Passwords and PINs are a pain. Everyone forgets them.
According to a study from Cyber Streetwise, the average British consumer needs to recall 19 passwords to access all his or her logins for email, social networks, e-commerce and banking.
And the experts say you should choose something with 20 characters and lots of $, * and %.
It’s ridiculous. And it’s why so many people choose just one password and make it something memorable.
Like ‘password’ or ‘1234’.
This, of course, makes them easy to hack and defeats the whole object.
No wonder there’s so much interest in biometrics.
Biometric authentication uses ‘something you are’ rather than ‘something you know’ to identify someone. That makes it hard to steal.
The most common forms of biometrics are voice, fingerprint, iris and facial recognition. But they’re not the only ones.
Mind you, not everyone is on board. Biometrics refuseniks point to the ability of criminals to perform ‘man in the middle’ attacks and to steal the digital files that represent a biometrics ID.
Then there are obvious human flaws.
What happens if you grow a beard? Or cut your finger? Or catch a cold that makes your voice husky?
However, supporters say the point of biometric authentication is convenience. For low-security uses, it’s fast and efficient. And when security needs to be more robust, biometrics can be used in conjunction with a broader array of measures such as PIN and password.
Despite all the debate, there’s lots of momentum behind the cause.
According to Goode Intelligence, 3.4 billion users will have biometric authentication features on their mobiles by 2018, and by 2017 there will be over 990 million smartphones, phablets and tablets with fingerprint sensors.
Some companies are already hard at work.
Let’s look at a few…
Authentication method: keystrokes
The big idea of biometric authentication startup BehavioSec is this:
It’s not what you type, it’s how you type it.
The Swedish company has devised a behavioral biometrics technology that observes how the user interacts with a device or browser, analysing the rhythm of typing, the key pressure, swipe speed, finger positioning and typing velocity.
BehavioSec’s behavioral biometric authentication software is embedded in a bank’s website or app so it can scan a user’s activity fingerprint.
Thereafter, its machine-learning algorithm builds up a unique profile and a biometric score.
Every time a user logs in, it compares his or her activity with what’s in the database.
BehavioSec says the success rate of the technique is extremely high. In a pilot trial with Danske Bank, the product distinguished between legitimate users and imposters in 99.7 per cent of cases.
Most Nordic banks now use its system and further launches are under way with financial firms across Northern Europe.
Authentication method: edible (seriously)
OK, this one’s not live yet.
In a presentation called “Kill all Passwords” PayPal’s global head of developer evangelism Jonathan Leblanc lamented the current state of online security and described iris recognition and fingerprint scans as “antiquated”.
Instead, he proposed some radical biometric authentication ideas: embeddables, injectables and ingestibles.
These comprised silicon chips with sensors that could go inside the skin, and identify heartbeats and glucose levels.
Authentication method: voice
SayPay offers a voice-recognition tech that it pitches primarily at banks and e-commerce merchants.
As you might expect, the system requires users to speak to authenticate themselves, but the important bit is that they dictate a one-time code displayed on the screen rather than a name or password. On review, the customer simply presses “Pay.”
Naturally, the system can also be used for lower-risk actions like signing into a service.
Authentication method: facial recognition
Earlier this year at CeBIT, the CEO of Alibaba, Jack Ma, took a selfie and claimed his pic alone had processed a live payment.
The facial recognition technology, called Smile to Pay, is still in beta and will be usable not just on Alibaba but on any transaction using the Alipay Wallet service.
“Online payments are always a big headache. You forget your password…you worry about security,” said Ma.
Authentication method: facial recognition
The UK company has been a little secretive with its biometric authentication tech even though it’s been around for three years.
It claims to have created a tech – Verifier – that gets past the usual wrinkles with facial recognition. For example, it bypasses user vanity by displaying an outline of the face and uses multiple flashes to detect movement (thereby rejecting still photos held in front of the camera).
Authentication method: veins
Palm reading. Sounds a bit new-agey, but actually it’s the foundation of Biyo’s biometric authentication technology. Biyo (formerly PulseWallet) has created a physical reader that integrates with a retailer’s own POS systems.
Regular shoppers register themselves by entering their card details then waving their hand on the terminal. This links the palm to the card and thereafter, they can pay merely with their hand.
The system, based on Fujitsu’s PalmSecure tech, uses sensors to capture a user’s palm vein pattern. It looks for flowing blood, and is therefore not affected by cuts or dirt on the palm.
And it’s contactless (the user holds his or her hand over the screen) so the display doesn’t get greasy. This also means vein patterns can’t be lifted like fingerprints.
See also Quixter.
Authentication method: heartbeat
Bionym’s Nymi bracelet authenticates the wearer by her unique electrocardiogram (basically, the heartbeat pattern). Another set of sensors then continuously detects that the authenticated person is still wearing the bracelet.
So the idea is this – you strap on your bracelet, and it knows it’s you. Then, when you approach any linked device – could be a door, a laptop, a phone – the device will automatically unlock. Naturally, this form of biometric authentication could be extended to payments.
When you take off the device, it re-sets. If someone else puts it on, it won’t work.
In September, Bionym raised $14 million on the back of a pre-launch order book for 10,000 of its wearable bracelets. The Royal Bank of Canada and Mastercard also tested the tech in a trial last year.
Authentication method: signatures
Signatures? That’s not biometric authentication. That’s signing a cheque!
Well, not quite. Belgian-Dutch startup Sign2Pay does more than just recognise the pattern of a signature. Instead, it assesses the way the signature is written.
It analyses over a thousand datapoints like pressure, number of keystrokes and where and when the finger/stylus leaves the screen. It believes the process is fast and safe – and doesn’t require additional readers or authentication devices.
Authentication method: fingerprint
NXT-ID has developed a curious alternative to the wallet. The Wocket is a small plastic device inside which is a single smart card. Users place any credit, debit, gift or loyalty card inside the Wocket.
It scans them and retains the details, which can be viewed on the screen. It can store about 10,000.
The user then scrolls the screen, chooses the card and unlocks it to the single Wocket smart card. He or she then uses this to make a transaction as normal.
So the Wocket replaces multiple cards with just one. Where the biometric authentication comes in is at the ID stage. Effectively the card is dumb and worthless till it’s unlocked by a fingerprint.
Company: Fujitsu/NTT DoCoMo
Authentication method: iris
Japanese phone maker Fujitsu and mobile operator NTT DoCoMo teamed up to make the Arrows NX F-04G smartphone – apparently the world’s first to offer iris recognition for phone unlocking, mobile wallet payments, and web logins.
It uses a combo of LED light and infrared camera to read the pattern of your iris to match it to your pre-registered pattern. And it doesn’t matter if you’re wearing glasses.