Friday, 26 February 2016

Biometrics Takes Centre Stage at MWC 2016

This is my fourth year of being a judge for the GSMA's annual Global Mobile Awards (Mobile Identity and Mobile Security category) and each year I am seeing an increase in the number of entries that are using biometrics to protect smart mobile devices and the services that are being accessed from them.

One of this year's nominees (finalists) was Hoyos Labs who were nominated for their 1U mobile biometric authentication product. Hoyos Labs is one of a growing list of companies that are showcasing their biometric solutions at Mobile World Congress (MWC) as mobile has been a major catalyst for the rapid growth in biometric technology and its adoption by millions of consumers.

Alongside Virtual Reality (VR) technology (did you see that crazy image of Mark Zuckerberg entering the auditorium with all those people plugged into VR units?), wearables was one of the big themes of this year's MWC. We have had limited adoption of biometrics on wearables for security purposes and one consortium of technology companies wants to change that by providing a solution that offers hardware OEMs a platform for building biometric authentication into a range of wearable devices. Gemalto, Fingerprint Cards, Precise Biometrics and STMicroelectronics have partnered to introduce an end-to-end security framework for the use of fingerprint biometrics on wearable devices. The partnership will demonstrate a solution that embeds a fingerprint sensor from Fingerprint Cards, fingerprint software from Precise Biometrics and secure NFC and low-power microcontrollers from STMicroelectronics. Gemalto is providing the UpTeq eSE, secure hardware where the user's credentials are stored, and the match-on-card application that validates the fingerprint.

The financial services market has been the fastest growing area of biometric adoption with our (Goode Intelligence) forecasts of over 120 million users in 2015. On the back of HSBC's decision to roll out voice and fingerprint multi-modal mobile biometric authentication to its UK customers in 2016, MWC 2016 witnessed a flurry of announcements for this sector.

MasterCard is another financial services company that is planning to roll out multi-modal mobile-based biometric authentication with the decision to deploy fingerprint and facial-recognition technology in around 14 countries. MasterCard's 'selfie pay' solution was piloted in the Netherlands in 2015 and proved to be so successful that it will be available to millions of payment customers around the globe. The aim is to offer this solution to replace MasterCard's 'SecureCode' online payment verification solution. This is an ideal solution and solves a real problem: how do you verify those transactions that need additional user verification and also make it convenient? How many people currently abandon the payment process when the SecureCode window pops up and asks you to enter the 2nd, 5th and 7th letters of your SecureCode? Touching a finger against a sensor or taking a selfie on your smartphone is miles better and should play an important role in reducing Card-Not-Present (CNP) fraud, making it easy to prove you are who you say you are.

Visa, not wanting to be outdone by its main card scheme competitor, also made announcements on biometrics at MWC including a tie-up with Morpho. Morpho has many years of experience in the high-end biometric market (identity and law enforcement) and wants to apply this experience to the consumer market. This includes the use of the MorphoWave four-finger scanner at the physical point of sale. MorphoWave can scan and match four fingerprints in under one second without any sensor contact and involves a customer waving their hands through the scanner. 

This is just a selection of the activity that is happening with the convergence of mobile, wearables and biometrics at the moment. If you are a company that is involved in this exciting area of technology then please reach out to me - either through this blog or via the enquiry email address at Goode Intelligence; enquiry at goode intelligence dot com.

Thank you. 

Tuesday, 9 February 2016

Top Trends for Biometrics in Financial Services

Biometrics is certainly a technology that is rapidly being adopted by the Financial Services industry and this is not just confined to mobile deployments. Mobile is a growing channel for the delivery of financial services and will start to dominate most financial sectors over the next five years but other channels are still a vital part of any delivery strategy.

This is an important message that I have learnt after spending the second half of 2015 researching how biometrics is becoming an important tool within the security toolbox that can be utilised in the fight against financial fraud and identity theft.

In a series of analyst reports that I authored in 2015 that were published in June, October and December 2015 by Goode Intelligence, I was able to carry out a deep-dive into the adoption of biometric technology in financial services. This included banking, payment and mobile-based biometric services.

In the reports I identified five key trends that are currently shaping this market.

Bye Bye PINs for ATM Security

ATMs are unattended and when I type in my PIN I am always uber-aware of who is standing behind me in case they may be attempting to steal my PIN. Being a paranoid sort of person I go through a series of checks that includes checking for ATM skimmers or evidence that a camera may be pointing at the keyboard. Banks have installed awareness notices and stuck-on mirrors to help me protect my PIN but it shouldn't have to be like this. 

Things are changing and banks are modifying their ATM technology to phase out PINs and to embrace biometrics. There is also choice in the biometric deployment method; a bank can integrate a biometric sensor into the ATM itself (fingerprint, palm-vein, finger-vein and iris are being used) to go either cardless (my biometric replaces the plastic) or keep the card (the biometric is stored on the card and a biometric is captured at the ATM and then matched against the stored template on the card). There is also a mobile biometric solution that replaces the need for a plastic bank card or integration of specialist sensors at the ATM; Hoyos Labs has a neat solution where the mobile device interacts with an ATM using a combination of barcode and mobile biometric authentication technology. And if you like plastic cards then there are solutions as well; a number of vendors, including Zwipe, have integrated a fingerprint sensor into plastic cards to replace PINs. The plastic bank card will only work if the authorised user's fingerprint is first placed on the sensor.

Authenticated Contactless Mobile Payments

One of the more visible success stories for biometric adoption in financial services has been the development of mobile biometric contactless payments. Apple Pay and Samsung Pay both use integrated fingerprint sensors to secure contactless mobile payments in physical locations. The PIN was adding friction to the physical payment experience so you can either forget about user authentication and limit the transaction amount (tap and pay for low value payments) or replace the PIN with a method that doesn't slow down the experience but still adds a level of security. 

How to tackle rising levels of Card-Not-Present Fraud?

Technology does reduce fraud. The deployment of EMV chip cards has led to a reduction of fraud at the physical point of sale. This has led criminals to move online and attack commerce channels that the EMV chip cannot protect. The rise of Card-Not-Present (CNP) fraud, especially for eCommerce transactions, and the movement towards mobile commerce has created the need for secure and convenient user authentication and transaction verification. Biometrics offers a viable solution. Expect to see the payment networks start to roll out mobile-based biometric solutions that aim to tackle the CNP fraud problem, and even support in 3D Secure 2.0.

Wearable Payments to support Biometric Authentication 

It is early days for wearables; the market is too fragmented and there are too few devices currently being used by consumers. This will change, and as more and more apps are developed to support the delivery of financial services to bands and smart watches, the need to validate identity and to protect commerce will become critical. For wearables, it is important to pick a biometric modality that suits the device and the application, so expect to see technology such as heart-rate (ECG), behavioral and vascular being integrated into the next generation of wearable devices: biometrics that can be captured when a device is close to the skin of its wearer. Brainwave for Glass perhaps?

Financial-Grade multi-modal biometric authentication to become de-facto for mobile banking apps

The final trend that I am pulling out of these reports is part of a movement to increase security of mobile-based biometric solutions without adversely affecting convenience and ensuring that financial services providers maintain ownership of identity. The industry needs to ensure that the biometric technology is hard to spoof, that the protocols cannot be compromised and that the vulnerabilities seen in existing 2FA solutions (including replay and man-in-the-middle attacks) are not introduced. At the same time the technology must be easy to use, scalable and fit into existing identity lifecycle management tools (can I revoke a credential?). The use of more than one biometric modality, face and voice for instance, in a banking app can increase security and also provide choice for consumers. A service provider can also match the right biometric modality to the context of the login or transaction attempt; fingerprint may open the app but a challenge using another modality may be needed to send a payment to a new beneficiary.
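The context-based step-up described above can be sketched as follows. This is an added example, not code from any vendor or standard named in this post: the policy table, action names and class are hypothetical, and an HMAC key stands in for a device credential held in secure hardware. The server issues a single-use challenge tied to the transaction, so a replayed response or one whose transaction details were altered in transit fails verification.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical policy (assumption): biometric modalities required per action.
POLICY = {
    "open_app": {"fingerprint"},
    "pay_known_beneficiary": {"fingerprint"},
    "pay_new_beneficiary": {"fingerprint", "face"},
}


def sign(key, nonce, action, tx_details, modalities):
    """Device side: tag binding the challenge, the transaction the user saw,
    and the modalities matched locally. HMAC stands in for a hardware-held key."""
    msg = json.dumps([nonce, action, tx_details, sorted(modalities)])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class StepUpVerifier:
    """Server side: issues single-use challenges and checks the response."""

    def __init__(self, device_key):
        self.device_key = device_key  # enrolled per device (assumed)
        self.pending = {}             # nonce -> (action, tx_details)

    def challenge(self, action, tx_details=""):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (action, tx_details)
        return nonce, sorted(POLICY[action])

    def verify(self, nonce, modalities, tag):
        entry = self.pending.pop(nonce, None)  # consumed on first use
        if entry is None:
            return False                       # unknown or replayed challenge
        action, tx_details = entry
        if not POLICY[action] <= set(modalities):
            return False                       # step-up modality missing
        expected = sign(self.device_key, nonce, action, tx_details, modalities)
        return hmac.compare_digest(expected, tag)
```

Revoking a credential in this sketch amounts to discarding the enrolled device key on the server, after which no response from that device verifies.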

To conclude: established financial services organisations, challenger banks and the emerging FinTech providers now understand the importance of choosing the most appropriate user authentication and transaction verification technology that can work across all finance channels and can meet the needs of convenience and security. Biometrics certainly ticks the boxes for convenience with millions of customers around the world paying for products and accessing mobile banking with the touch of the finger or by taking a selfie. A number of biometric platforms are also being introduced that tick security, regulatory and privacy boxes, including IEEE's Biometric Open Protocol Standard (BOPS).

What is exceptional about this market is the sheer scale of deployment that has already taken place and the enormous potential that is yet to come. From millions of Brazilians daily withdrawing cash from biometrically-enabled ATMs, to mobile banking customers accessing their accounts with the touch of a finger or by taking an image of their face, the use of biometrics for financial services is improving security, reducing financial fraud and removing the need for cumbersome authentication solutions that are not fit for purpose in today's hyper-connected world.