and a mobile phone number – May or may not be validated in the back-end.
  3. To make a purchase, you log into your account, choose your stuff, then go to the checkout. You select the saved payment card you wish to use, then enter your CVV2 code and / or your 3-D Secure password.

All of this is far easier to fake / bypass than in card present environments, hence the higher rates of fraud.

Now, imagine a scenario where you have registered your mobile phone and tied it to the payment card in question. At your disposal you have all of these available to you;

  1. PIN / Password – the most ubiquitous form of authentication on the planet, and while it’s not the best, it most certainly adds a significant layer of complexity for the bad guys.
  2. Fingerprint – If you have an iPhone 5/6 or a later version of Samsung, you have fingerprint biometrics. This facility will only increase as time goes on.
  3. Voice Recognition – Nowhere near as prevalent as fingerprint, but gaining ground.
  4. Retina / Face Recognition – Combine these two because they both use the camera in a very similar way. Not a huge fan of these so far, they are rather ungainly.
  5. Geo-Fencing – a transaction request comes in from a Nigeria-based IP address and your phone is in Wandsworth, is that legit?
  6. Social Media Profiling – Not common at all …yet, but you could choose to add your social media profile to the purchase decision. e.g. you’re a rabid Arsenal (UK folks) / Redskins (US folks) fan, would you really be buying Spurs or Eagles merchandise respectively? Maybe, but I assume only to burn it.
  7. Reputation Profiling – Again, not common, but another growing form of identity management.
  8. Device Profiling – App layouts and such.

…and so on.

The vast majority of these will require an initial set-up and configuration, but will then be largely invisible to the user during use. Innovation without practical use is just a dream, and in this case practical use means that everyone can use it without inconvenience.

Done correctly, the integration of all of these factors during a transaction will take no more effort than a user expends in the normal use of their mobile device, but so far the individual vendors of each service and mobile device are trying to corner the market for themselves.

Digital transactions account for trillions of €/£/$ annually, there is room for everyone in the EVOLUTION (not revolution) of payments from Plastic & PIN to Mobile & Multi-Factor, and disruptive innovation will do nothing but delay the end goal;

Frictionless and ultra-secure mobile payments.