Tuesday, 9 February 2016

Top Trends for Biometrics in Financial Services

Biometrics is certainly a technology that is rapidly being adopted by the Financial Services industry and this is not just confined to mobile deployments. Mobile is a growing channel for the delivery of financial services and will start to dominate most financial sectors over the next five years but other channels are still a vital part of any delivery strategy.

This is an important message that I have learnt after spending the second half of 2015 researching how biometrics is becoming an important tool within the security toolbox that can be utilised in the fight against financial fraud and identity theft.

In a series of analyst reports that I authored in 2015 that were published in June, October and December 2015 by Goode Intelligence, I was able to carry out a deep-dive into the adoption of biometric technology in financial services. This included banking, payment and mobile-based biometric services.

In the reports I identified five key trends that are currently shaping this market.

Bye Bye PINs for ATM Security

ATMs are unattended and when I type in my PIN I am always uber-aware of who is standing behind me in case they may be attempting to steal my PIN. Being a paranoid sort of person I go through a series of checks that includes checking for ATM skimmers or evidence that a camera may be pointing at the keyboard. Banks have installed awareness notices and stuck-on mirrors to help me protect my PIN but it shouldn't have to be like this. 

Things are changing and banks are modifying their ATM technology to phase out PINs and to embrace biometrics. There is also choice in the biometric deployment method; a bank can integrate a biometric sensor into the ATM itself (fingerprint, palm-vein, finger-vein and iris are being used) to go either cardless (my biometric replaces the plastic) or keep the card (the biometric is stored on the card and a biometric is captured at the ATM and then matched against the stored template on the card). There is also a mobile biometric solution that replaces the need for a plastic bank card or integration of specialist sensors at the ATM; Hoyos Labs has a neat solution where the mobile device interacts with an ATM using a combination of barcode and mobile biometric authentication technology. And if you like plastic cards then there are solutions as well; a number of vendors, including Zwipe, have integrated a fingerprint sensor into plastic cards to replace PINs. The plastic bank card will only work if the authorised user's fingerprint is first placed on the sensor.

Authenticated Contactless Mobile Payments

One of the more visible success stories for biometric adoption in financial services has been the development of mobile biometric contactless payments. Apple Pay and Samsung Pay both use integrated fingerprint sensors to secure contactless mobile payments in physical locations. The PIN was adding friction to the physical payment experience so you can either forget about user authentication and limit the transaction amount (tap and pay for low value payments) or replace the PIN with a method that doesn't slow down the experience but still adds a level of security. 

How to tackle rising levels of Card-Not-Present Fraud?

Technology does reduce fraud. The deployment of EMV chip cards has led to a reduction of fraud at the physical point of sale. This has led criminals to move online and attack commerce channels that the EMV chip cannot protect. The rise of Card-Not-Present (CNP) fraud, especially for eCommerce transactions, and the movement towards mobile commerce has created the need for secure and convenient user authentication and transaction verification. Biometrics offers a viable solution. Expect to see the payment networks start to roll out mobile-based biometric solutions that aim to tackle the CNP fraud problem and even support in 3D Secure 2.0.

Wearable Payments to support Biometric Authentication 

It is early days for wearables; the market is too fragmented and there are too few devices currently being used by consumers. This will change, and as more and more apps are developed to support the delivery of financial services to bands and smart watches, the need to validate identity and to protect commerce will become critical. For wearables, it is important to pick a biometric modality that suits the device and the application, so expect to see technology such as heart-rate (ECG), behavioral and vascular being integrated into the next generation of wearable devices: biometrics that can be captured when a device is close to the skin of its wearer. Brainwave for Glass perhaps?

Financial-Grade multi-modal biometric authentication to become de-facto for mobile banking apps

The final trend that I am pulling out of these reports is part of a movement to increase security of mobile-based biometric solutions without adversely affecting convenience and ensuring that financial services providers maintain ownership of identity. The industry needs to ensure that the biometric technology is hard to spoof, that the protocols cannot be compromised and that the vulnerabilities seen in existing 2FA solutions (including replay and man-in-the-middle attacks) are not introduced. At the same time, the technology must be easy to use, scalable and fit into existing identity lifecycle management tools (can I revoke a credential?). The use of more than one biometric modality, face and voice for instance, in a banking app can increase security and also provide choice for consumers. A service provider can also match the right biometric modality to the context of the login or transaction attempt; fingerprint may open the app but a challenge using another modality may be needed to send a payment to a new beneficiary.

To conclude, established financial services organisations, challenger banks and the emerging FinTech providers now understand the importance of choosing the most appropriate user authentication and transaction verification technology that can work across all finance channels and can meet the needs of convenience and security. Biometrics certainly ticks the boxes for convenience with millions of customers around the world paying for products and accessing mobile banking with the touch of the finger or by taking a selfie. A number of biometric platforms are also being introduced that tick security, regulatory and privacy boxes, including IEEE's Biometric Open Protocol Standard (BOPS).

What is exceptional about this market is the sheer scale of deployment that has already taken place and the enormous potential that is yet to come. From millions of Brazilians daily withdrawing cash from biometrically-enabled ATMs, to mobile banking customers accessing their accounts with the touch of a finger or by taking an image of their face, the use of biometrics for financial services is improving security, reducing financial fraud and removing the need for cumbersome authentication solutions that are not fit for purpose in today's hyper-connected world.










Monday, 19 October 2015

Innovation in Biometrics Enables Alternative Payment Methods

Payments have been the major driving force for the wide-scale adoption of biometrics in the consumer market. Today, millions of customers (Goode Intelligence forecast 350 million plus during 2015) are using biometrics on a daily basis around the world to provide secure convenient user authentication and transaction authorisation and this theme is set to continue with a forecast of over three billion users by 2020. 

Biometrics for payments is increasingly a vital part of a payment service provider's toolkit in the never-ending task of reducing financial fraud and ensuring that their customers can conveniently prove their identity and authorise transactions.

The adoption of biometrics for payments is also leading to wide-scale disruption in the payment industry, enabling alternative methods for consumers to pay for goods and services in a variety of payment scenarios. This is not simply replacing one authentication mechanism with another; the finger replacing the PIN. Biometrics is allowing alternative payment methods to be introduced, some of which are being supplied by non-traditional payment service providers.

HYPR Corp has developed a biometric security protocol that provides digital payment platforms, including Bitcoin, with a solution to secure access to their digital payment assets.

One of the core security concerns around Bitcoin and other digital currency platforms is that unlike with credit cards, transactions are irreversible.

HYPR was founded to solve the core fraud problem by providing a definitive answer to the question of “Am I who I say I am?” 

HYPR answers the question of “Am I who I say I am?” through a three-factor authentication protocol that creates a biometric authentication bridge between the user and their mobile wallet. The cryptographic algorithm that HYPR uses is the same as the digital signature algorithm that the Bitcoin protocol uses. Because of this similarity, future iterations of the HYPR biometric security platform could be used to biometrically validate Bitcoin transactions.

Another company looking to secure Bitcoin transactions is Nymi with their heartbeat-enabled wearable band. The Nymi band can be used to store a user's Bitcoin in a native biometric wallet with the private key tied to a unique ECG biometric signature. I recently demoed the capabilities of the Nymi band at a presentation I gave on the future of biometrics for wearables at the Biometrics 2015 conference in London. I even use the Nymi band to log me into my office computer and have been impressed at how natural it feels to allow me access to my computer.

It is also enabling new ways in which consumers can use traditional payment methods, even cash (still the preferred payment type for many people). Hoyos Labs has developed a smartphone-based biometric authentication solution that aims to reduce the increasing amount of fraud at the ATM, negating the problem of bank card skimming. Their 1U ATM product is a software platform that allows bank customers to access their accounts via ATMs using biometrics on smartphones. There is no need for cards or for the customer to enter in a PIN at the ATM as the entire authentication occurs on the customer’s smartphone.

The Hoyos Labs solution is compatible with existing ATM platforms and does not need any hardware to be installed on the ATMs.

These are just three examples of how the latest biometric solutions are protecting payments and enabling alternative ways in which we can pay for a wide range of goods and services in a variety of payment scenarios; from Bitcoin to the humble bank note.

I explore many more examples of biometric payments, including the rise of the mobile wallet, in an analyst report recently published by Goode Intelligence; "Biometrics for Payments; Payment Security Gets Personal".
 



Wednesday, 9 September 2015

The Top 10 Features for a Modern Authentication Solution

Back in 2009 I wrote an analyst report for Goode Intelligence on the mobile phone as an authentication device. It predicted that the mobile phone would become the prime user authenticator and enable people to securely access digital services delivered across a wide range of endpoints; used as an out-of-band authenticator for web services and as a seamless authentication tool for mobile apps. 

Roll forward to 2015 and these predictions have proved to be pretty accurate. The smartphone has become the remote control of our digital lives with user authentication being one of the main go-to buttons on our remote controls. All of the major authentication platforms are transitioning away from delivering strong authentication through sole-purpose hardware. Traditional stronger authentication technology, such as the smartcard and OTP token, is largely being replaced by smart and agile forms of mobile-based authentication solutions, some of which (Apple's Touch ID biometric authentication technology) are being embedded into mass-market consumer technology. It has never been as easy to deploy strong mobile-based authentication. But which authentication and identity management solution should an organization choose and how should they measure them?

In the years that I have been covering the authentication industry I have worked with my colleagues, both at Goode Intelligence and through our many consultancy engagements, to develop a checklist of where an authentication solution needs to excel in order to be market leading. 

The result of this work has been the recently launched Product Evaluation service that provides an independent analysis of information security products and services, including authentication and identity management solutions. We define that a modern authentication solution should have the following ten features to be successful in meeting the latest demands. These ten features are listed below.


We have used these criteria as part of a product evaluation of the Encap Security Smarter Authentication Platform in a recently published free-to-download report. The evaluation concludes that Encap's mobile-based authentication platform meets the requirements of a modern authentication platform and Goode Intelligence has awarded the product a ‘Highly Commended’ rating (Goode Intelligence’s top rating for Authentication and IAM).



This rating has been awarded as the Smarter Authentication Platform is a highly customizable, adaptive and risk-based platform that meets the needs of highly-scalable connected digital services. It has the ability to be quickly integrated and rolled out to millions of end-users and is available for all smart mobile devices. 

Organizations can apply the same measurement criteria when evaluating authentication and identity management solutions for their own use and Goode Intelligence shall be publishing further product evaluation reports in the coming months to assist organizations in choosing the most appropriate technology for their use.






Thursday, 2 July 2015

A guide for banks in choosing the most appropriate biometric system

Banks are racing ahead in deploying biometric systems in an attempt to control rising levels of financial fraud and to reduce friction on inconvenient forms of authentication and fraud management. 

There are many different competing biometric modalities that banks can implement but what criteria do (or should) they use to ensure that the biometric system is appropriate?

Through Goode Intelligence, I have been involved in a number of consultancy engagements with banks and suppliers to assist them in assessing and choosing the most appropriate biometric system to meet their requirements.

Based on this experience, and engagements with a wide range of biometric and authentication technology companies, we have devised an assessment methodology that banks and systems integrators can use to ensure that the most appropriate biometric system is chosen. 

The Goode Intelligence Banking Biometric System Assessment (BBSA) tool is based on four interlocking parts: biometric performance, usability, regulation and security. It is also applicable to other highly regulated industries including healthcare, government, telecommunications and utilities.


The methodology provides guidance to banks in assessing biometric systems and exactly how a bank weights the assessment criteria is dependent on their own set of circumstances such as budget, security policy, bank channel, regulatory environment and risk and privacy models.

There will obviously be other technical and non-technical assessment criteria that a bank will use including integration, scalability and support models etc. 

Biometric Performance: The assessment of the biometric performance and accuracy of a banking biometric system includes measurement of False Reject Rates (FRR), False Acceptance Rates (FAR) and Failure to Enrol Rates (FER). The accuracy of a banking biometric system is expressed as an Equal Error Rate (EER). It is important to be pragmatic when assessing biometric systems using these standard biometric performance measurements as 'lab conditions' may not match those experienced by a bank's customers when they are using the technology. It is important for a bank to ensure that they can continuously measure the performance of a live biometric system and banks must ensure that their suppliers can meet this requirement.
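As an added illustration (not part of the original post or of the Goode Intelligence BBSA tool), the following Python example computes FAR, FRR, FER and the equal error rate from match scores, then re-measures FRR on live scores at the threshold chosen in the lab. All scores are constructed sample data; it assumes a higher score means a better match and that the live attempts were confirmed genuine by a fallback check.

```python
"""FAR / FRR / FER / EER from biometric match scores (constructed data)."""

# Constructed lab scores: genuine = same person, impostor = different person.
LAB_GENUINE = [0.91, 0.88, 0.95, 0.79, 0.62, 0.85, 0.97, 0.74, 0.55, 0.90]
LAB_IMPOSTOR = [0.12, 0.30, 0.45, 0.58, 0.22, 0.66, 0.35, 0.18, 0.41, 0.27]

# Constructed live scores from customers later confirmed genuine
# (assumption: confirmation came from a fallback authentication step).
LIVE_GENUINE = [0.81, 0.60, 0.72, 0.58, 0.90, 0.49, 0.66, 0.77, 0.61, 0.85]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when attempts scoring >= threshold are accepted."""
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return
    (threshold, EER) at the point where FAR and FRR are closest."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def failure_to_enrol_rate(attempts, failures):
    """Share of enrolment attempts that produced no usable template."""
    if attempts <= 0 or not 0 <= failures <= attempts:
        raise ValueError("invalid enrolment counts")
    return failures / attempts


def live_frr_at_lab_threshold(lab_genuine, lab_impostor, live_genuine):
    """Fix the operating threshold from lab data, then measure how often
    confirmed-genuine live attempts are rejected at that threshold."""
    threshold, eer = equal_error_rate(lab_genuine, lab_impostor)
    _, lab_frr = far_frr(lab_genuine, lab_impostor, threshold)
    live_frr = sum(s < threshold for s in live_genuine) / len(live_genuine)
    return {"threshold": threshold, "lab_eer": eer,
            "lab_frr": lab_frr, "live_frr": live_frr}


if __name__ == "__main__":
    report = live_frr_at_lab_threshold(LAB_GENUINE, LAB_IMPOSTOR, LIVE_GENUINE)
    print("threshold from lab data:", report["threshold"])
    print("lab EER:", report["lab_eer"])
    print("FRR in lab vs live:", report["lab_frr"], report["live_frr"])
    print("FER for 6 failures in 200 enrolments:",
          failure_to_enrol_rate(200, 6))
```

The gap between the lab and live FRR at the same threshold is the kind of drift that continuous measurement of a deployed system is meant to surface.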

Usability: Today’s app-driven world means that getting usability right across a wide-range of devices is essential. What might be an appropriate biometric modality in terms of usability at an ATM might not be appropriate when a bank customer is authenticating themselves via a mobile app or via an Interactive Voice Response (IVR) solution. A pilot or proof-of-concept (POC) provides an opportunity for banks to evaluate a biometric system and different biometric modalities. Financial institutions should build usability measurement into these pilots and POCs and gather feedback from users in reference to how easy the biometric systems are to use. Regional differences also play an important part in the usability choices of a bank; a biometric system that is suitable for one region may be inappropriate for others.

Security: When evaluating a biometric system for banking, banks should ask whether the system is secure and able to meet internal and external (regulatory) security requirements. Biometric systems must adhere to security policy and regulation and biometric data, including templates, should be securely captured, encrypted and stored. 

Regulation: Banking (industry) regulation is the fourth main component of the assessment of a biometric system for bank use. Biometric systems in banking are currently controlled by a mixture of data protection and privacy regulation, such as the EU’s Data Protection legislation, technology-based guidelines including the US’s FFIEC guidance on the use of authentication in an internet environment, and specific financial services regulation including the EU’s Payment Services Directive II (EU PSD II).

We have published more information on our banking biometric system assessment methodology / tool in our recently published report; Biometrics for Banking; Market & Technology Analysis, Adoption Strategies and Forecasts 2015-2020. Goode Intelligence's biometric advisory and consultancy service aims to assist organisations in choosing the most appropriate biometric systems - contact us for more information. 

Friday, 17 April 2015

Biometrics for Banking Gets Going

I was talking with a senior manager responsible for authentication strategy at a leading retail bank recently about their views on biometrics for user authentication and whether they were thinking of adopting it. I remember a similar conversation with the same person in 2013 and remember them declaring that biometrics was simply not a possible solution for them; a combination of hardware and software OTP tokens was still the favoured solution. 

Moving forward two years and there has been quite a turn-around in their perception of biometrics for providing authentication to bank customers when accessing digital banking services. Biometrics is definitely on the agenda for them and they have a number of live and pilot projects that are leveraging biometrics on mobile devices including the support of Apple Touch ID for mobile app authentication. 

So what has changed in two years for them? 

I think the fundamental reason is the need for convenient privacy-aware authentication across a number of banking channels with the emergence of mobile as the prime banking channel (not forgetting the start of a wearable banking strategy). A hardware OTP token works well enough when a bank customer is accessing banking services from a desktop computer at home but simply does not cut it when that same customer is using their mobile phone or calling up their bank using a telephone-based service. These 1980s two-factor authentication technologies are also susceptible to Man-in-the-Middle (MitM) and Phishing/Malware attacks.

This has led banking security professionals to look for alternatives that meet the needs to strongly authenticate across a wide range of existing banking channels. The explosion of FinTech-led financial services has also meant that challenger banks are looking at other innovative ways that customers can interact with their banks; biometric authentication gives them the potential to offer their customers a usable and secure method to protect their financial assets when accessing financial services from a range of endpoints.

The use of integrated fingerprint sensors is just one method of providing convenient banking user authentication and will continue to grow as more devices become available. However, I believe that the solutions will evolve and increasingly incorporate other authentication factors and biometric modalities to provide strong security and convenience. For instance, by combining face and voice in a multi-modal biometric authentication solution that can work across a range of banking channels. USAA's recent deployment of Daon's IdentityX multi-modal mobile authentication platform is a great example of this. 

Depending on the context of the transaction/interaction then you can either use a single modality - voice in an IVR interaction - or a combination of modalities - face and voice for mobile or desktop banking services. The combination of context and security risk will dictate the most-appropriate modality or factor to use.

There has also been a lot of debate as to the choice of biometric architecture that a bank should adopt; device-centric, where the biometric data never leaves the device, or server-centric, where the user enrols their biometric, which is then stored by the financial institution. For verification, the matching is performed on the device for the device-centric model and against a stored template within a network database (Cloud) for the server-centric model. I think that both models have their merits. I believe that the decision to adopt one over the other (and there will be scenarios where a mixture of both will be adopted) will be driven by a combination of privacy/trust requirements and specific business drivers (some of which will be moulded by culture decisions, i.e. availability of a national biometric database).

For on-device biometric authentication services, I believe that the best approach that meets privacy and trust requirements is to utilise embedded security within mobile devices; Secure Enclave for iOS and TrustZone in ARM-based devices. A great example of this is voice biometric specialist AGNITiO's KIVOX Mobile solution that leverages TrustZone embedded hardware security using a FIDO-Ready implementation developed by Nok Nok Labs. In this model, the bank customer would enrol their biometric voice print on their smart mobile device and then be able to access mobile banking services securely using their voice for authentication. AGNITiO also support the server-centric and IVR-based models ticking the boxes to support multi-channel banking. 

Apple's Touch ID has certainly changed the perceptions of the decision makers in banking security, allowing biometrics to be a serious contender in providing authentication for banking services. There is also a role that biometrics could play in reducing the amount of fraud that is occurring for Apple Pay. There seems to be no problem with Apple's biometric authentication services itself, rather a problem with the card activation (provisioning) process that allows fraudsters to enrol stolen credit cards into Apple Pay and then cash out by purchasing thousands of dollars' worth of Apple kit in-store. Biometrics could close this loophole by allowing the card issuer to validate a legitimate card and its owner using an enrolled voice biometric. Tied in with the card issuer's fraud management system, a customer who was attempting to enrol a credit card into Apple Pay would receive an automated voice call that could verify the legitimacy of the card holder by verifying an enrolled biometric voice print. I don't feel that it would add much friction to the process and it would have the positive result of reducing this type of credit card fraud.

I expect to see a lot of innovation in this space where bank-controlled multi-modal biometrics will complement integrated mobile biometric solutions that have been deployed by the mobile OEM to enable customers to securely access full-banking services from a wide variety of end points.




Friday, 6 March 2015

Sensory Overload at Mobile World Congress 2015

I had a serious case of sensory overload whilst at Mobile World Congress (MWC) in Barcelona earlier this week. I was lucky enough to attend the annual mobilefest as a GSMA Global Mobile Awards Judge. Congratulations to Samsung's Knox Workspace solution for winning the Best Security / Anti-fraud product or solution category.

The world's largest mobile show has morphed into a serious CES competitor. It no longer showcases purely mobile technology but now has everything from wearables, virtual reality headsets, connected cars, home automation devices and even smart toothbrushes. This is because the smartphone has become the remote control and smart hub of our lives - the prime device for all of our digital interactions. As such, proving identity on mobile devices has become an essential building block for enabling our ability to securely transact and communicate. 

Biometrics is quickly becoming an essential component for strong and convenient authentication on smart mobile and wearable devices and this was very much in evidence at MWC during my visit. 

I cannot mention all of the biometric technologies that were being showcased at MWC 2015 as it would take me an age (it is an indication of how strong the appetite is to integrate biometrics onto mobile and wearable devices). What I can do is to give you a flavour of what I was able to see and brief thoughts on what I think of them.

I met up with Fingerprint Cards (FPC) who were showcasing their latest generation of small area size touch capacitive fingerprint sensors. Along with Synaptics, they are one of the few fingerprint sensor manufacturers to be actually integrated into the current crop of smartphones and phablets. Their latest touch sensors are available in a variety of form factors and meet the needs of mobile OEMs who want choice in how they integrate the sensor; either in the home button, at the front of a smartphone, at the rear below the camera or even in the side of the device. I was particularly impressed at the sensor located on the side of a smartphone; it felt natural to use and even doubled up as a slide volume controller.

The mobile fingerprint sensor sector is really heating up with competition from manufacturers all over the world, from China, Taiwan, Korea and Norway. I am also seeing potential disruption from a couple of US-based sensor designers who are using ultrasound technology to create a 3D fingerprint image for authentication. I witnessed the demonstration of Qualcomm's Snapdragon Sense ID ultrasonic 3D fingerprint sensor and believe that it could offer a realistic challenge to the current crop of optical and capacitive sensors. Qualcomm claim to have devices with the Sense ID being shipped Q3 2015. A competitor to the Qualcomm ultrasonic sensor is Florida-based Sonavation, who were not at MWC 2015 but whom I spoke with recently. I am looking forward to meeting them and finding out more about their technology whilst speaking at the Connect ID conference in Washington later this month.

Fingerprint biometrics has been the dominant modality for mobile integration so far but my belief is that they will be joined by other technologies; either directly competing against or being combined as part of a multi-modal implementation. Evidence of this trend was on show at MWC 2015 with announcements from EyeVerify, whose Eye Vein technology was being integrated onto the latest ZTE smart mobile device, the ZTE Grand S3. I had a demo of EyeVerify's Eyeprint ID on the ZTE stand and was impressed at its accuracy and performance. The majority of phones now being shipped have a front-facing camera that is good-enough to support EyeVerify's technology which means that you are not reliant on the mobile OEM to integrate a dedicated biometric sensor. 

Voice is another modality that is successfully being integrated into mobile devices for authentication and I met up with one of the leading vendors in this space, Agnitio. They were showcasing the latest version of their KIVOX Mobile solution, 5.0. Voice can have a problem with replay and spoofing but Agnitio's solution has built-in anti-spoofing features that prevent these types of attack. Being one of the first members of the FIDO Alliance means that their device-centric (strong privacy) model ensures that voice templates never leave the device. The solution can also support natural-speech modes meaning that the user interaction for authentication is as natural and frictionless as possible. 

The ability to securely store biometric data on a smart mobile device is an essential facet of trust for the biometric authentication system. Trustonic leverages a device's in-built Trusted Execution Environment (TEE) (based on ARM's TrustZone architecture) to allow sensitive biometric data to be stored. It also supports secure execution of any biometric functions away from the more open (and easily accessible) parts of the device's operating system. I met up with this UK-based company who walked me through the company's Developer Program; an initiative that supports service providers and authentication vendors by allowing them to create mobile apps that utilise the TEE in supporting devices.

Another year over at MWC and another trip to my local shoe repairer to get the soles of my shoes replaced. Hopefully they will be in good working order for Connect ID in Washington later this month and another monster show in late April - RSA Conference 2015. The authentication and identity revolution gathers pace and I am excited to be a part of it.











Monday, 2 February 2015

The Impact of Privacy and Data Protection Legislation on Biometric Authentication

As more and more biometric solutions are deployed to mainstream digital services, questions surrounding the privacy and security implications of biometrics are increasingly being asked.

With the growth of biometric technology and its expansion on to consumer digital services, privacy and security concerns are correspondingly growing.

As biometric data is being captured and stored on a wide range of smart mobile devices (SMDs) including Apple’s iPhone and iPad, Samsung Galaxy and Huawei smartphones, or stored in cloud-based biometric databases there are inevitably questions as to how this incredibly personal data of ours is being protected.  

There is much debate about the relative merits of these two trust models; is the device-centric approach that Apple and FIDO employed too restrictive a model? And can I trust the security of a database (cloud-based) biometric solution?

How, and where, is my biometric data being stored? Who has access to it? How well is it protected? When I enrol my fingerprint on my smartphone, is it stored in secure hardware and does it ever leave the security enclave? What legislation and regulation is in place to cover the privacy and security aspects of biometric technology?

These are all valid questions that citizens, service providers, biometric technology vendors, governments and hardware manufacturers need to answer.

Regulation is still playing catch-up with the proliferation of biometric authentication and identity systems, and in many regions there is little control over how biometric data is captured, stored and accessed. This is an alarming situation.

In a number of regions, including the European Union (EU), biometric data is beginning to be considered as personal data and, as such, is governed by data protection and privacy legislation.

In the case of the EU, protection of privacy and personal data is covered by the Data Protection Directive of 1995 (officially Directive 95/46/EC). The directive relates to the protection of individuals with regard to the processing of personal data and on the free movement of such data.

In April 2012, the Article 29 Working Party issued an ‘Opinion’ on biometric technologies with particular attention to fingerprints, vein patterns, facial, voice recognition, DNA and signature biometrics.[1] The Opinion aims to provide a framework of recommendations and guidelines for the implementation of data protection rules in biometric applications.

The Opinion has a number of recommendations (legal and technical) related to biometric data. These include suggestions on user consent, contract and the concept of “privacy by design” for biometric systems.

In other regions including Australia, Canada and the USA, there is federal and state data protection legislation that could be applied to biometric data but nothing specific (although there have been attempts to integrate biometric data into general data protection legislation in Australia).

In addition to federal and state data protection legislation there must be specific regulation and guidelines from a sector perspective. The financial services market is one sector that has a decent track record on data protection and identity (including authentication) matters and there are references in the EU’s Payment Services Directive II. The Payment Services Directive II regulates payment services and payment service providers such as banks within the EU and recommends “various due diligence procedures in regard to the safety of personalised security features of payment authentication instruments.”

The new Directive on Payment Services II, which might possibly be approved in 2015, suggests that a biometric authentication system is deemed secure and advisable. The Directive recommends the use of ‘strong user authentication’, which is defined by the European Central Bank (ECB) in its “Recommendations for the security of internet payments” document.[2] The report defines strong user authentication as “a procedure based on the use of two or more of the following elements – categorised as knowledge, ownership and inherence: (i) something only the user knows, e.g. static password, code, personal identification number; (ii) something only the user possesses, e.g. token, smart card, mobile phone; (iii) something the user is, e.g. biometric characteristic, such as a fingerprint”.

Fingerprint biometric authentication has been one of the fastest growing authentication technologies ever, offering a convenient method for authenticating users, especially on smart mobile devices. It is not the only biometric method that will gain widespread adoption. I am a big fan of behavioral biometrics, especially for financial services, as it fits well into existing anti-fraud and risk management solutions that are often used by financial companies. It can also complement existing authentication and biometric authentication solutions in enabling service providers to have a much more accurate mechanism of proving that a particular device or web session is actually being used by the legitimate user, rather than being in the hands of a fraudster.

Behavioral biometrics is based on a behavioral trait of an individual and includes how individuals uniquely interact with a device – be it a smartphone or a laptop accessing a website. Behavioral traits include keystrokes and interactions with a touchscreen.

Goode Intelligence has just published a white paper, commissioned by behavioral biometrics specialist BehavioSec, investigating the impact of privacy and data protection legislation on biometric authentication, and it is available free to download here.

As always, I welcome your thoughts and opinion on this blog and on the contents of the white paper.







[1] Opinion 3/2012 on developments in biometric technologies, 0072012/EN/WP193, 27/04/2014, Article 29 Data protection Working Party: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp193_en.pdf