Biometrics Is Only PART of the Answer!

The time will come when you will be able to walk into any shop, choose what you want, pay for it where you are standing, and walk out with it without having to go through the nonsense of lining up. The same will apply to getting through airport security/immigration, into a concert, onto public transportation and so on. Each of these ‘transactions’ will happen in the background.

The time will also come when who you are is enough to make all of these transactions happen almost seamlessly, and biometrics will be an enormous part of that. However, WHAT you are does not equal WHO you are, and that’s where biometrics vendors miss the point. No form of static authentication (of which biometrics is one, same as passwords) can encompass your entire identity. Your likes, dislikes, hopes, fears, ambitions, friends & family interactions, even your reputation. The things that make you human, and 100% unique.

Also, what biometrics cannot do is replace every other form of authentication in the near term. Certainly not the authentication of payments for example when you consider that all payment card schemes globally are united behind the PIN.

“But that’s already happening!” you may say, and you’re right, you can authenticate payments with a fingerprint via your mobile device (Apple Pay for example). Then again, I can spend £20 (£30 from this September) at a time with my Visa / MasterCard contactless card with typically no authentication at all.

Ultimately, what we’re trying to get to is the universal demonstration of the one thing upon which all the transactions above rely: trust.

No single form of authentication (biometrics included) is going to get you a car loan, or a mortgage, but it WILL get you a cup of coffee, because authentication is just a sub-set of the overarching principle related to the demonstration of trust: Identity Management. The who you are, or more to the point, who you have been, is what gets you the mortgage; all your face is going to do is give the lender reasonable assurance that they are talking to the right person.

Authentication is not the answer that addresses the trust challenges we face today in a distributed world. Trust is not built on how you authenticate, it’s built on an irrefutable representation of your life: your credit history, criminal record, work history, references, social media profile, public statements of opinion (blogs, etc.) and so on. You are not going to place trust in someone you will likely never meet in person until you are reasonably satisfied that they will keep their end of the bargain.

Even multi-factor authentication is only going to give more certainty that the person you’re dealing with is the person you expect; it does nothing to ensure that your transaction will go as planned. Only identity can give you that kind of assurance.

Every transaction in the future will be a combination of identity management and authentication, and how much you need of each will be agreed by both sides, up front. This is a complete departure from today where trust is mostly one way, and should address the majority of the current challenges we have related to fraud.

[Ed. Written in collaboration with]

Biometrics in Payments – Irresponsible Demand Generation

Demand generation is defined as: “The focus of targeted marketing programs to drive awareness and interest in a company’s products and/or services.”

Done responsibly it can be a very effective tool in any organisation’s marketing/PR tool-set, and I applaud anyone doing it well. Done irresponsibly it can lead target organisations to make very poor decisions that they will end up bitterly regretting. Yes, each organisation is responsible for making their choices, and for performing proper due diligence, but in an industry as complex as payments, vendors are often seen as the experts.

This position must NEVER be abused!

The example of demand generation that I invariably use is that of the smartphone. Until I saw one I had no idea I needed so much functionality in a mobile device. Now, quite literally, I cannot do my job without it.

Off the bat, that suggests 3 things:

  1. Smartphone manufacturers were justified in their aggressive marketing efforts …eventually;
  2. The drive by each vendor to win the entire market for themselves, while promoting competition, has left us with an enormous variety of devices and technologies that are difficult to adopt for fear of backing the wrong horse, and;
  3. I’m not smart enough to be a futurist.

But what if they had worked together on standardisation in the beginning (like with bloody power adapters for example!), how much better off would we be?!

Now biometrics vendors are the vultures over the kill, and the password is the corpse (harsh I know, but the alternative is wolves, but they work in unison for the good of the pack).

Biometrics companies are spending vast sums on marketing and PR resources to become the next big thing in authentication, all the while completely ignoring the fact that they are offering something little different (single-factor, static authentication), and side-stepping the most basic of practicalities: ease of adoption, and future-proofing.

The FACT remains that implementation of effective biometrics is extremely difficult. Distribution, false positive rates, disability support, privacy issues and a plethora of other challenges will continue to ensure that single-factor authentication with biometrics will not replace the 4 digit cardholder PIN any time soon. Nor should it.

It’s not about replacing the PIN, it’s about seamlessly combining the PIN with other forms / factors of authentication like biometrics. Anything else is irresponsible in the extreme given that most smartphones are capable of all 3 authentication factors multiple times each! Passphrase, PIN, fingerprint, voice recognition, iris, geo-fencing, device registration, device profiling, social media profiling, you name it, can all be entered into a mobile device through normal and already established consumer use.

The following is not necessarily an endorsement of Fast Identity Online (FIDO) Alliance, but you can see from their Mission that they fully appreciated the importance of evolutionary change, not revolutionary change:

“The Mission of the FIDO Alliance is to change the nature of online authentication by:

  • Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
  • Operating industry programs to help ensure successful worldwide adoption of the Specifications.
  • Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.”

Reliance on single-factor authentication with biometrics is a mistake, so avoid any organisation that adopts the ‘password is dead’ stance and just do your homework based on a business need, not a buzz-phrase.