Biometrics is Dead, Long Live Mobile!

In my continuing crusade against greedy and self-serving biometrics vendors – which is absolutely NOT all of them – I figured I would give them a little taste of their own medicine with a ridiculous assertion in the title.

Of course biometrics isn’t dead [I believe it’s still in its infancy] and of course it will only continue to grow in distribution and influence. Its adoption will sky-rocket as mobile devices take over the world and IoT makes thinking for yourself redundant, and I for one am more than happy for it to spend more time in the sun.

What I cannot / will not accept from biometrics:

  1. Its growth at the expense of ANY other form of authentication (without appropriate justification);
  2. Its false and irresponsible claims to its security; and
  3. Its blatant disregard for its ultimate benefactor: the mobile phone.

Put to one side for a minute that not ONE piece of legislation / regulation in payments actually requires biometrics (where “strong authentication” is primarily defined as 2-factor), and focus for a second on how biometrics has even made it as far as it has. Simply put, without the mobile phone, there would BE no biometrics in the mainstream.

It’s not like we would all carry around a separate device to perform biometric authentication, would we? No, we wouldn’t, so it’s only because biometrics is so readily available that we even consider it an alternative to passwords. That’s right, an ALTERNATIVE, and for the foreseeable future, one completely driven by consumer preference. No financial institution in their right mind will make biometrics mandatory, probably ever. I certainly wouldn’t.

So if the mobile phone is so all-powerful, why aren’t they attacking passwords? Simple, a) they have no need to, they are the dominant factor, and b) they are smart enough to realise that without the OTHER two factors they are not providing the best solutions possible.

In other words, they get it.

Rather a bleak picture, isn’t it? 1) not required for regulatory compliance, 2) will never be mandatory, only a consumer preference, 3) will never be suitable for some forms of authentication due to false ‘positives’, and 4) completely reliant on something else for its distribution. But even with all of this against it, I will embrace biometrics, in all its forms, if it provides me the convenience I crave, with ENOUGH security to transfer the risk to someone else (my bank for example).

And that’s really what it all boils down to: risk. A simple word but one completely misunderstood, and usually handled poorly. Bottom line: if the effort to steal something is greater than its value, it’s safe …enough. That’s all biometrics and passwords provide; security enough, and the amount of security you have to provide for a transaction is directly proportional to the value of the transaction.

For example, why would you use Apple Pay when it requires authentication that the contactless card does not? Is it more convenient? No. Does it provide more value-add services? No. Does it have anywhere near the distribution of plastic? No. Do YOU have to care about the security of contactless? No, you don’t.

Biometrics is, and will always be only a player in the game. While mobile holds most of the cards, any form of biometrics will be beholden to it, so they should play nice.

Biometrics Advocates, Get With the Bloody Program!

In just the last week, these are two of the articles paraded by the ‘Biometrics For eCommerce’ group on LinkedIn, both of which are taken from PYMNTS.com:

Is Biometrics Putting The Nail In The Password’s Coffin?

Is It Time To Cash In PINs For Biometrics?

My question is: just how dumb do you have to be to wage a war against your own side? You don’t see The Times and The Sun slagging each other off, or Lexus and Toyota competing for the same demographic, do you? And why not? BECAUSE THEY ARE ON THE SAME DAMN TEAM!

So why is it that biometrics advocates feel the need to pick on passwords / PINs? I can only imagine it’s something like a school bully who only picks fights he thinks he can win, or perhaps they realise that biometrics is nowhere near the panacea they want it to be so they have to compare it against the lowest common denominator.

And let’s face it, that’s exactly what PINs are: the lowest form of password, which is the simplest of the 3 forms of authentication. That’s why it’s so prevalent, and orders of magnitude more accepted and consumer friendly than any form of biometric. But it is also the cause of all of their limitations, which are not inconsiderable.

However, instead of trying to kill the password / PIN, what’s wrong with taking the position of collaborative support? PINs are inadequate for some scenarios, just as biometrics are wholly inappropriate for others. Addressing the factor of authentication outside of the context of risk is no different from asking how long a piece of string is.

What about consumer preference? Is ANY financial institution or bank going to enforce a ‘biometrics-only’ stance? Not unless they are irretrievably stupid.

What about device capability? Are we going to force all 7.3 billion people on the planet to buy the latest smartphones? More than 2/3 of all mobile phones are still not biometrics enabled, do you really see passwords / PINs going away ANY time soon? No, nor do I.

Even for those with smartphones, who’s to say that the something-you-know has to be a passWORD? A picture of your own choosing will suffice. Or special characters in place of numbers perhaps? How many people out there speak Klingon? All you have to do is remember SOMETHING, and the smartphone could not make that easier (especially for those with learning disabilities).

Clearly my blog’s limited reach will have no impact on those too short-sighted or just too plain greedy to adopt a collaborative approach to authentication and identity management, but like almost all of FinTech’s disruptive innovators, those going it alone will fail. Biometrics has finally, and rightfully, taken its place in the arsenal of weapons used against the bad guys, but for now advocates seem hell-bent on using them against their own friends.

In the end, only multi-factor authentication will win the day. Biometrics will be a big part of that, but the mobile phone (something-you-have) itself will be even bigger, and something-you-know will never go away.

Nor should anyone want it to.

Biometrics vs. Passwords: A Fight No-One Can Win

Thanks to Apple Pay, then Samsung Pay, biometrics companies have seen a tremendous surge in consumer interest, to the point where they are now falling over themselves trying to be seen as the authentication standard that replaces the password.

No doubt the numerous breaches that were apparently the result of weak password authentication will have these same companies in a feeding-frenzy of finger-pointing and I-told-you-sos. This is more than a little inappropriate, as biometrics not only has some of the same weaknesses, it adds layers of complexity and risk far above those to which passwords are exposed: at least you can change a password.

If you take 1800s transportation as an analogy, the answer was not to breed faster and stronger horses. You repurposed what you had (including the horses), coordinated a huge array of other industries and innovations, and worked TOGETHER to build something exponentially better.

Authentication now finds itself at a crossroads, and like most things in the Digital Age, there is no one right answer. The only certainty is that it will be the mobile devices that will be at the center of taking payments and authentication innovations to the mainstream. If you can’t put your authentication mechanism on a smartphone it simply won’t be adopted.

One simple answer, which brings the benefit of using both passwords (in the form of a customer PIN) AND biometrics (in all its forms), is now available. No single factor of authentication is enough, and each one has its strengths and weaknesses. By combining multiple factors, you not only negate the limitations of each, you ensure that security is significantly more robust. The whole, in this case, is much greater than the sum of the parts.

The longer the password is, and the more of them you have, the more difficult it becomes to keep track. But the simpler the password, the easier it is to crack. Biometrics is relatively more convenient, but is prone to false positives, and once known from a physical perspective, can never be changed. So each factor is not ideal by itself, but combining a simple password, like a PIN, with biometrics, device registration and geo-location, presents a much more resilient hurdle.

We believe that poor design can lead to overly complicated solutions, and authentication mechanisms are no exception. Making a payment should actually be simple, as it’s just a transfer of value from one place to another; it’s the fact that we have MADE payments complicated that makes them insecure.

The average consumer is used to entering a PIN or a password and their smartphones should now be able to take care of the rest in a way that they hardly even notice it happening. Only in this way can we achieve the security we need, with the convenience required to make implementation practical.

For the payments sector to build the next generation of consumer solutions, individual vendors need to stop focusing on themselves and be more collaborative.

[Ed. Written in collaboration with www.myPINpad.com]

No, Passwords are NOT Dead, and No, Biometrics is NOT the Answer!

The title is already too long, but what it should have said was; “No, [all] Passwords are NOT Dead, and No, Biometrics [by itself] is NOT the Answer!”

Passwords represent one of only 3 factors in authentication: the something-you-know. To get rid of them, when they are already so established, in favour of another single form of authentication (the something-you-are, represented by biometrics) is wrong to the point of being irresponsible.

In one of my previous articles related to biometrics hype, subtly titled “Anyone Else Getting Sick of Biometrics Hype?”, I made it clear that I am actually a fan of biometrics. I went as far as to say: “…they are absolutely intrinsic to the future of non-cash payments and the implementation of true identity management…“. But what I cannot accept, and will rail against until I’m blue in the face, is those shamelessly trying to make biometrics the only player in town.

Somehow my enormous blog following of 99 (including family) has so far been unable to effect the changes the industry so desperately needs. But this is not the first time blatant self-interest has made matters worse for everyone: the battle over NFC delayed its useful implementation for years, the on-going battle for loyalty / reward programs means there are tens of thousands of them (most of little use to the end consumer), and having a different adaptor for almost every device we own (even if you only have Apple!) annoys me endlessly.

Biometrics vendors are now firmly in this illustrious group, and it’s all so unnecessary.

However, there are a lot of organisations out there trying to do the right thing, those whose mission is to ease the transition of the payments space from cash / paper / plastic to digital, and who recognise that no ONE organisation has all the answers. Passwords are not the answer, biometrics are not the answer, hardware devices are not the answer; it’s a combination of ALL of these things, and all the things to come, that will get us to where we need to be. Those prepared to collaborate, to be part of the solution instead of being the problem, will all get a piece of a much larger pie. If they can prove their merit.

The worst part of it is that the ‘problem’ biometrics vendors are trying to solve has been created mostly by them! Yes, a lot of people want digital payments to be easy, or ‘frictionless’ (as the current buzz-phrase goes), but the vast majority of people are not concerned about passwords (they just change them), nor are they concerned about cashless payments (what’s wrong with their credit cards?). While there is no question that payments will transition from plastic to mobile, it will be a long transition, and there is no room for disruptive innovation in this space.

I of course blame Apple for this: Apple Pay has driven an increase in interest in biometrics that has every vendor clamouring to monetise before the interest dries up. And dry up it will, IF they continue along the current course. Biometrics by itself does not solve the security challenges, but if vendors embraced collaboration with all the other forms of authentication (including passwords), they would cement their future in a far more positive place.

Anyone Else Getting Sick of Biometrics Hype?

I am in no way against biometrics, they are absolutely intrinsic to the future of non-cash payments and the implementation of true identity management in general. What I’m completely sick of is the “Password is dead, biometrics is here!” hype perpetrated by those with a blatant self-interest.

If the password was dead, we would not have a multi-TRILLION £/$/€ industry currently predicated on the 4 digit PIN; the branded payment card. Organisations up and down the payment card food chain, from the schemes to the end merchants would not be spending billions on the perpetuation of the technology if the password was actually dead.

The payments industry is not trying to reach the fewer than two billion people with biometric-enabled smartphones, it is trying to reach the SEVEN billion people with money, half of whom have no access whatsoever to formalised banking as we know it, let alone a £400 mobile device.

Yes, there are ongoing fraud issues, and yes there are viable alternatives, but ask the average person on the street if they need mobile payments authorised through some form of biometrics and they will simply ask what’s wrong with their credit card? Too many biometrics companies are trying to change the world without applying common sense to the real issues. They are not solving a problem, they are trying to create a demand.

The challenges the payments industry faces are myriad, and include:

  • Enormously complex and expensive infrastructure geared towards current payment methods and protocols [There’s no starting over from scratch]
  • Global acceptance of current operational standards by all countries’ financial authorities [Requires amendments to most laws and regulation]
  • Older technology that does not port securely onto consumer controlled mobile devices [You cannot exclude the card brands from this move.]
  • Difficult transition path from legacy infrastructure to new [Where do you start, and what direction do you go in?]
  • Increasing pressure from retail to provide improved customer journey / experience [Retail and consumers expect more.]
  • …and so on.

Fraud due to poor authentication is not the problem, it’s an inconvenience. The real problem is that payments are heading from ‘plastic & PIN’ to ‘mobile and multi-factor’ whether we like it or not, and the only practical and secure way of doing so is to do it properly from the beginning. This will be an industry-wide effort or it will fail, and no biometrics company on the planet has the answers alone.

Battling fraud is not just about proving that you are the one attempting a transaction, it’s about being able to attribute your entire identity into the desired result. Just because I can prove I’m trying to buy a TV does not mean I have any intention of paying back the loan I took out to get it.

So smartphones have the ability to turn the industry standard Personal Identification Number (PIN) into a Personal Identification Vector (PIV), one that is not only TRULY personal (i.e. fully consumer customisable) but also builds a multitude of other authenticators into each transaction. It is here that biometrics really comes into its own: being able to seamlessly add the something-you-are authentication factor to EXISTING processes.
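To make the PIV idea above concrete, and the earlier point that a PIN, biometrics, device registration and geo-location combine into a hurdle proportional to the value of the transaction, here is an added example (mine, not the blog’s or myPINpad’s) of a step-up decision rule: the number of independent factor categories required grows with the amount, an unusual location raises it one level, and a lone biometric never carries a high-value payment. The signal names, amount tiers and mapping of signals to categories are constructed assumptions, not anything the posts specify.

```python
from dataclasses import dataclass

# The three factor categories the posts refer to.
KNOW, HAVE, ARE = "something-you-know", "something-you-have", "something-you-are"

# Assumed mapping of signals verified on the phone to a factor category.
# Geo-location is deliberately NOT a factor here: it only adjusts the risk level.
FACTOR_CATEGORY = {
    "pin": KNOW,                # the customer's existing PIN
    "registered_device": HAVE,  # a device previously enrolled to this customer
    "biometric": ARE,           # fingerprint / face match performed on the device
}

@dataclass
class Transaction:
    amount: float                # transaction value (constructed sample values below)
    verified: frozenset          # signals that verified successfully on this request
    geo_consistent: bool = True  # location agrees with the customer's usual pattern

def required_categories(amount, geo_consistent):
    """Assurance grows with value: a low-value payment gets by with one factor,
    larger ones need two or all three independent categories (tiers are assumed)."""
    if amount < 30:
        needed = 1
    elif amount < 500:
        needed = 2
    else:
        needed = 3
    if not geo_consistent:
        needed = min(3, needed + 1)  # unusual location: step up one level
    return needed

def decide(tx):
    """Return ("approve", []) or ("step_up", [categories to prompt for]).

    Step-up asks for the most established missing category first: the PIN the
    customer already knows, then the device, then a biometric."""
    present = {FACTOR_CATEGORY[s] for s in tx.verified if s in FACTOR_CATEGORY}
    needed = required_categories(tx.amount, tx.geo_consistent)
    if len(present) >= needed:
        return "approve", []
    missing = [c for c in (KNOW, HAVE, ARE) if c not in present]
    return "step_up", missing[: needed - len(present)]

if __name__ == "__main__":
    # Constructed examples: a small contactless-style tap on a known device, then a
    # large purchase where only a biometric matched (no PIN, device not enrolled).
    print(decide(Transaction(12.50, frozenset({"registered_device"}))))
    print(decide(Transaction(1200.0, frozenset({"biometric"}))))
```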

Biometrics tells us what you are, it does not define WHO you are, and it’s the who-of-you that defines the future of your payment options.