HSBC and First Direct recently announced that they are introducing fingerprint and voice recognition authentication for customers of online and telephone banking. In my own research, I first found nearly 20 years ago that people who have a multitude of passwords and PINs cannot manage them as security experts want them to. As the number of digital devices and services we use has increased rapidly, managing dozens of login details has become a headache for most people. We recently reported that most bank customers juggle multiple PINs, and are unable to follow the rules that banks set in their contracts. Our research also found that many people dislike the 2-factor token solutions that are currently used by many UK banks.
Passwords as most people use them today are not particularly secure. Attackers can easily attempt to collect information on individuals, using leaks of password files not properly protected by some websites, “phishing” scams or malware planted on people’s computers. Reusing a banking password on other websites – something that many of us do because we cannot remember dozens of different passwords – is also a significant security risk.
The introduction of fingerprint recognition on smartphones – such as the iPhone – has delighted many users fed up with entering their PINs dozens of times a day. So the announcement that HSBC and other banks will be able to use the fingerprint sensor on their smartphones for banking means that millions of consumers will finally be able to end their battle with passwords and PINs and use biometrics instead. Other services people access from their smartphones are likely to follow suit. And given the negative impact that cumbersome authentication via passwords and PINs has on staff productivity and morale in many organisations, we can expect to see biometrics deployed in work contexts, too.
But while biometrics – unlike passwords – do not require mental gymnastics from users, they bring usability challenges of their own. Matching the biometric to the modality of interaction – e.g. voice recognition for phone-based interactions – makes authentication an easy task, but it will work considerably better in quiet environments than in noisy ones – such as train stations, or with many people talking in the background. As many smartphone users have learnt, fingerprint sensors have a hard time recognising cold and wet fingers. And – as we report in a paper presented at IEEE Identity, Security and Behavior Analysis last week – privacy concerns mean some users ‘don’t like putting their face on the Internet’. Biometrics can’t come soon enough for most users, but there is still a lot of design and testing work to be done to make biometrics work across different interaction, physical and social contexts.
No method of authentication for customers of online and telephone banking services should be encouraged unless it comes with a credible assurance that when customers are charged with making a transaction that they have not made, their bank will not be able to blame them for the fraud of a third party.
Paper-based signatures meet this requirement quite well, because although a forgery may deceive a bank on initial presentation, subsequent scientific examination is generally able to detect a forgery when the customer challenges it. It is an unfortunate property of the PIN and the password that they fail to meet this requirement, and leave many customers blamed for the frauds of others.
It is important to evaluate fingerprints and voice-recognition methods against this aspect of their performance.
Indeed, if biometric authentication is just to protect the bank from fraud then it should (mainly) be up to the bank how they run their system. However, if the result of biometric authentication is used as evidence against a customer in the case of a disputed transaction (e.g. to argue that the customer was negligent or complicit in the fraud) then problems occur.
The criterion you outlined is Principle 4 in “Security Protocols and Evidence: Where Many Payment Systems Fail” and I agree it’s important. I don’t know if biometrics have been studied from this respect, but compared to the binary result from PIN or password authentication, I think biometrics have potential for secondary expert examination (provided records are kept of the raw data in addition to the result of the initial automated verification). Of course expert examination of biometrics is far from perfect, as shown by the Shirley McKie case.