Will Biometric Authentication Replace Passwords in 2016?

Read the full article here.

Security is the topmost concern of the financial services industry today. Passwords have been the most common and the oldest way to keep accounts and personal data secure. But for how long? It’s difficult to keep a track of all the passwords. With the growing number of apps and websites being used today, the list of passwords keeps growing as well. Also, there is the question of whether passwords are safe anymore. Several surveys have revealed that people use same passwords across their Internet accounts. Over half of Internet users get at least one phishing email per day. According to Consumer Reports, the cost of phishing is almost $500 million per year in the United States alone. On top of that, there are computer software programs like Hashcat, which can crack passwords up to 55 characters. Given the increasing levels of vulnerability of passwords, we at Let’s Talk Payments wonder if 2016 should be a password-free year.

What motivates us to think of 2016 as a password-free year is Google’s recent pilot involving password-free logins that involve signing into Gmail without a password. How does that work? Basically, you enter your email address in Gmail and receive a notification on your phone. When tapped “Yes,” it will let you automatically login via your computer. Google’s new feature is conceptually same to Yahoo’s recently launched “Account Key” feature, which works in a similar fashion and opens up the Yahoo Mail app for the user to approve the login.

As discussed in our recent podcast, we think passwords must go away in 2016. More than a decade ago, Bill Gatespredicted that there will be a decrease in the usage of traditional passwords for data security and thought that traditional passwords just don’t meet (and exceed) the challenge of security. Ten years after Bill Gates’ prediction, Microsoft came up with “Windows Hello” in the new Windows 10, where users can login into their PCs using face recognition.

In the FinTech industry, Apple has done a brilliant job of taking people away from passwords by introducing TouchID. Apple claims you would have to try 50,000 fingers to find a random match, which it argues is much more secure than the one-in-10,000 chance of guessing a four-digit passcode. Apple’s TouchID has been a huge success as banks and financial institutions are incorporating the feature in their banking mobile apps. Like Apple Pay, Samsung Pay also has biometric authentication techniques where a user will be able to authorize payments by holding their finger on the home button.

Very rapidly, biometric authentication is replacing the term “password,” especially in FinTech. This is true not just for the US but globally as well. Banks in countries like Poland are way ahead in biometric authentication adoption. Polish banks offer two kinds of biometrics: fingerprints and voice recognition. Voice authentication is offered by Meritum Bank and Smart Bank. Fingerprints recognition is available in mBank, Millenium Bank, Meritum Bank and ING Bank Śląski applications. Other banks keep preparing to implement the innovations as well. And it is not just fingerprints and voice recognition that may potentially replace passwords. There are other modalities like voice recognition, heartbeat recognition and iris recognition in the picture.

  • Halifax, the high street bank owned by Lloyds Banking Group, has trialed technology which uses a customer’s heartbeat as security authentication for its digital financial services
  • Bionym, the company behind the Nymi band electrocardiogram (ECG) authentication wristband, did a pilot test along with RBC and MasterCard for payments
  • Uniqul, a Finnish company, has already developed a payments system which uses first facial recognition for payment purposes
  • Japanese telco NTT DoCoMo and handset maker Fujitsu have already launched a smartphone that authenticates users for mobile payments by scanning their irises
  • Wells Fargo, one of the top US banks, plans to pilot a fusion of voice and face biometrics to authenticate customers, a feature that is being rolled out to CEO Mobile iPhone app users in 2016

While there are a few companies like Excalibur and Passwordpack which let people put all their passwords in one place with one login, that doesn’t really take passwords away. The other technology taking people away from passwords is the security token or cryptographic token. However, it requires the users to carry additional device/s with them. There are some great startups, which are actually trying to take people away from passwords:

One You/1U

Hoyos Labs, a company known for its digital infrastructure security solutions, has launched an app called 1U which could replace the need for usernames, passwords and PINs. 1U leverages a user’s smartphone capabilities to acquire the user’s biometrics. This acquired information can then be used to replace login information for thousands of websites (including non-standard websites) that require additional information like a site key in addition to a username and password.

Continue reading here.