The use of biometrics in user authentication is thriving: fingerprint sensors are becoming more common, and the technology for reliable facial and voice recognition has matured to the point where it is used within apps. Next-generation smartphones may also contain iris scanning capability, thanks to micro form factor components that fit within the existing footprint. This convenience is driving a wave of innovation in how organisations identify their customers. As with any trend, a flood of ideas is generated, and associated risks come with them.
Over the past month I have heard several industry speakers explain how they'll use these on-device biometric capabilities to verify the identity of new customers. This brings us to the first misunderstanding, which can be quickly addressed: unless you have an established link between the biometric and the identity, you can't verify your customer. Facial recognition offers the opportunity of comparison against established physical identity documents, such as a passport or driving licence. This is nothing new, though, and the quality issues lie in validating the document and in obtaining a sufficiently good image of the printed photo.
There's no commercial source of verified voice biometrics, so there is nothing to compare against. And whilst some physical documents contain fingerprint samples, accessing these presents a major hurdle without additional hardware. The other issue with a fingerprint is that the sensors used in smartphones don't present the fingerprint for comparison; the device simply signals that the authentication has occurred. The same is likely to be the case for other on-device biometric authentications.
This brings us to another risk: authentication based on a credential held on a multipurpose device.
The iPhone allows up to five fingerprints to be registered and used to
authenticate using TouchID. I can choose
to take prints of my thumb and four fingers from one hand; digits from both
hands; or I can register the fingers of myself and four friends; in fact, which
digits, from which hands and from which people is entirely my choice. Authorising others to unlock my phone doesn’t
mean that I’m authorising them to sell my car.
Now this is no different from any other form of credential. I can authorise you to use my bank card by giving it to you and telling you my PIN. With on-device biometrics I can do the same thing, though I need to clearly consent to the activities that I'm authorising. If I normally log into my banking app using a password, the bank can't simply enable TouchID authentication without tying the consent back to me first.
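As an added illustration (not code from the original post), here is a constructed Python model of the two points above: the server only ever receives a signal derived from a key held on the device, never the fingerprint itself, and binding that key to the account requires a session opened with the existing credential so that consent is tied back to the customer. The names BankServer and Device, and the use of an HMAC over a server challenge in place of a real device-bound keypair, are simplifying assumptions.

```python
import hashlib
import hmac
import secrets
def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
class BankServer:
    """Constructed back end: never sees a fingerprint, only a MAC from a key
    that was bound to the account inside a password-authenticated session."""
    def __init__(self):
        self.accounts = {}    # user -> {"pw": (salt, digest), "devices": {id: key}}
        self.sessions = {}    # token -> user
        self.challenges = {}  # user -> outstanding single-use challenge
    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"pw": (salt, _pw_hash(password, salt)), "devices": {}}
    def password_login(self, user, password):
        salt, digest = self.accounts[user]["pw"]
        if not hmac.compare_digest(digest, _pw_hash(password, salt)):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token
    def enable_biometric(self, token, device_id, device_key):
        # Consent step: binding needs a session opened with the existing credential.
        user = self.sessions.get(token)
        if user is None:
            return False
        self.accounts[user]["devices"][device_id] = device_key
        return True
    def new_challenge(self, user):
        self.challenges[user] = secrets.token_bytes(32)
        return self.challenges[user]
    def biometric_login(self, user, device_id, mac):
        key = self.accounts.get(user, {}).get("devices", {}).get(device_id)
        challenge = self.challenges.pop(user, None)
        if key is None or challenge is None or mac is None:
            return False
        return hmac.compare_digest(hmac.new(key, challenge, hashlib.sha256).digest(), mac)

class Device:
    """Simplified handset: any digit the owner enrolled releases the key, and
    the server cannot tell whose digit it was."""
    def __init__(self, device_id, enrolled):
        self.device_id, self.enrolled = device_id, set(enrolled)
        self.key = secrets.token_bytes(32)  # never leaves the device
    def sign(self, challenge, presented):
        if presented not in self.enrolled:
            return None  # local match failed; nothing is sent
        return hmac.new(self.key, challenge, hashlib.sha256).digest()
```

Note that once the owner has enrolled a friend's finger, the server has no way to distinguish that login from the owner's own, which is exactly why consent and delegation need to be settled before the feature is switched on.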
Smartphones have revolutionised how we interact digitally with
our customers. Biometrics bring a new
realm of convenience. Before we start
implementation, we need to ensure that we understand the implications and get
the design right.
We still need to have robust identification of the
customer. We still need explicit consent
from that customer. And we need to ensure
that their responsibilities should they delegate authority (whether we
encourage it or not) are understood and accepted. Getting it wrong will lead to accusations of
inappropriate touching; and no one wants that.
Connect with Bryn on Linked In: Bryn Robinson-Morgan