Since Apple launched the double whammy of the iPhone 5S and 5C in September, internet chatter has focussed primarily on the merits and disadvantages of the new home button on the 5S and whether its biometric fingerprint scanner is ultimately secure or hackable.
Within two days of launch, Germany's Chaos Computer Club claimed to have cracked the protection around Apple's fingerprint sensor by taking a fingerprint of the user, photographed from a glass surface, and then creating a "fake fingerprint" which could be put onto a thin film and used with a real finger to unlock the phone. Many have taken this exercise as evidence that biometric technology doesn’t stand up to fraudsters yet this observation appears flawed. The use of fingerprint in the case of the iPhone is actually really effective. Apple’s primary reason for introducing it was in fact ease of use more than security, yet they appear to have been judged purely against the criteria of secure access. The key to using biometrics is to apply them in a way that is appropriate to the context. When used in financial services for example, a biometric should be just one of a number of tools used in what we call a ‘multi-factor’ approach to user authentication.
In the case of the iPhone finger scanner the use of a static biometric is perfectly workable, yet when we move into other contexts such as financial services, where the level of risk might be higher, we need to use dynamic biometrics such as voice, as they are far harder to crack and hence provide much stronger authentication. In addition, using them as part of a bigger, ‘multi-factor’ system makes for a far more well-rounded and refined approach to authentication. The chances of legitimate customers being denied access is greatly reduced, something that’s a common previous pitfall of traditional binary biometrics being used in isolation. Many forward-looking institutions in the finance sector are already utilising voice biometrics, but as part of a multi-factor approach. A recent report from Opus singled out a multi-factor authentication model, including a voice biometric, as a solution that offers all the innovation that biometrics can provide yet maximises security by utilising other factors at the same time.
Of course, the key to the success of this approach is invoking levels of security that are adaptable and flexible for different channels and devices. For certain activities – for example making a mobile banking payment – it may be necessary to use all factors available in a solution, whereas a lower value activity may require just two factors. While security is important this must be matched by an effective user experience and this is where biometrics really have their merit.
Ultimately, biometric technology alone is never going to be a security panacea, regardless of whether it is used to secure transactions, incorporated in large enterprise or for consumer use. When considering the launch of new biometric technologies the industry should be focussing its discussion on the overall level of solution offered to the end consumer and in what context we are applying the biometric. Once this is achieved we will start to see biometrics, and voice biometric technology especially, achieve real success.
This was first published in November 2013