No, Passwords are NOT Dead, and No, Biometrics is NOT the Answer!

The title is already too long, but what it should have said was: “No, [all] Passwords are NOT Dead, and No, Biometrics [by itself] is NOT the Answer!”

Passwords represent one of only three factors in authentication: the something you know. To get rid of them, when they are already so well established, in favour of another single factor, the something you are represented by biometrics, is wrong to the point of being irresponsible.

In one of my previous articles on biometrics hype, subtly titled “Anyone Else Getting Sick of Biometrics Hype?”, I made it clear that I am actually a fan of biometrics. I went as far as to say: “…they are absolutely intrinsic to the future of non-cash payments and the implementation of true identity management…”. But what I cannot accept, and will rail against until I’m blue in the face, is those shamelessly trying to make biometrics the only player in town.

Somehow my enormous blog following of 99 (including family) has so far been unable to effect the changes the industry so desperately needs. But this is not the first time blatant self-interest has made matters worse for everyone: the battle over NFC delayed its useful implementation for years, the on-going battle over loyalty / reward programs means there are tens of thousands of them (most of little use to the end consumer), and having a different adaptor for almost every device we own (even if you only have Apple!) annoys me endlessly.

Biometrics vendors are now firmly in this illustrious group, and it’s all so unnecessary.

However, there are a lot of organisations out there trying to do the right thing: those whose mission is to ease the transition of the payments space from cash / paper / plastic to digital, and who recognise that no ONE organisation has all the answers. Passwords are not the answer, biometrics are not the answer, hardware devices are not the answer; it’s a combination of ALL of these things, and all the things to come, that will get us to where we need to be. Those prepared to collaborate, to be part of the solution instead of the problem, will all get a piece of a much larger pie, if they can prove their merit.

The worst part of it is that the ‘problem’ biometrics vendors are trying to solve has been created mostly by them! Yes, a lot of people want digital payments to be easy, or ‘frictionless’ (as the current buzz-phrase goes), but the vast majority of people are not concerned about passwords (they just change them), nor are they concerned about cashless payments (what’s wrong with their credit cards?). While there is no question that payments will transition from plastic to mobile, it will be a long transition, and there is no room for disruptive innovation in this space.

I of course blame Apple for this. Apple Pay has driven an increase in interest in biometrics that has every vendor clamouring to monetise before the interest dries up. And dry up it will, IF they continue along the current course. Biometrics by itself does not solve the security challenges, but if vendors embraced collaboration with all the other forms of authentication (including passwords), they would cement their future in a far more positive place.

[If you liked this article, please share! Want more like it, subscribe!]

Is Authentication of Identity Even Possible?

Before I can answer that question, I need to define what I think identity is. Too often authentication is used interchangeably with identity, but that’s like saying a bank account and money are the same thing.

In its most basic terms, authentication is the WHAT-of-you; identity is the WHO-of-you. You can authenticate via password to log into your computer or buy a cup of coffee, but if you want a mortgage, considerably more background information is required. I could give you 5 usernames & passwords, 5 forms of biometrics, and 5 different hardware tokens, and you would still not know to any degree of certainty whether I’m good for a loan. (Note that those 15 authenticators still only cover the three factor categories: something you know, something you have, something you are.)

Example: Two people are standing in front of you, one’s a stranger and one’s a close friend. You know [for the sake of this hypothetical] that they are both who they say they are, but do you feel equally comfortable lending them your car?

I would assume the answer is no, you would NOT be comfortable loaning a stranger your car, so what’s the difference? Trust, pure and simple. You trust your friend because you know WHO they are, not WHAT they are.

Unfortunately you will never be able to know everyone on the planet as well as your friends, so how can you assure a sufficient level of trust to do business of any sort? Currently, authentication is enough, but it’s almost entirely one way. If you want to buy something on the Internet YOU have to complete the login details (often including a permanent account), you have to enter all of your payment details, and you have to accept the risk that the merchant will send the goods as promised.

With an identity, built over the course of time and receiving input from many sources, every individual and every organisation can build a demonstrable level of trust so that both sides have the assurance they need to conclude the transaction. Fraud in e-commerce is rampant because we simply don’t have this 2-way assurance.

From the individual side: Credit score, confirmation of available funds, payment history, and any number of other factors can build a Trust Assurance Score (TAS), and it will be up to both the buyer and the seller to agree on the level of score required to complete a purchase. e.g. on a scale of 1 – 100 (100 being a perfect TAS) the merchant needs a score of 5 to buy the ubiquitous cup of coffee, but a score of 50 to rent a car, and a score of at least 75 to get a mortgage.

From the merchant side: Time in business, corporate credit rating, ratings and reviews and so on can build their TAS, so you can decide up front the level of risk you are prepared to accept to conduct the business at hand.

Clearly there are many challenges with this: How do you build a rating in the first place (the young, and new businesses, should not be unfairly disadvantaged)? How do you provide instant access to this rating without exposing all of the detailed information behind it? How do you tie in the level of authentication required to even request a TAS? And so on.

I’m not proposing a way to fix this, I’m simply trying to demonstrate that the reason we don’t HAVE identity built into transaction authentication is that these issues have not been addressed yet. And until we have identity built into transactions, we won’t have the levels of trust required to make significant change. Payments for example will move from plastic to mobile, but authentication (even multi-factor) is not enough to significantly reduce fraud.
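To make the shape of the model above concrete, here is an added toy policy in Python. It is an illustration written for this page, not the post’s own proposal or code. It reuses the post’s illustrative buyer scores of 5 / 50 / 75 on a 1–100 scale, lets both sides state the minimum score they accept from the other, and answers the “level of authentication required to even request a TAS” question by gating on the number of DISTINCT factor categories presented (so five passwords still count as one factor, as the earlier “5 usernames & passwords, 5 biometrics, 5 tokens” example implies). The authenticator-to-factor mapping, the minimum-factor count per tier, the tier names and the sample parties are all hypothetical assumptions.

```python
"""Toy policy engine: distinct-factor authentication level plus a two-way
Trust Assurance Score (TAS) check. Added illustration, not the post's own
code; every threshold, name and mapping here is a hypothetical assumption."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three factor categories the post refers to."""
    KNOW = "something you know"   # password, PIN
    HAVE = "something you have"   # hardware token, enrolled phone
    ARE = "something you are"     # fingerprint, face


# Hypothetical mapping of authenticator types to factor categories.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "enrolled_device": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "face": Factor.ARE,
}


def authentication_level(presented: list[str]) -> int:
    """Count DISTINCT factor categories, not authenticators: five passwords are
    still one factor, and five of each kind are three factors, not fifteen."""
    categories = set()
    for name in presented:
        if name not in AUTHENTICATOR_FACTOR:
            raise ValueError(f"unknown authenticator type: {name}")
        categories.add(AUTHENTICATOR_FACTOR[name])
    return len(categories)


@dataclass(frozen=True)
class Tier:
    name: str
    min_factors: int    # factor categories required before a TAS may be requested
    min_buyer_tas: int  # default score a merchant needs from the buyer


# Hypothetical tiers reusing the post's illustrative 5 / 50 / 75 on a 1-100 scale.
TIERS = {
    "coffee": Tier("coffee", min_factors=1, min_buyer_tas=5),
    "car_rental": Tier("car_rental", min_factors=2, min_buyer_tas=50),
    "mortgage": Tier("mortgage", min_factors=3, min_buyer_tas=75),
}


@dataclass(frozen=True)
class Party:
    """Either side: its own TAS (computed elsewhere from history, ratings, etc.)
    and the lowest counterparty score it is prepared to transact with."""
    name: str
    tas: int
    min_counterparty_tas: int

    def __post_init__(self):
        for value in (self.tas, self.min_counterparty_tas):
            if not 1 <= value <= 100:
                raise ValueError(f"{self.name}: TAS values must be 1..100, got {value}")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(tier_name: str, buyer: Party, merchant: Party, presented: list[str]) -> Decision:
    """Authentication gate first (so a weakly authenticated request never learns
    any score), then each side's TAS is checked against what the other demands."""
    tier = TIERS[tier_name]
    level = authentication_level(presented)
    if level < tier.min_factors:
        return Decision(False, f"step-up required: {tier.name} needs {tier.min_factors} factor(s), got {level}")
    # The merchant may demand more of the buyer than the tier default.
    required_of_buyer = max(tier.min_buyer_tas, merchant.min_counterparty_tas)
    if buyer.tas < required_of_buyer:
        return Decision(False, f"buyer TAS {buyer.tas} below required {required_of_buyer}")
    if merchant.tas < buyer.min_counterparty_tas:
        return Decision(False, f"merchant TAS {merchant.tas} below buyer's minimum {buyer.min_counterparty_tas}")
    return Decision(True, f"{tier.name}: {level} factor(s); buyer {buyer.tas} >= {required_of_buyer}; "
                          f"merchant {merchant.tas} >= {buyer.min_counterparty_tas}")


if __name__ == "__main__":
    # Constructed sample parties for a stand-alone run.
    alice = Party("alice", tas=60, min_counterparty_tas=20)
    cafe = Party("cafe", tas=30, min_counterparty_tas=1)
    bank = Party("bank", tas=90, min_counterparty_tas=70)
    print(decide("coffee", alice, cafe, ["pin"]))                              # allowed
    print(decide("car_rental", alice, cafe, ["password", "pin"]))              # step-up: still one factor
    print(decide("mortgage", alice, bank, ["pin", "hardware_token", "face"]))  # buyer TAS too low
```

The ordering matters: the factor gate runs before any score is consulted, so a request that has not authenticated to the tier’s level is refused without disclosing either party’s TAS, which is one answer to the “instant access without exposing the detail” challenge listed above. Everything that feeds the TAS itself (credit history, payment history, ratings) is deliberately out of scope and represented only by the number.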

I suspect block-chains (the technology behind crypto-currencies) have a big chunk of the answer, but I can’t even conceive of how this will be done. I just know it needs to be.

Anyone Else Getting Sick of Biometrics Hype?

I am in no way against biometrics, they are absolutely intrinsic to the future of non-cash payments and the implementation of true identity management in general. What I’m completely sick of is the “Password is dead, biometrics is here!” hype perpetrated by those with a blatant self-interest.

If the password were dead, we would not have a multi-TRILLION £/$/€ industry currently predicated on the 4-digit PIN: the branded payment card. Organisations up and down the payment card food chain, from the schemes to the end merchants, would not be spending billions on the perpetuation of the technology if the password were actually dead.

The payments industry is not trying to reach the fewer than two billion people with biometric-enabled smartphones; they are trying to reach the SEVEN billion people with money, half of whom have no access whatsoever to formalised banking as we know it, let alone a £400 mobile device.

Yes, there are ongoing fraud issues, and yes there are viable alternatives, but ask the average person on the street if they need mobile payments authorised through some form of biometrics and they will simply ask what’s wrong with their credit card? Too many biometrics companies are trying to change the world without applying common sense to the real issues. They are not solving a problem, they are trying to create a demand.

The challenges the payments industry faces are myriad, and include:

  • Enormously complex and expensive infrastructure geared towards current payment methods and protocols – [There’s no starting over from scratch.]
  • Global acceptance of current operational standards by every country’s financial authorities – [Requires amendments to most laws and regulations.]
  • Older technology that does not port securely onto consumer-controlled mobile devices – [You cannot exclude the card brands from this move.]
  • Difficult transition path from legacy infrastructure to new – [Where do you start, and what direction do you go in?]
  • Increasing pressure from retail to provide an improved customer journey / experience – [Retail and consumers expect more.]
  • …and so on.

Fraud due to poor authentication is not the problem, it’s an inconvenience. The real problem is that payments are heading from ‘plastic & PIN’ to ‘mobile and multi-factor’ whether we like it or not, and the only practical and secure way of doing so is to do it properly from the beginning. This will be an industry-wide effort or it will fail, and no biometrics company on the planet has the answers alone.

Battling fraud is not just about proving that you are the one attempting a transaction, it’s about being able to attribute your entire identity into the desired result. Just because I can prove I’m trying to buy a TV does not mean I have any intention of paying back the loan I took out to get it.

So smartphones have the ability to turn the industry-standard Personal Identification Number (PIN) into a Personal Identification Vector (PIV; not to be confused with the US federal Personal Identity Verification card, which shares the abbreviation), one that is not only TRULY personal (i.e. fully consumer-customisable) but builds a multitude of other authenticators into each transaction. It is here that biometrics really comes into its own: being able to seamlessly add the something-you-are authentication factor to EXISTING processes.

Biometrics tells us WHAT you are; it does not define WHO you are, and it’s the who-of-you that defines the future of your payment options.

Shopping Cart Abandonment, Authentication to the Rescue

According to Business Insider, approximately $4 TRILLION worth of merchandise will be abandoned in online shopping carts this year, of which only 63% is recoverable for those retailers with the necessary “savvy”.

The reasons behind this abandonment are as myriad as the individuals making the purchases, but to truly understand the root cause, you must examine the people themselves. From an online purchasing perspective, they fall roughly into these 5 categories:

  1. Mind-Changers – People change their minds all the time, which is much easier when you’re online than when you’re face-to-face with a sales rep. The longer the purchase process, the more time retailers leave open for this category to have second thoughts;
  2. Distractors – For those who don’t really care about their purchase, the slightest distraction will cause them to move on. Long and complicated check-out processes will see these folks following the next shiny thing;
  3. Impatient – Again, long check-out processes will see the impatient group give up fairly quickly even though it means starting again. The issue is that they will undoubtedly start again on a competitor’s site;
  4. Private – Asking a significant number of questions unrelated to the transaction itself, or forcing them to create an account first, is not an option for this category; and
  5. Frustrated – Too many steps and customers become frustrated and lose interest in purchasing the item.

Other reasons include hidden fees, unreasonable shipping & handling cost, loss of bandwidth and a multitude of others, but these are mostly issues with the merchant, not with the buyer.

The simplest and quickest checkout process helps mitigate these all-too-common behavioural flaws. However, it’s just not that easy when both the merchant and their underpinning acquiring bank(s) have responsibilities that go far beyond customer convenience.

Anti-fraud, anti-money-laundering, and significant numbers of industry-specific regulations mean that sellers must be reasonably sure that the purchaser is who they say they are. Currently this is performed by authentication: payment card details including the Card Verification Value (CVV), etc.

However, as a direct result of increasing online fraud rates, banks now require digital shoppers to prove who they are with more than just their card details. For example, 3D Secure (introduced by Visa in 2001 as Verified by Visa) adds another layer of authentication to help combat this fraud, but the oft-quoted “significant abandonment rates” experienced as a direct result have forced many e-commerce retailers to turn the service off during peak seasons (e.g. Christmas), or even cancel the service altogether.

So far the uncertain balance between convenience and security has only been good for the bad guys.

The Holy Grail of digital commerce is a frictionless checkout. This is only possible if the many disparate inputs are seamlessly integrated and made invisible to the consumer. The only device that has a chance to combine all of this into a process that basically mirrors the every-day behaviour of the consumer is the mobile device. It also just happens to be the one thing that can combine many forms of authentication that far exceed every regulation in the industry.

No-one doubts that e-commerce and m-commerce will continue to enjoy enormous growth, but it is only by getting the convenience vs. security balance right that the full potential of these markets can be reached.

Only authentication holds all the cards.

[Ed. Written in collaboration with]

Biometrics Is Only PART of the Answer!

The time will come when you will be able to walk into any shop, choose what you want, pay for it where you are standing, and walk out with it without having to go through the nonsense of lining up. The same will apply to getting through airport security/immigration, into a concert, onto public transportation and so on. Each of these ‘transactions’ will happen in the background.

The time will also come when who you are is enough to make all of these transactions happen almost seamlessly, and biometrics will be an enormous part of that. However, WHAT you are does not equal WHO you are, and that’s where biometrics vendors miss the point. No form of static authentication (of which biometrics is one, same as passwords) can encompass your entire identity: your likes, dislikes, hopes, fears, ambitions, friends & family interactions, even your reputation. The things that make you human, and 100% unique.

Also, what biometrics cannot do is replace every other form of authentication in the near term. Certainly not the authentication of payments for example when you consider that all payment card schemes globally are united behind the PIN.

“But that’s already happening!” you may say, and you’re right, you can authenticate payments with a fingerprint via your mobile device (Apple Pay for example). Then again, I can spend £20 (£30 from this September) at a time with my Visa / MasterCard contactless card with typically no authentication at all.

Ultimately, what we’re trying to get to is the universal demonstration of the one thing upon which all the transactions above rely; trust.

No single form of authentication (biometrics included) is going to get you a car loan, or a mortgage, but it WILL get you a cup of coffee, because authentication is just a sub-set of the overarching principle related to the demonstration of trust: Identity Management. The who you are, or more to the point, who you have been, is what gets you the mortgage; all your face is going to do is give the lender reasonable assurance that they are talking to the right person.

Authentication is not the answer that addresses the trust challenges we face today in a distributed world. Trust is not built on how you authenticate, it’s built on an irrefutable representation of your life: your credit history, criminal record, work history, references, social media profile, public statements of opinion (blogs, etc.) and so on. You are not going to place trust in someone you will likely never meet in person until you are reasonably satisfied that they will keep their end of the bargain.

Even multi-factor authentication is only going to give more certainty that the person you’re dealing with is the person you expect, it does nothing to ensure that your transaction will go as planned. Only identity can give you that kind of assurance.

Every transaction in the future will be a combination of identity management and authentication, and how much you need of each will be agreed by both sides, up front. This is a complete departure from today where trust is mostly one way, and should address the majority of the current challenges we have related to fraud.

[Ed. Written in collaboration with]