Following today’s news that RBS and NatWest customers will be able to log into mobile banking apps using their fingerprints, CBR brings you the reactions of 5 leading security experts, giving you their thoughts on banking biometrics.
1. Convenience, as well as security, is key
Jason Goode, Managing Director EMEA at Ping Identity, commented: "CIOs and IT managers should take note that while security is a top priority for online banking customers, so too is convenience. It should therefore come as no surprise that the banking industry is starting to embrace the next generation of application technology.
"Biometric technology such as fingerprint recognition not only facilitates a faster service in our on-demand culture, but it also centres on the user’s identity – a crucial aspect.
"By deploying systems that centre on a customer’s identity and recognise returning customers to give them quick and easy access, banks can avoid any exodus and allow both their businesses and their customers to truly realise the benefits of secure online, mobile access to their finances."
2. A false promise?
Thomas Bostrøm Jørgensen, CEO at Encap Security, commented: "Today RBS and NatWest announced customers using iPhone 5s, 6 and 6 Plus would be able to log in using Touch ID. This is a watershed moment for biometrics in banking.
"The question is: are biometrics a false promise?
"Sure it’s trickier to subvert a fingerprint than a password, but it’s not impossible – Touch-ID was ‘hacked’ less than a month after introduction. One hacker has claimed to be able to recreate fingerprints from high-resolution photos. And while you can issue a new PIN or password you can’t issue a new fingerprint – not without it being very messy. A single factor will always be vulnerable to attack.
"Apple has already suffered reputational damage from the iCloud breach that revealed a lot more than some celebrities wanted. Banks can’t afford to make the same mistake with biometrics."
3. Not exactly the most reliable or secure tech
Roy Tobin, Threat Researcher at Webroot, said: "With so many high-profile data breaches over the past 12 months banks should tread carefully when implementing biometric technology. Biometrics have a very useful application in certain areas.
"But fingerprint technology isn’t the most reliable or secure method. In security we are always tasked with making the technology easy to use, but as secure as possible. Unfortunately, these two goals are difficult enough on their own, let alone when combined.
"The sheer amount of prints the average individual leaves behind day-to-day means that this data can relatively easily be compromised. There are vast issues around data protection; who can access these fingerprints and how that data can be used are all real concerns.
"Adding in the fact that the iPhone fingerprint scanner was hacked less than 2 days after its release doesn’t restore faith in this type of verification. We should not be looking for the simplest form of access, but the most secure – two-stage authentication with a strong password is the ideal security option."
4. Biometrics should not be used in isolation
Stephen Keenan, UK&I Managing Director at Verizon said: "Lost and stolen passwords remain the No. 1 way that systems are compromised. According to the Verizon 2014 Data Breach Investigations Report, two out of three data breaches are attributable to lost or stolen user names and passwords, or both.
"We continue to see user names and passwords fail as a secure way to log in, no matter how complex the password.
"However, proving that people are who they say they are has been a challenge with digital security since computers have been in use. Biometrics offers a great way to authenticate individuals into systems, applications and data. The reasoning is simple: since everyone has a unique biological identity, let’s apply that single biological identity to cyberspace to establish trust.
"Yet biometrics should not be used in isolation, and should instead contribute to what’s called a ‘multifactor’ authentication scheme, as this can vastly improve identity proofing by pairing ‘something you know’ such as a username and password combination with ‘something you are’, making it much more difficult for a criminal to hack into systems pretending to be you."
5. Landmark moment for 2FA
Phil Underwood, Global Head of Pre Sales at SecurEnvoy commented: "Today’s announcement from RBS and NatWest on their adoption of fingerprint technology is a landmark moment for two-factor authentication (2FA) entering the mainstream.
"There is always a balancing act when it comes to authentication. Make it too easy for the user and the authentication may be compromised or circumvented; too hard and adoption rates for the new authentication technology will drop. This shows that there is now a middle ground that is secure enough for banks to remain regulatory compliant, but easy enough to lead to widespread adoption (as backed up by them citing almost 1m downloads of its banking app already).
"One of the main drivers of this authentication technology taking hold is that the current generation’s device of choice is now firmly the SmartPhone, with there now being over 1.75 billion devices in use worldwide and this is ever growing.
"Today, 2FA is all around us and prevalent on popular web sites such as PayPal, Gmail and Ticketmaster.
"With the advent of reliable fingerprint readers on the latest SmartPhones, the second ‘something the user knows’ component is switched from a potentially easy-to-break password to a physical one that is unique. So the technology is at everyone’s finger tips… literally."