Thursday, 14 July 2016

Will Brexit affect PSD2's Strong Customer Authentication Requirements?

There is no doubting that Brexit is having a profound effect on the UK, and ripples of disruption have been felt around the world as a result of the UK's decision to leave the EU.

I have written extensively on EU and EC legislation and its impact on a number of cyber security matters including mobile security, identity, authentication and biometrics. 

Recent research has investigated the impact of PSD2 on security; in particular the impact on how payment service providers (PSPs) manage customer authentication.

To summarise the main objectives of PSD2:

  • Contribute to a more integrated and efficient European payments market
  • Improve the level playing field for payment service providers (PSPs), including new players
  • Make payments safer and more secure
  • Protect consumers
  • Encourage lower prices for payments

The European Parliament adopted PSD2 in October 2015 and EU member states have two years in which to implement the new procedures. The EC states that there is a different date of application for the new security measures, including Strong Customer Authentication (SCA) and standards for secure communication. This is subject to the adoption of the regulatory technical standards which are being developed by the European Banking Authority (EBA) and adopted by the EC. It is anticipated that the new security measures shall apply 18 months after the adoption of the standards by the EC.

PSD2 provides rules for payment security and customer authentication, concentrating on protecting consumers when paying on the internet. 

PSD2 applies to all payment service providers (PSPs) operating in the EU, including banks, payment institutions or third party providers (TPPs), and relates to all electronic means of payment.

The EC defines SCA as a process that “validates the identity of the user of a payment service or of the payment transaction”.

SCA is based on the use of two or more elements:
  1. Knowledge - something only the user knows, e.g. a password or a PIN
  2. Possession - something only the user possesses, e.g. a card or an authentication code (OTP) generating device
  3. Inherence - something the user is, e.g. a biometric authenticator such as fingerprint, voice or eye-print
PSD2 states that these elements have to be independent of each other, meaning that if one element is breached or compromised then this does not compromise the “reliability” of the others. The design of the authentication solution must also protect the confidentiality of the authentication data or identity credentials.

As the UK has voted to exit the EU, will this mean that UK banks and PSPs will not be bound to comply with these regulations (and in fact other EU legislation)? This is a difficult question to answer as the exact nature of the UK's exit, and what exactly will be negotiated once the UK triggers Article 50, is still very much up in the air. What I think will happen is this:
  • UK banks and PSPs that have functions in the EU will have to comply with PSD2 - it also makes competitive sense to support PSD2
  • PSD2's authentication requirements are pretty-much the basic requirements for supporting strong customer authentication and it makes common sense to support them especially some of the risk-based authentication services that enable lower-risk payment transactions to be exempt from strong customer authentication
  • Some UK retail banks are owned by European organisations who will want to have a common strategy for customer authentication that supports PSD2
As the UK's ex-Prime Minister Harold Wilson said in the 1960s, "A week is a long time in politics", and I am sure that there will be much debate over the coming months and years about the relevance of EU legislation to the UK. If you are a UK bank and have started projects to ensure compliance with PSD2 then I am pretty sure that these will not be halted as a result of Brexit.

Please let me know your thoughts by commenting on this blog. Thank you, and remember that in the global economy no nation is an island!

You can download the Goode Intelligence White Paper "The impact of PSD2 on authentication and security" from here.

Thursday, 7 July 2016

The Future of Mobile Security

Mobility is the new normal for enterprise users. With forecasts from the GSMA predicting that 80 percent of adults on earth will have a smartphone by 2020, these always-connected and always-on devices are the most popular personal computer in history.

The use of smart mobile devices (smart phones and tablets running mobile platforms such as Apple iOS and Google Android) in the enterprise is rising rapidly each year. Figures from Citrix indicate that the number of smart mobile devices (SMD) managed in the enterprise increased by 72 percent from 2014 to 2015.

What is surprising, however, is that the enterprise is not fully embracing mobile. Whether it is an employee-owned Android smartphone or a company-issued and controlled iPhone, productivity-enhancing enterprise services are still relatively scarce within the enterprise. Outside of email and calendar applications there are relatively few examples of enterprise mobile apps. This differs from the current situation with consumer adoption of mobile, where it dominates social, financial services, commerce and entertainment.

So why is this? In the latest white paper from Goode Intelligence, the issues facing the enterprise in delivering services to mobile are explored. The report finds that a mixture of technology constraints, security concerns, compliance with regulation and privacy law is restricting mobile enterprise services.

Enterprises do face a challenge in making productivity-enhancing applications available through smart mobile devices, but there are ways in which they can combine the convenience of mobility with strong security mechanisms that meet company security policy and comply with regulation. In covering mobile security since 2007 I have learnt that next generation mobile security solutions should have these characteristics:
  • They should focus on users
  • Support agile multi-factor authentication (MFA) with a choice of authenticator to match the context 
  • Be able to provide mobile-based single-sign-on (SSO)
  • Must protect the data, both at rest and during transmission
  • Be available in a simple to use and unified security offering
I believe that there are very few solutions that offer a unified solution supporting these characteristics, and this is why we have seen limited adoption of full-throttled enterprise services for mobile. Often, an organisation will have to mix and match technology solutions to support this vision, and this can be expensive and time-consuming. A solution that combines the functionality and features of a next generation mobile security solution is the Sign&go Mobility Center from Ilex International.

This product provides an integrated security solution to solve the enterprise mobility conundrum, mixing convenience and mobile security in a unified product, and provides:
  • Strong Multi-Factor Authentication supporting one, two or three factors
  • Mobile SSO
  • Data Protection in a secure container
Without the combination of these features, organisations will remain limited in what productivity-enhancing mobility solutions they can deliver. 

Friday, 26 February 2016

Biometrics Takes Centre Stage at MWC 2016

This is my fourth year of being a judge for the GSMA's annual Global Mobile Awards (Mobile Identity and Mobile Security category), and each year I am seeing an increase in the number of entries that are using biometrics to protect smart mobile devices and the services that are being accessed from them.

One of this year's nominees (finalists) was Hoyos Labs who were nominated for their 1U mobile biometric authentication product. Hoyos Labs is one of a growing list of companies that are showcasing their biometric solutions at Mobile World Congress (MWC) as mobile has been a major catalyst for the rapid growth in biometric technology and its adoption by millions of consumers.

Alongside Virtual Reality (VR) technology (did you see that crazy image of Mark Zuckerberg entering the auditorium with all those people plugged into VR units?), wearables were one of the big themes of this year's MWC. We have had limited adoption of biometrics on wearables for security purposes, and one consortium of technology companies wants to change that by providing a solution that offers hardware OEMs a platform for building biometric authentication into a range of wearable devices. Gemalto, Fingerprint Cards, Precise Biometrics and STMicroelectronics have partnered to introduce an end-to-end security framework for the use of fingerprint biometrics on wearable devices. The partnership will demonstrate a solution that embeds a fingerprint sensor from Fingerprint Cards, fingerprint software from Precise Biometrics and secure NFC and low-power microcontrollers from STMicroelectronics. Gemalto is providing the UpTeq eSE, the secure hardware where the user's credentials are stored, and the match-on-card application that validates the fingerprint.

The financial services market has been the fastest growing area of biometric adoption, with our (Goode Intelligence) forecasts of over 120 million users in 2015. On the back of HSBC's decision to roll out voice and fingerprint multi-modal mobile biometric authentication to its UK customers in 2016, MWC 2016 witnessed a flurry of announcements for this sector.

MasterCard is another financial services company that is planning to roll out multi-modal mobile-based biometric authentication, with the decision to deploy fingerprint and facial-recognition technology in around 14 countries. MasterCard's 'selfie pay' solution was piloted in the Netherlands in 2015 and proved to be so successful that it will be available to millions of payment customers around the globe. The aim is to offer this solution to replace MasterCard's 'SecureCode' online payment verification solution. This is an ideal solution and solves a real problem: how do you verify those transactions that need additional user verification and also make it convenient? How many people currently abandon the payment process when the SecureCode window pops up and asks you to enter the 2nd, 5th and 7th letters of your SecureCode? Touching a finger against a sensor or taking a selfie on your smartphone is miles better and should play an important role in reducing Card-Not-Present (CNP) fraud, making it easy to prove you are who you say you are.

Visa, not wanting to be outdone by its main card scheme competitor, also made announcements on biometrics at MWC including a tie-up with Morpho. Morpho has many years of experience in the high-end biometric market (identity and law enforcement) and wants to apply this experience to the consumer market. This includes the use of the MorphoWave four-finger scanner at the physical point of sale. MorphoWave can scan and match four fingerprints in under one second without any sensor contact and involves a customer waving their hands through the scanner. 

This is just a selection of the activity that is happening with the convergence of mobile, wearables and biometrics at the moment. If you are a company that is involved in this exciting area of technology then please reach out to me - either through this blog or via the enquiry email address at Goode Intelligence; enquiry at goode intelligence dot com.

Thank you. 

Tuesday, 9 February 2016

Top Trends for Biometrics in Financial Services

Biometrics is certainly a technology that is rapidly being adopted by the Financial Services industry and this is not just confined to mobile deployments. Mobile is a growing channel for the delivery of financial services and will start to dominate most financial sectors over the next five years but other channels are still a vital part of any delivery strategy.

This is an important message that I have learnt after spending the second half of 2015 researching how biometrics is becoming an important tool within the security toolbox that can be utilised in the fight against financial fraud and identity theft.

In a series of analyst reports that I authored in 2015, published in June, October and December 2015 by Goode Intelligence, I was able to carry out a deep-dive into the adoption of biometric technology in financial services. This included banking, payment and mobile-based biometric services.

In the reports I identified five key trends that are currently shaping this market.

Bye Bye PINs for ATM Security

ATMs are unattended, and when I type in my PIN I am always uber-aware of who is standing behind me in case they may be attempting to steal my PIN. Being a paranoid sort of person, I go through a series of checks that includes looking for ATM skimmers or evidence that a camera may be pointing at the keypad. Banks have installed awareness notices and stuck-on mirrors to help me protect my PIN, but it shouldn't have to be like this.

Things are changing, and banks are modifying their ATM technology to phase out PINs and to embrace biometrics. There is also choice in the biometric deployment method; a bank can either integrate a biometric sensor into the ATM itself (fingerprint, palm-vein, finger-vein and iris are being used) to go either cardless (my biometric replaces the plastic) or keep the card (the biometric template is stored on the card, a biometric sample is captured at the ATM and then matched against the stored template on the card). There is also a mobile biometric solution that removes the need for a plastic bank card or for integration of specialist sensors at the ATM; Hoyos Labs has a neat solution where the mobile device interacts with an ATM using a combination of barcode and mobile biometric authentication technology. And if you like plastic cards then there are solutions as well; a number of vendors, including Zwipe, have integrated a fingerprint sensor into plastic cards to replace PINs. The plastic bank card will only work if the authorised user's fingerprint is first placed on the sensor.

Authenticated Contactless Mobile Payments

One of the more visible success stories for biometric adoption in financial services has been the development of mobile biometric contactless payments. Apple Pay and Samsung Pay both use integrated fingerprint sensors to secure contactless mobile payments in physical locations. The PIN was adding friction to the physical payment experience, so you can either forget about user authentication and limit the transaction amount (tap and pay for low value payments) or replace the PIN with a method that doesn't slow down the experience but still adds a level of security.

How to tackle rising levels of Card-Not-Present Fraud?

Technology does reduce fraud. The deployment of EMV chip cards has led to a reduction of fraud at the physical point of sale. This has led criminals to move online and attack commerce channels that the EMV chip cannot protect. The rise of Card-Not-Present (CNP) fraud, especially for eCommerce transactions, and the movement towards mobile commerce have created the need for secure and convenient user authentication and transaction verification. Biometrics offers a viable solution. Expect to see the payment networks start to roll out mobile-based biometric solutions that aim to tackle the CNP fraud problem, and even to support them in 3D Secure 2.0.

Wearable Payments to support Biometric Authentication 

It is early days for wearables; the market is too fragmented and there are too few devices currently being used by consumers. This will change, and as more and more apps are developed to support the delivery of financial services to bands and smart watches, the need to validate identity and to protect commerce will become critical. For wearables, it is important to pick a biometric modality that suits the device and the application, so expect to see technology such as heart-rate (ECG), behavioural and vascular biometrics being integrated into the next generation of wearable devices: biometrics that can be captured when a device is close to the skin of its wearer. Brainwave for Glass perhaps?

Financial-Grade multi-modal biometric authentication to become de-facto for mobile banking apps

The final trend that I am pulling out of these reports is part of a movement to increase the security of mobile-based biometric solutions without adversely affecting convenience, and to ensure that financial services providers maintain ownership of identity. The industry needs to ensure that the biometric technology is hard to spoof, that the protocols cannot be compromised and that the vulnerabilities seen in existing 2FA solutions (including replay and man-in-the-middle attacks) are not introduced. At the same time, the solution must be easy to use, scalable and able to fit into existing identity lifecycle management tools (can I revoke a credential?). The use of more than one biometric modality, face and voice for instance, in a banking app can increase security and also provide choice for consumers. A service provider can also match the right biometric modality to the context of the login or transaction attempt; fingerprint may open the app, but a challenge using another modality may be needed to send a payment to a new beneficiary.

To conclude: established financial services organisations, challenger banks and the emerging FinTech providers now understand the importance of choosing the most appropriate user authentication and transaction verification technology that can work across all finance channels and can meet the needs of convenience and security. Biometrics certainly ticks the boxes for convenience, with millions of customers around the world paying for products and accessing mobile banking with the touch of a finger or by taking a selfie. A number of biometric platforms are also being introduced that tick the security, regulatory and privacy boxes, including IEEE's Biometric Open Protocol Standard (BOPS).

What is exceptional about this market is the sheer scale of deployment that has already taken place and the enormous potential that is yet to come. From millions of Brazilians daily withdrawing cash from biometrically-enabled ATMs, to mobile banking customers accessing their accounts with the touch of a finger or by taking an image of their face, the use of biometrics for financial services is improving security, reducing financial fraud and removing the need for cumbersome authentication solutions that are not fit for purpose in today's hyper-connected world.

Monday, 19 October 2015

Innovation in Biometrics Enables Alternative Payment Methods

Payments have been the major driving force for the wide-scale adoption of biometrics in the consumer market. Today, millions of customers (Goode Intelligence forecast 350 million plus during 2015) are using biometrics on a daily basis around the world to provide secure convenient user authentication and transaction authorisation and this theme is set to continue with a forecast of over three billion users by 2020. 

Biometrics for payments is increasingly a vital part of a payment service provider's toolkit in the never-ending task of reducing financial fraud and ensuring that their customers can conveniently prove their identity and authorise transactions.

The adoption of biometrics for payments is also leading to wide-scale disruption in the payment industry, enabling alternative methods for consumers to pay for goods and services in a variety of payment scenarios. This is not simply replacing one authentication mechanism with another, the finger replacing the PIN. Biometrics is allowing alternative payment methods to be introduced, some of which are being supplied by non-traditional payment service providers.

HYPR Corp has developed a biometric security protocol that provides digital payment platforms, including Bitcoin, with a solution to secure access to their digital payment assets.

One of the core security concerns around Bitcoin and other digital currency platforms is that unlike with credit cards, transactions are irreversible.

HYPR was founded to solve the core fraud problem by providing a definitive answer to the question of “Am I who I say I am?” 

HYPR answers the question of “Am I who I say I am?” through a three-factor authentication protocol that creates a biometric authentication bridge between the user and their mobile wallet. The cryptographic algorithm that HYPR uses is the same as the digital signature algorithm that the Bitcoin protocol uses. Because of this similarity, future iterations of the HYPR biometric security platform could be used to biometrically validate Bitcoin transactions.

Another company looking to secure Bitcoin transactions is Nymi with their heartbeat-enabled wearable band. The Nymi band can be used to store a user's Bitcoin in a native biometric wallet, with the private key tied to a unique ECG biometric signature. I recently demoed the capabilities of the Nymi band at a presentation I gave on the future of biometrics for wearables at the Biometrics 2015 conference in London. I even use the Nymi band to log me into my office computer and have been impressed at how natural it feels to allow me access to my computer.

Biometrics is also enabling new ways in which consumers can use traditional payment methods, even cash (still the preferred payment type for many people). Hoyos Labs has developed a smartphone-based biometric authentication solution that aims to reduce the increasing amount of fraud at the ATM, negating the problem of bank card skimming. Their 1U ATM product is a software platform that allows bank customers to access their accounts via ATMs using biometrics on smartphones. There is no need for cards or for the customer to enter a PIN at the ATM, as the entire authentication occurs on the customer’s smartphone.

The Hoyos Labs solution is compatible with existing ATM platforms and does not need any hardware to be installed on the ATMs.

These are just three examples of how the latest biometric solutions are protecting payments and enabling alternative ways in which we can pay for a wide range of goods and services in a variety of payment scenarios, from Bitcoin to the humble bank note.

I explore many more examples of biometric payments, including the rise of the mobile wallet, in an analyst report recently published by Goode Intelligence: "Biometrics for Payments; Payment Security Gets Personal".

Wednesday, 9 September 2015

The Top 10 Features for a Modern Authentication Solution

Back in 2009 I wrote an analyst report for Goode Intelligence on the mobile phone as an authentication device. It predicted that the mobile phone would become the prime user authenticator and enable people to securely access digital services delivered across a wide range of endpoints; used as an out-of-band authenticator for web services and as a seamless authentication tool for mobile apps. 

Roll forward to 2015 and these predictions have proved to be pretty accurate. The smartphone has become the remote control of our digital lives, with user authentication being one of the main go-to buttons on our remote controls. All of the major authentication platforms are transitioning away from delivering strong authentication through sole-purpose hardware. Traditional stronger authentication technology, such as the smartcard and OTP token, is largely being replaced by smart and agile forms of mobile-based authentication solutions, some of which (Apple's Touch ID biometric authentication technology) are being embedded into mass-market consumer technology. It has never been as easy to deploy strong mobile-based authentication. But which authentication and identity management solution should an organization choose, and how should they measure them?

In the years that I have been covering the authentication industry I have worked with my colleagues, both at Goode Intelligence and through our many consultancy engagements, to develop a checklist of where an authentication solution needs to excel in order to be market leading. 

The result of this work has been the recently launched Product Evaluation service that provides an independent analysis of information security products and services, including authentication and identity management solutions. We define that a modern authentication solution should have the following ten features to be successful in meeting the latest demands. These ten features are listed below.

We have used these criteria as part of a product evaluation of the Encap Security Smarter Authentication Platform in a recently published free-to-download report. The evaluation concludes that Encap's mobile-based authentication platform meets the requirements of a modern authentication platform, and Goode Intelligence has awarded the product a ‘Highly Commended’ rating (Goode Intelligence’s top rating for Authentication and IAM).

This rating has been awarded as the Smarter Authentication Platform is a highly customizable, adaptive and risk-based platform that meets the needs of highly-scalable connected digital services. It has the ability to be quickly integrated and rolled out to millions of end-users and is available for all smart mobile devices. 

Organizations can apply the same measurement criteria when evaluating authentication and identity management solutions for their own use and Goode Intelligence shall be publishing further product evaluation reports in the coming months to assist organizations in choosing the most appropriate technology for their use.

Thursday, 2 July 2015

A guide for banks in choosing the most appropriate biometric system

Banks are racing ahead in deploying biometric systems in an attempt to control rising levels of financial fraud and to reduce friction on inconvenient forms of authentication and fraud management. 

There are many different competing biometric modalities that banks can implement, but what criteria do (or should) they use to ensure that the biometric system is appropriate?

Through Goode Intelligence, I have been involved in a number of consultancy engagements with banks and suppliers to assist them in assessing and choosing the most appropriate biometric system to meet their requirements.

Based on this experience, and engagements with a wide range of biometric and authentication technology companies, we have devised an assessment methodology that banks and systems integrators can use to ensure that the most appropriate biometric system is chosen. 

The Goode Intelligence Banking Biometric System Assessment (BBSA) tool is based on four interlocking parts: biometric performance, usability, regulation and security. It is also applicable to other highly regulated industries including healthcare, government, telecommunications and utilities.

The methodology provides guidance to banks in assessing biometric systems; exactly how a bank weights the assessment criteria depends on its own circumstances, such as budget, security policy, bank channel, regulatory environment and risk and privacy models.

There will obviously be other technical and non-technical assessment criteria that a bank will use including integration, scalability and support models etc. 

Biometric Performance: The assessment of the biometric performance and accuracy of a banking biometric system includes measurement of False Reject Rates (FRR), False Acceptance Rates (FAR) and Failure to Enrol Rates (FER). The accuracy of a banking biometric system is expressed as an Equal Error Rate (EER), the point at which FAR and FRR are equal. It is important to be pragmatic when assessing biometric systems using these standard biometric performance measurements, as 'lab conditions' may not match those experienced by a bank's customers when they are using the technology. It is important for a bank to ensure that it can continuously measure the performance of a live biometric system, and banks must ensure that their suppliers can meet this requirement.
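As an added illustration (not code from the post or from the BBSA tool), the Python below sweeps a matcher decision threshold over constructed genuine and impostor scores to compute FAR and FRR, locates the EER, derives the FER from a constructed enrolment log, and shows how a noisier "live" score set moves the EER away from the lab figure; every score and enrolment outcome is constructed sample data, not real matcher output.

```python
from dataclasses import dataclass

# Constructed sample data (not real matcher output): similarity scores 0-100.
# Genuine scores: users matched against their own template.
# Impostor scores: users matched against someone else's template.
LAB_GENUINE = [92, 88, 85, 81, 79, 77, 75, 74, 72, 70, 69, 66, 64, 61, 58, 55]
# Constructed "live" genuine scores: same matcher, noisier real-world captures.
LIVE_GENUINE = [90, 84, 80, 76, 73, 70, 67, 64, 62, 60, 57, 54, 52, 50, 48, 45]
IMPOSTOR = [10, 15, 20, 25, 30, 35, 40, 45, 50, 55, 58, 61, 65, 70, 75, 80]
# Constructed enrolment log: True = template created, False = enrolment failed.
ENROLMENTS = [True] * 47 + [False] * 3


@dataclass(frozen=True)
class OperatingPoint:
    threshold: int
    far: float  # share of impostor attempts accepted (score >= threshold)
    frr: float  # share of genuine attempts rejected (score < threshold)


def far_at(threshold, impostor_scores):
    """False Acceptance Rate at a given decision threshold."""
    if not impostor_scores:
        raise ValueError("no impostor attempts")
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr_at(threshold, genuine_scores):
    """False Reject Rate at a given decision threshold."""
    if not genuine_scores:
        raise ValueError("no genuine attempts")
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def failure_to_enrol_rate(enrolments):
    """Failure to Enrol Rate: share of enrolment attempts with no usable template."""
    if not enrolments:
        raise ValueError("no enrolment attempts")
    return sum(1 for ok in enrolments if not ok) / len(enrolments)


def sweep(genuine_scores, impostor_scores):
    """FAR/FRR at every distinct observed score, in ascending threshold order."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [OperatingPoint(t, far_at(t, impostor_scores), frr_at(t, genuine_scores))
            for t in thresholds]


def equal_error_rate(genuine_scores, impostor_scores):
    """Operating point where FAR and FRR are closest to equal; the error rate
    there is the EER (average FAR and FRR if they do not coincide exactly)."""
    points = sweep(genuine_scores, impostor_scores)
    return min(points, key=lambda p: (abs(p.far - p.frr), p.threshold))


def threshold_for_max_far(genuine_scores, impostor_scores, max_far):
    """Lowest threshold whose FAR stays within a policy ceiling, with the FRR
    (customer friction) that choice costs."""
    for point in sweep(genuine_scores, impostor_scores):  # FAR falls as t rises
        if point.far <= max_far:
            return point
    raise ValueError("no threshold satisfies the FAR ceiling")


def main():
    lab = equal_error_rate(LAB_GENUINE, IMPOSTOR)
    live = equal_error_rate(LIVE_GENUINE, IMPOSTOR)
    print(f"lab  EER {lab.far:.3f} at threshold {lab.threshold}")
    print(f"live EER {live.far:.3f} at threshold {live.threshold}")
    policy = threshold_for_max_far(LAB_GENUINE, IMPOSTOR, max_far=0.2)
    print(f"FAR <= 20%: threshold {policy.threshold}, FRR {policy.frr:.3f}")
    print(f"FER {failure_to_enrol_rate(ENROLMENTS):.3f}")


if __name__ == "__main__":
    main()
```

Feeding the live scores through the same sweep is the continuous measurement the paragraph asks for: a rising live EER against a stable lab EER is the signal that field conditions have drifted from the supplier's benchmark.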

Usability: Today’s app-driven world means that getting usability right across a wide range of devices is essential. What might be an appropriate biometric modality in terms of usability at an ATM might not be appropriate when a bank customer is authenticating via a mobile app or via an Interactive Voice Response (IVR) solution. A pilot or proof-of-concept (POC) provides an opportunity for banks to evaluate a biometric system and different biometric modalities. Financial institutions should build usability measurement into these pilots and POCs and gather feedback from users on how easy the biometric systems are to use. Regional differences also play an important part in the usability choices of a bank; a biometric system that is suitable for one region may be inappropriate for others.

Security: When evaluating a biometric system for banking, banks should ask whether the system is secure and able to meet internal and external (regulatory) security requirements. Biometric systems must adhere to security policy and regulation and biometric data, including templates, should be securely captured, encrypted and stored. 

Regulation: Banking (industry) regulation is the fourth main component of the assessment of a biometric system for bank use. Biometric systems in banking are currently governed by a mixture of data protection and privacy regulation, such as the EU’s Data Protection legislation; technology-based guidelines, including the US’s FFIEC guidance on the use of authentication in an internet environment; and specific financial services regulation, including the EU’s Payment Services Directive II (EU PSD II).

We have published more information on our banking biometric system assessment methodology / tool in our recently published report: Biometrics for Banking; Market & Technology Analysis, Adoption Strategies and Forecasts 2015-2020. Goode Intelligence's biometric advisory and consultancy service aims to assist organisations in choosing the most appropriate biometric systems; contact us for more information.