Monday 21 November 2016

I didn’t say you could touch me

The use of biometrics in user authentication is thriving, with fingerprint sensors becoming more common and technology evolving for reliable facial and voice recognition being used within apps. Next generation smartphones may also contain iris scanning capability thanks to micro form factor components that can be included in the existing footprint. This convenience is driving a wave of innovation in how organisations identify their customers. As with any trend, a flood of ideas is generated - with associated risks too.

Over the past month I have heard several industry speakers explain how they'll use these on-device biometric capabilities to verify the identity of new customers. This brings us to the first misunderstanding, which can be quickly addressed: unless you have an established link between the biometric and the identity, you can't verify your customer. Facial recognition offers the opportunity of comparison against established physical identity documents, such as a passport or driving licence. This is nothing new, though, and the quality problems lie in validating the document and in capturing a sufficiently good image of the printed photo.

There's no commercial source of verified voice biometrics, so there is nothing to compare against. And whilst some physical documents contain fingerprint samples, accessing them presents a major hurdle without additional hardware. The other issue with a fingerprint is that the sensors used in smartphones don't present the fingerprint itself for comparison. The device simply signals that an authentication has occurred. The same is likely true for other on-device biometric authentications.

Which brings us to another risk with a credential based on a multipurpose device. The iPhone allows up to five fingerprints to be registered and used to authenticate with TouchID. I can choose to register my thumb and four fingers from one hand; digits from both hands; or the fingers of myself and four friends; in fact, which digits, from which hands and from which people, is entirely my choice. Authorising others to unlock my phone doesn't mean that I'm authorising them to sell my car.

Now this is no different from any other form of credential. I can authorise you to use my bank card by giving it to you and telling you my PIN. With on-device biometrics I can do the same thing, though I need to clearly consent to the activities that I'm authorising. If I normally log into my banking app using a password, the bank can't simply enable TouchID authentication without first tying that consent back to me.
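As an added illustration, not code from the post, here is a sketch of the server-side design the last two paragraphs argue for: the app enables biometric login only after the customer proves the credential they already use, the server pins the device's opaque biometric enrollment state at consent time so that adding a friend's finger forces re-consent, and a biometric session cannot authorise high-value actions on its own. The `Account` record, `hash_pw` (a toy stand-in for a real password KDF), `HIGH_VALUE_ACTIONS` and the function names are all assumptions; the only real platform detail is that iOS exposes an enrollment-state value (`evaluatedPolicyDomainState`) that changes when the enrolled set changes.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def hash_pw(password: str) -> bytes:
    """Toy stand-in for a real password KDF (hypothetical helper, not production code)."""
    return hashlib.sha256(password.encode()).digest()


@dataclass
class Account:
    """Hypothetical server-side account record."""
    password_hash: bytes
    # Set only after the customer explicitly consents using the credential they already use.
    biometric_consent: Optional[dict] = None


# Actions that a device-level "some enrolled digit matched" signal must never authorise alone.
HIGH_VALUE_ACTIONS = {"sell_car", "add_payee", "change_password"}


def enable_biometric_login(acct: Account, password: str, device_id: str, enrollment_state: bytes) -> bool:
    """Turn on biometric login only after the customer proves the existing credential.
    enrollment_state is an opaque value the OS changes whenever the enrolled set changes
    (on iOS, evaluatedPolicyDomainState); it is pinned to this consent."""
    if not hmac.compare_digest(hash_pw(password), acct.password_hash):
        return False
    acct.biometric_consent = {"device_id": device_id, "enrollment_state": enrollment_state}
    return True


def biometric_login(acct: Account, device_id: str, enrollment_state: bytes, device_says_ok: bool) -> str:
    """The device only reports that *a* registered digit matched, not whose it is.
    Returns 'ok', 'denied', or 'reconsent' (the enrolled set changed since consent)."""
    consent = acct.biometric_consent
    if consent is None or not device_says_ok or consent["device_id"] != device_id:
        return "denied"
    if not hmac.compare_digest(consent["enrollment_state"], enrollment_state):
        acct.biometric_consent = None  # e.g. a friend's finger was added: consent no longer covers it
        return "reconsent"
    return "ok"


def authorise(session_auth: str, action: str) -> str:
    """A biometric session may unlock the app but not sell the car: high-value actions need step-up."""
    if action in HIGH_VALUE_ACTIONS and session_auth != "password":
        return "step_up_required"
    return "allowed"
```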

Smartphones have revolutionised how we interact digitally with our customers. Biometrics bring a new realm of convenience. Before we start implementation, we need to ensure that we understand the implications and get the design right.

We still need robust identification of the customer. We still need explicit consent from that customer. And we need to ensure that their responsibilities, should they delegate authority (whether we encourage it or not), are understood and accepted. Getting it wrong will lead to accusations of inappropriate touching; and no one wants that.

About me

Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture. Bryn has nearly 20 years' experience working with some of the United Kingdom's leading brands and largest organisations.
