Should you ditch passwords for biometrics, or rage against the machine? Over 60 per cent of Brits reportedly prefer passwords and their mother’s maiden name to having their fingerprint in a database.
If the last four decades of Hollywood movies have taught us anything, it’s that biometrics is the future. It’s also very cool.
Biometrics isn’t new
Biometrics is the use of electronically-stored records of physical identifiers that validate a person’s identity, including fingerprints, retinal blood vessel patterns, and voice.
While this technology may have captured the imagination of writers and filmmakers, only five per cent of UK residents actually consider biometrics risk-free, according to a survey from YouGov, commissioned by GMX.
Already over 60 hospitals in the UK use fingerprint technology to access patient files, and with banks like HSBC, Santander and Barclays using voice biometrics for contact centre interaction, the technology is already showing strong signs of being commercially viable.
The password paradox
Hackers can just as easily steal your password as they can guess it
Passwords are inherently vulnerable. The more complex a password is, the harder it is for hackers to guess, making it more secure.
However, complex passwords are hard to remember, and are more likely to be written down or stored in a digital format, which makes them less secure.
Of course, if a password is stolen, it doesn’t matter whether it’s complex or weak. The damage is done.
The proponents of biometrics use this argument to explain just how unique your biological data really is.
A 3 billion-to-one chance
According to Nick Dryden, founder of biometrics startup Sthaler, the chance of finding another individual with your exact vein print is so slim that in a nationwide study of 150 million people in Japan, no one has ever found two people with the same pattern.
Even identical twins, or theoretical clones, have different vein patterns, fingerprints and blood vessels in their retinas, as these markers are determined in utero and at early stages of infancy.
Sthaler’s FingoPay product marries biometric identification with payments, making a cashless, cardless future very possible.
“We make a little crypto key from your vein pattern. It’s only 572 bytes, a tiny set of data, that goes into the cloud. It takes around 200 to 300 milliseconds, and essentially asks ‘do you recognise this vein pattern?’ and ‘is there a payment method associated with this?’,” Dryden says.
The system links users’ vein patterns to their credit and debit cards and PayPal accounts, so they can theoretically go from a festival to a nightclub to McDonald’s, wallet-free. All the biometric data is anonymously stored on the cloud.
What’s so scary about biometrics?
Why are so many Brits sceptical towards password alternatives? 42 per cent cite privacy concerns as a primary reason. They don’t want companies to collect, save, or use their personal data.
Sthaler’s Dryden thinks a way to win over sceptics is by giving customers complete control of their data. “While testing our product, we had some naysayers say that vein printing is too ‘Big Brothery’. It’s only ‘Big Brothery’ if we kept your data. The general public will trust it if they have control over it. In our system you are anonymous unless you tell us,” he explains.
41 per cent expect sign-in malfunctions and technical glitches. Almost one third fear fraudsters may outsmart biometric authentication methods.
But how can a limited permutation of 8 letters and numbers protect their data better than their unique biological markers?
According to GMX CEO Jan Oetjen, the study reveals that the general UK consumer may need more reassurance that biometric log-in methods are secure and have the potential to go mainstream.
Can a fraudster throw your voice?
While most businesses may invest in strong cyber security measures for their websites, the contact centre remains vulnerable to fraudulent phone scams, according to Matt Peachey, general manager of voice fraud prevention firm Pindrop’s EMEA region.
“Fraudsters may think contact centres are a weak entry point, and technically, the door is wide open. There’s very little investment in technology to understand or prepare contact centres for risks in phone interaction,” he says.
According to Peachey, fraudsters are always looking for ways to beat security measures, and the only way to one-up them is by adopting a multi-layer approach, looking at “something you are, something you have, and something you know.”
The call is definitely not coming from inside the house. Most fraudulent calls are from con artists based in West Africa or Eastern Europe using VoIP technology.
“Contact centres today just look at something you know, which may be in the form of PINs, passwords, your mother’s maiden name, your date of birth. This is pretty easy to even guess in some cases. This isn’t enough,” Peachey adds.
“Your voice is your voice, so it’s something you are. If a fraudster knows a company is using voice biometrics, they will do things specifically to make voice biometrics fail, such as injecting audio like babies crying, dogs barking, police sirens in the background and so on, to throw them off. Then contact centres will revert to knowledge-based authentication again, which we know is easy to crack.
“The key piece of the puzzle is adding something you have, and that could be your phone or where you are. This is what we do with phoneprinting, recording an imprint of the phone and telephony infrastructure, which cannot be duplicated.”
Going back to the GMX survey, Peachey’s multi-layer approach may resonate well with the 26 per cent of respondents who believe biometric log-in methods are a good addition to passwords, but only in combination with manual methods like PIN entry.