Friday, 6 March 2015

Sensory Overload at Mobile World Congress 2015

I had a serious case of sensory overload whilst at Mobile World Congress (MWC) in Barcelona earlier this week. I was lucky enough to attend the annual mobilefest as a GSMA Global Mobile Awards Judge. Congratulations to Samsung's Knox Workspace solution for winning the Best Security / Anti-fraud product or solution category.

The world's largest mobile show has morphed into a serious CES competitor. It no longer showcases purely mobile technology but now has everything from wearables, virtual reality headsets, connected cars, home automation devices and even smart toothbrushes. This is because the smartphone has become the remote control and smart hub of our lives - the prime device for all of our digital interactions. As such, proving identity on mobile devices has become an essential building block for enabling our ability to securely transact and communicate. 

Biometrics is quickly becoming an essential component for strong and convenient authentication on smart mobile and wearable devices and this was very much in evidence at MWC during my visit. 

I cannot mention all of the biometric technologies that were being showcased at MWC 2015 as it would take me an age (it is an indication of how strong the appetite is to integrate biometrics onto mobile and wearable devices). What I can do is to give you a flavour of what I was able to see and brief thoughts on what I think of them.

I met up with Fingerprint Cards (FPC) who were showcasing their latest generation of small area size touch capacitive fingerprint sensors. Along with Synaptics, they are one of the few fingerprint sensor manufacturers to be actually integrated into the current crop of smartphones and phablets. Their latest touch sensors are available in a variety of form factors and meet the needs of mobile OEMs who want choice in how they integrate the sensor; either in the home button, at the front of a smartphone, at the rear below the camera or even in the side of the device. I was particularly impressed at the sensor located on the side of a smartphone; it felt natural to use and even doubled up as slide volume controller. 

The mobile fingerprint sensor sector is really heating up with competition from manufacturers all over the world, from China, Taiwan, Korea and Norway. I am also seeing potential disruption from a couple of US-based sensor designers who are using ultrasound technology to create a 3D fingerprint image for authentication. I witnessed the demonstration of Qualcomm's Snapdragon Sense ID ultrasonic 3D fingerprint sensor and believe that it could offer a realistic challenge to the current crop of optical and capacitive sensors. Qualcomm claim to have devices with the Sense ID being shipped Q3 2015. A competitor to the Qualcomm ultrasonic sensor is Florida-based Sonavation, who were not at MWC 2015 but whom I spoke with recently. I am looking forward in meeting them and finding out more about their technology whilst speaking at the Connect ID conference in Washington later this month.  

Fingerprint biometrics has been the dominant modality for mobile integration so far but my belief is that they will be joined by other technologies; either directly competing against or being combined as part of a multi-modal implementation. Evidence of this trend was on show at MWC 2015 with announcements from EyeVerify, whose Eye Vein technology was being integrated onto the latest ZTE smart mobile device, the ZTE Grand S3. I had a demo of EyeVerify's Eyeprint ID on the ZTE stand and was impressed at its accuracy and performance. The majority of phones now being shipped have a front-facing camera that is good-enough to support EyeVerify's technology which means that you are not reliant on the mobile OEM to integrate a dedicated biometric sensor. 

Voice is another modality that is successfully being integrated into mobile devices for authentication and I met up with one of the leading vendors in this space, Agnitio. They were showcasing the latest version of their KIVOX Mobile solution, 5.0. Voice can have a problem with replay and spoofing but Agnitio's solution has built-in anti-spoofing features that prevent these types of attack. Being one of the first members of the FIDO Alliance means that their device-centric (strong privacy) model ensures that voice templates never leave the device. The solution can also support natural-speech modes meaning that the user interaction for authentication is as natural and frictionless as possible. 

The ability to securely store biometric data on a smart mobile device is an essential facet of trust for the biometric authentication system. Trustonic leverages a device's in-built Trusted Execution Environment (TEE) (based on ARMs Trustzone architecture) to allow sensitive biometric data to be stored. It also supports secure execution of any biometric functions away from the more open (and easily accessible) parts of the device's operating system. I met up with this UK-based company who walked me through the company's Developer Program; an initiative that supports service providers and authentication vendors by allowing them to create mobile apps that utilise the TEE in supporting devices. 

Another year over at MWC and another trip to my local shoe repairer to get the soles of my shoes replaced. Hopefully they will be in good working order for Connect ID in Washington later this month and another monster show in late April - RSA Conference 2015. The authentication and identity revolution gathers pace and I am excited to be a part of it.

Monday, 2 February 2015

The Impact of Privacy and Data Protection Legislation on Biometric Authentication

As more and more biometric solutions are deployed to mainstream digital services, questions surrounding the privacy and security implications of biometrics are increasingly being asked.

With the growth of biometric technology and its expansion on to consumer digital services, privacy and security concerns are correspondingly growing.

As biometric data is being captured and stored on a wide range of smart mobile devices (SMDs) including Apple’s iPhone and iPad, Samsung Galaxy and Huawei smartphones, or stored in cloud-based biometric databases there are inevitably questions as to how this incredibly personal data of ours is being protected.  

There is much debate about the relative merits of these two trust models; is the device-centric approach that Apple and FIDO employed too restrictive a model? And can I trust the security of a database (cloud-based) biometric solution?

How, and where, is my biometric data being stored? Who has access to it? How well is it protected? When I enrol my fingerprint on my smartphone, is it stored in secure hardware and does it ever leave the security enclave? What legislation and regulation is in place to cover the privacy and security aspects of biometric technology?

These are all valid questions that citizens, service providers, biometric technology vendors, governments and hardware manufacturers need to answer.

Regulation is still playing catch up with the proliferation of biometric authentication and identity systems and in many regions there is little control on how biometric data is captured, stored and accessed. This is an alarming situation.

In a number of regions including the European Union (EU), biometric data is beginning to be considered as personal data and as such, is governed by data protection and privacy legislation.

In the case of the EU, protection of privacy and personal data is covered by the Data Protection Directive of 1995 (officially Directive 95/46/EC). The directive relates to the protection of individuals with regard to the processing of personal data and on the free movement of such data.

In April 2012, the Article 29 Working Party issued an ‘Opinion’ in biometric technologies with particular attention to fingerprints, vein patterns, facial, voice recognition, DNA and signature biometrics.[1] The Opinion aims to provide a framework of recommendations and guidelines for the implementation of data protection rules in biometric applications.

The Opinion has a number of recommendations (legal and technical) related to biometric data. These include suggestions on user consent, contract and the concept of “privacy by design” for biometric systems.

In other regions including Australia, Canada and the USA, there is federal and state data protection legislation that could be applied to biometric data but nothing specific (although there have been attempts to integrate biometric data into general data protection legislation in Australia).

In addition to federal and state data protection legislation there must be specific regulation and guidelines from a sector perspective. The financial services market is one sector that has a decent track record on data protection and identity (including authentication) matters and there are references in the EU’s Payment Services Directive II. The Payment Service Directive II regulates payment services and payment service providers such as banks within the EU and recommends “various due diligence procedures in regard to the safety of personalised security features of payment authentication instruments.”

The new Directive on Payment Services II which might possibly be approved in 2015 suggests that a biometric authentication system is deemed secure and advisable. The Directive recommends the use of `strong user authentication’ which is defined by the European Central Bank (ECB) in its “Recommendations for the security of internet payments” document.[2] The report defines strong user authentication as “a procedure based on the use of two or more of the following elements– categorised as knowledge, ownership and inherence: (i) something only the user knows, e.g. static password, code, personal identification number; (ii) something only the user possesses, e.g. token, smart card, mobile phone; (iii) something the user is, e.g. biometric characteristic, such as a fingerprint".

Fingerprint biometric authentication has been one of the fastest growing authentication technologies ever, offering a convenient method for authenticating users especially on smart mobile devices. It is not the only biometric method that will gain widespread adoption. I am a big fan of behavioral biometrics, especially for financial services as it fits well into existing anti-fraud and risk management solutions that are often used by financial companies. It can also complement existing authentication and biometric authentication solutions in enabling service providers to have a much more accurate mechanism of proving that a particular device or web session is actually being used by the legitimate user; rather than in the hands of a fraudster. 

Behavioral biometrics is based on a behavioral trait of an individual and includes how individuals uniquely interact with a device – be it a smartphone or a laptop accessing a website. Behavioral traits include keystrokes and interactions with a touchscreen.

Goode Intelligence has just published a white paper commissioned by behavioral biometrics specialist, BehavioSec investigating the impact of privacy and data protection legislation on biometric authentication and it is available free to download here.

As always, I welcome your thoughts and opinion on this blog and on the contents of the white paper.

[1] Opinion 3/2012 on developments in biometric technologies, 0072012/EN/WP193, 27/04/2014, Article 29 Data protection Working Party:

Thursday, 6 November 2014

Moving from what I carry to what I wear - wearable technology brings biometric authentication closer to us

Biometrics has been creating a tremendous amount of buzz this week at two separate shows, one in Paris - CARTES 2014 - the other in Las Vegas - Money 20/20. Innovative biometric technology vendors such as EyeVerify (Eye Vein) and Agnitio (Voice) have been demonstrating how their respective technologies can bring convenient user authentication to smart mobile devices for a wide range of use cases including banking and payments.

The financial services industry is increasingly turning to biometric technology to solve a number of problems including how to conveniently authenticate mobile banking and payment customers and how to add strong authentication to previously un-authenticated contactless payments (both card and mobile) at the physical point of sale without adding friction to a currently speedy process. The latter point would enable higher value transactions to be supported when using contactless technology - currently shoppers are restricted to around $20,00 per transaction. Zwipe, a biometric card technology company, is partnering with MasterCard to extend its trial for fingerprint biometric authenticated payments for contactless payments. It also solves the problem of what if I lose a contactless payment or transit card that doesn't authenticate people when they use them.

MasterCard is also partnering with another innovative technology company in Canada, They are teaming with the Royal Bank of Canada (RBC) and Bionym, the company behind the Nymi electrocardiogram (ECG) band, to test  electrocardiogram-authenticated payments by the end of this year. The use of wearable devices for biometric authentication is set to rapidly expand over the next five-to-six years. Not only will you have sole-purpose wearables (like the Nymi), being used for biometric authentication purposes but biometric sensors and software technology will also be integrated into consumer wearable technology to sit alongside health and lifestyle applications. The creation of biometric platforms and freely available APIs will accelerate the integration of biometrics technology into a wide range of wearable technology.

The ability to leverage multiple sensors that are continuously collecting biometric data from us will revolutionize how humans are identified to a wide range of digital services and led to synergies between physical and cyber worlds. From opening up my front door and locking my car to waking up my desktop and authorising a wire transfer (BTW I am not a techno-utopian - I know that it will be extremely difficult to have the one digital identity on the single device that can be asserted across all of my connected devices and assets).

Instead of people typing in a remembered PIN, password or OTP generated by a hardware token, their identity shall be presented to connected devices through a combination of biometric data and behavioural analysis. Instead of presenting a finger to unlock an iPhone or to make a payment using a biometric card, wearable devices allow continuous biometric feedback from its owner - something that could be very powerful and potentially much more difficult to spoof or hack. It also becomes hygiene - I know that it is there and I know that it is keeping my digital and physical assets safe and secure but it is definitely not obtrusive and annoying like remembering where I put my token or unlocking my personal safe to get hold of my bulky black book of passwords (that is getting thicker and tattier by the day).

These trends are happening at an incredible pace and as a result I have decided to update a report I wrote originally published in June 2014. The report, "mobile and wearable biometric authentication market analysis and forecasts 2014-2019" has been updated with revised forecasts for wearable biometrics authentication users and reflects new market activity such as Apple Pay. The report forecasts that by 2019 there will be 604 million users of wearable biometric authentication solutions.

If you want to know more about this research or talk to me about this blog then I would love to hear from you. Contact me through the website

Thanks for reading. Alan

Tuesday, 28 October 2014

The role of the Mobile Network Operator in Authentication Services

In previous posts, I have talked about the need to deliver agile authentication services that are convenient to use and address the needs for proving identity across a wide range of services from a variety of endpoints.

Legacy authentication solutions, especially passwords, are continually proving to be both inconvenient and insecure for both consumers and employees – although the lines between the two are being eroded.

Thankfully, a combination of factors including the development and deployment of open standards,  including OpenID Connect, SAML and FIDO, and the creation of innovative mobile-based  authentication technology, including biometrics, are moving us away from a reliance on legacy authentication solutions. Authentication solutions that allow people to authenticate once with the touch of a finger.

PayPal’s FIDO-enabled biometric authentication solution on Samsung devices and Apple’s Touch ID solution is paving the way for wide-scale adoption of convenient user-centric authentication and getting people used to new methods of proving their identity for digital services.

These services are just the tip of the iceberg in terms of the potential for next generation mobile authentication services and I believe that Mobile Network Operators (MNOs) can play an important role in the new authentication landscape as they logical owners of authentication services in an era where accessing the internet is increasingly being made from mobile devices.

MNOs have long standing relationships with millions of consumers around the world and are considered to be trusted organisations that know how to deliver secure consumer-focused services. 

By owning and managing one of the trusted building blocks of mobile communication, the SIM, MNOs have a part to play in the delivery of authentication services to billions of mobile phone subscribers around the world.

I have just completed a piece of work, commissioned by Nok Nok Labs, that details the important role of Mobile Network Operators in delivering the latest agile authentication solutions. You can download the white paper from the Goode Intelligence website here.

I am also taking part in an online webinar organised by Nok Nok Labs to discuss this research on 4th November 2014 at 16:00 GMT. You can sign up to the webinar here.

Thanks for reading. 

Friday, 19 September 2014

Payments drives consumer biometrics and the push for enterprise

I was fortunate to be out in Washington DC last week (8-11 September) speaking at an RSA Global Summit on the future of authentication and presenting my research on mobile and wearable biometric authentication.

The Summit coincided with Apple's latest product launch on the 9th September and I was able to catch up with the announcements during a couple of breaks - unfortunately not aided by Apple's live streaming debacle that was at times verging on the ridiculous. (I particularly enjoyed the Chinese commentary and some severe editing that left out much of what Cook was saying. I got the applause but not the reason for the applause - perhaps that was Apple's corporate comms team in charge of editing?)

As well as a number of new hardware launches including bigger bolder iPhones and a watch....(will it support biometrics for authentication?). We saw Apple make a push into payments with 'Apple Pay'; using the Touch ID fingerprint system to provide authentication for payments (both online and physical). I have been watching Apple create the building blocks for this payment solution over the last couple years - Passcode, iBeacon, Passbook, Touch ID, Secure Enclave and finally NFC. Nice to see the finished solution.

As I said in a couple of interviews with the press last week, what Apple has done is not revolutionary; what it has successfully done is to cement a number of emerging technologies into a usable solution. This is backed by strategic partnerships with the world's largest retail payment  providers and links over 800 million global iTunes users to a mobile payments solution. And from a biometric authentication point of view, with Touch ID, it offers quite possibly the best user experience and the highest penetration of available mobile devices - a frictionless payment tool in a sleek piece of metal and glass. It will be interesting to see how it links other features such as loyalty, social and coupons to the payment app to make it any more appealing than using a plastic card - the value is not in the payment transaction per se.

By also opening up the Touch ID environment to third parties (Touch ID API) it allows other service providers (including financial services providers) to take advantage of this frictionless authentication solution. We have already seen announcements from MINT and Simple bank that they are utilising Touch ID for their mobile banking apps plus a proof of concept from Nok Nok Labs with a FIDO Ready solution. I expect that we will see many more announcements as the devices start to get in the hands of consumers (there is apparently pent-up demand for the latest iPhone from 4S and 5 users wanting to upgrade).

It is quite possible that the trend of Bring Your Own Identity (BYOI) may be accelerated as a result of Apple's Touch ID solution. All a service provider need do is to build an app that uses the Touch ID API and that's my authentication sorted - right?

Talking of FIDO, this year has also seen the world's two largest Internet payment companies, PayPal and Alipay adopt FIDO standards (through Nok Nok Lab's S3 Authentication Suite) to leverage mobile-based fingerprint sensors to provide the prime authentication solution for mobile payments (where the device obviously supports it).

Payments is definitely driving consumer biometrics.

So what about the enterprise? Are they ready to embrace BYOI and adopt authentication solutions for their employees and business partners? I think the answer is a guarded yes but it may take some time.

My time spent at the RSA Global Summit last week in DC was very informative in listening to the thoughts and opinions of enterprise users. Consumer is definitely driving innovation in authentication and this is taking its time to trickle down into the enterprise. In the main, they have BYOI and consumer-based mobile biometric authentication technology on their radar but also need some assurances that the trust, privacy and security models (there is obvious overlap between these three) employed by mobile device OEMs (including Apple, Samsung and Huawei) is good enough to meet security policy and industry regulation.

FIDO can help; by creating a user authentication standard fit for a modern connected world, ratified by some of the world's leading technology companies and service providers, organisations and end users can have a higher level of assurance that trust, privacy and security demands are met. FIDO has real positives in the 'first mile' of authentication but also needs connections to subsequent miles of the authentication and authorisation journey.

Enterprise users in particular demand comprehensive and integrated authentication solutions that combine convenient user authentication (probably on a mobile or wearable device) with other associated risk and security solutions including single sign on/federation, risk based authentication and risk management, business aware authorisation that is context aware and threat intelligence/threat analytics, That's potentially a lot of integration work!

Please free to leave a comment on this blog - I am always interested in receiving feedback and openly discussing this fascinating topic.

Thank you, Alan.

Thursday, 5 June 2014

Touch ID - The Cornerstone of Apple's Authentication Framework

This is an extract from an upcoming Goode Intelligence Analyst Report entitled "Mobile & Wearable Biometrics for Authentication Applications"

Apple caught much of the analyst and biometric community by surprise with the announcement that it was to open up its Touch ID fingerprint biometric environment to third-parties using an API at its annual developer conference, WWDC2014, on 1 June 2014.

Apple announced that once iOS 8 launches (possibly September or October 2014) third party developers will be able to access the Touch ID environment and leverage the benefits of mobile fingerprint biometrics.

During the presentation given by Apple's SVP Craig Federighi, Apple referenced Touch ID being used to authenticate into a personal financial application called Mint.

Apple’s Touch ID Local Authentication Framework (LocalAuthentication.framework) will enable third-party app developers to make use of Touch ID and benefit from its convenient personal authentication features.

Touch ID has been a great success for Apple; Apple also announced some stats for its Passcode phone unlock feature at WWDC. 83 percent of users were turning on the Passcode phone lock feature compared with 49 percent of general iOS users. That equates to millions more iOS devices being protected against unauthorised access and a great deterrent to theft.

Apple has been steadily building up its product and software portfolio to offer a wide range of connected services and it appears that they intend to use Touch ID as the foundation for identity verification on the Apple ecosystem.

I believe that Touch ID will be used to authenticate in the following scenarios (some of these are available now and some are predictions):
  • To replace the PIN for Passcode (device unlock)
  • To provide authentication for Apple ID (iTunes purchases)
  • To verify identity for an Apple payments product (both for online and physical store purchases)
  • To provide authentication for Apple’s CarPlay in-car service
  • To verify identity for Apple’s mobile healthcare solution “Healthkit”
  • To provide authentication for Apple’s connected home solution “Homekit"
    • This includes  the ‘Secure Pairing’ feature where only authorised users can unlock a home door or change the temperature of a room via a smart thermostat
Apple’s vision is to merge the logical and physical worlds using an iDevice (iPhone, iPad or even iWatch) as the smart controller with Touch ID providing convenient biometric authentication for this uber connected world. 

Wednesday, 16 April 2014

The Samsung Galaxy S5 fingerprint sensor has been spoofed - what can be done to prevent it

With the recent news that researchers from SR Labs in Germany have successfully fooled (spoofed) the Samsung Galaxy S5's integrated fingerprint sensor; allowing unauthorised access to the device and the ability to make payments using the PayPal app, there are questions as to how secure fingerprint biometrics are for authentication. These questions are justified. 

An authentication solution can be convenient but it must also be secure.  

A fingerprint biometric can be more convenient than using a PIN or password especially on a mobile phone. By touching or swiping a finger over a sensor a person can quickly unlock a device, gain access to an account or make a payment. However, if the sensor can be easily fooled than the solution is fundamentally flawed. 

The key point in my last sentence was "easily fooled". Attacks on fingerprint biometric systems are relatively difficult to carry out. As Marc Rogers from Lookout Mobile Security pointed out in his blog from last year -  "Why I hacked Apple's Touch ID and still think its awesome" - an attacker needs access to the device and then use a lot of kit to physically create the fake fingerprint. As Rogers stated this can be "tricky" and probably not within the reach of your average street thief. However, with the right equipment and a little ingenuity it can be done. 

So what can be done to ensure we benefit from the convenience of biometric authentication on mobile devices but also have a level of assurance that the solution is difficult to spoof and attack? 

One solution is to improve the anti-spoofing solutions within the biometric system. NexID Biometrics develops spoof mitigation and liveness detection solutions including its Mobile Live Finger Detection (LFD) software. The company claims that the solution can help ensure that the fingerprint system is not spoofed and states that authentication accuracy is as high as 94-97 percent. 

I spoke with NexID Biometrics' COO, Mark Cornett, to get his views on this and he said; "While Apple validated the convenience of fingerprint authentication on mobile devices, the spoof of the iPhone 5S should have sent a signal to other device manufacturers that while providing users with convenient authentication, the current level of security is vulnerable to spoofing. The layers of security for unlocking mobile devices and their applications needs to be stronger to properly meet the needs of users, and facilitators of mobile commerce and BYOD policies. Now that the two largest distributors of mobile devices in the world have had their solutions spoofed, they will hopefully add liveness detection solutions to mitigate this vulnerability and thereby instil confidence in the use of mobile device fingerprint authentication."

As well as anti-spoofing and liveness detection solutions there are other tools that can be deployed to improve the security of these emerging authentication solutions. This include combining biometric authentication with other factors as part of a multi-factor authentication solution - especially useful for step-up verification where a highly level of user assurance is required. 

I am a big fan of behavioural, or gesture, biometrics where the device learns about how a specific user engages with their mobile device to create a profile that can be used as part of a risk-based authentication solution. By combining behavioural biometrics with fingerprint authentication a greater level of trust in who is actually using the device can be created. And when an unauthorised user attempts to spoof the system by using a gummy bear or wood glue mould then the authentication service can request for another level of authentication to ensure that it is the valid owner of the phone and service. The link between the end user authentication client and cloud-based risk-based (anti-fraud) solutions, especially in financial services, cannot be underestimated. 

There are ways in which you can improve the security of mobile-based biometric authentication solutions and deter the type of spoofing attack that has been witnessed with the Samsung Galaxy S5 - I have just touched the surface in what is possible. 

However, an enhancement to the security of the biometric solution should not come at the expense of convenience and usability. 

Mobile device manufacturers and service providers are turning to biometrics because they can enhance the usability of the authentication experience - this must not be altered.