Friday 19 September 2014

Payments drives consumer biometrics and the push for enterprise

I was fortunate to be out in Washington DC last week (8-11 September) speaking at an RSA Global Summit on the future of authentication and presenting my research on mobile and wearable biometric authentication.

The Summit coincided with Apple's latest product launch on the 9th September and I was able to catch up with the announcements during a couple of breaks - unfortunately not aided by Apple's live streaming debacle that was at times verging on the ridiculous. (I particularly enjoyed the Chinese commentary and some severe editing that left out much of what Cook was saying. I got the applause but not the reason for the applause - perhaps that was Apple's corporate comms team in charge of editing?)

As well as a number of new hardware launches including bigger bolder iPhones and a watch....(will it support biometrics for authentication?). We saw Apple make a push into payments with 'Apple Pay'; using the Touch ID fingerprint system to provide authentication for payments (both online and physical). I have been watching Apple create the building blocks for this payment solution over the last couple years - Passcode, iBeacon, Passbook, Touch ID, Secure Enclave and finally NFC. Nice to see the finished solution.

As I said in a couple of interviews with the press last week, what Apple has done is not revolutionary; what it has successfully done is to cement a number of emerging technologies into a usable solution. This is backed by strategic partnerships with the world's largest retail payment  providers and links over 800 million global iTunes users to a mobile payments solution. And from a biometric authentication point of view, with Touch ID, it offers quite possibly the best user experience and the highest penetration of available mobile devices - a frictionless payment tool in a sleek piece of metal and glass. It will be interesting to see how it links other features such as loyalty, social and coupons to the payment app to make it any more appealing than using a plastic card - the value is not in the payment transaction per se.

By also opening up the Touch ID environment to third parties (Touch ID API) it allows other service providers (including financial services providers) to take advantage of this frictionless authentication solution. We have already seen announcements from MINT and Simple bank that they are utilising Touch ID for their mobile banking apps plus a proof of concept from Nok Nok Labs with a FIDO Ready solution. I expect that we will see many more announcements as the devices start to get in the hands of consumers (there is apparently pent-up demand for the latest iPhone from 4S and 5 users wanting to upgrade).

It is quite possible that the trend of Bring Your Own Identity (BYOI) may be accelerated as a result of Apple's Touch ID solution. All a service provider need do is to build an app that uses the Touch ID API and that's my authentication sorted - right?

Talking of FIDO, this year has also seen the world's two largest Internet payment companies, PayPal and Alipay adopt FIDO standards (through Nok Nok Lab's S3 Authentication Suite) to leverage mobile-based fingerprint sensors to provide the prime authentication solution for mobile payments (where the device obviously supports it).

Payments is definitely driving consumer biometrics.

So what about the enterprise? Are they ready to embrace BYOI and adopt authentication solutions for their employees and business partners? I think the answer is a guarded yes but it may take some time.

My time spent at the RSA Global Summit last week in DC was very informative in listening to the thoughts and opinions of enterprise users. Consumer is definitely driving innovation in authentication and this is taking its time to trickle down into the enterprise. In the main, they have BYOI and consumer-based mobile biometric authentication technology on their radar but also need some assurances that the trust, privacy and security models (there is obvious overlap between these three) employed by mobile device OEMs (including Apple, Samsung and Huawei) is good enough to meet security policy and industry regulation.

FIDO can help; by creating a user authentication standard fit for a modern connected world, ratified by some of the world's leading technology companies and service providers, organisations and end users can have a higher level of assurance that trust, privacy and security demands are met. FIDO has real positives in the 'first mile' of authentication but also needs connections to subsequent miles of the authentication and authorisation journey.

Enterprise users in particular demand comprehensive and integrated authentication solutions that combine convenient user authentication (probably on a mobile or wearable device) with other associated risk and security solutions including single sign on/federation, risk based authentication and risk management, business aware authorisation that is context aware and threat intelligence/threat analytics, That's potentially a lot of integration work!

Please free to leave a comment on this blog - I am always interested in receiving feedback and openly discussing this fascinating topic.

Thank you, Alan.