David Pollington, Head of Service Access, Identity, GSMA
Biometric authentication has been around for some time but is now becoming mainstream. Why? It’s mostly down to the weakness of passwords as a way of proving your identity in today’s world. Passwords are on the way out. There’s just no way anyone can remember enough passwords to have a different one for each account in order to keep their accounts secure – market research suggests the average user has upwards of 90 online passwords now – and that leads inevitably to the security hazard of reuse across multiple accounts. One recent survey showed 83% of us reuse the same password for multiple accounts; that’s a broken system that’s not fit for purpose in the context of today.
The truth is that passwords are inherently insecure anyway – they can very easily be phished or hacked, and frequently are, given that they’re typically stored centrally. Biometrics have some key advantages here. The obvious one is that you can’t lose or forget a thumbprint, but there’s a more significant difference. Biometric templates are generally stored and matched locally, on the user’s device, so when you use Touch ID it’s not checking a central database.
The key thing here is avoiding a situation in which that information can be stolen, and thereby permanently compromised – you can change a PIN if you need to, but there’s not much you can do to alter your retinas. Where central systems are breached, enormous numbers of people can have their biometric info stolen in one go; see for instance the case of Aadhaar, the Indian state identity system, which was breached in 2018, compromising the biometric records of more than a billion people. There’s a lesson there for all of us in the future of biometrics, and it’s encouraging to see good awareness now of how to avoid situations like that.
Where we don’t open people up to that kind of risk, we can save them a lot of time and effort, while also helping businesses to perform better. The supermarket chain Carrefour for instance has been testing biometric payment systems in the Romanian capital of Bucharest, allowing customers to complete transactions by verifying their identities through facial recognition. By allowing people to create a biometric profile to get through checkouts they not only make payments quicker and more convenient – no more fumbling around for cards or cash, or realising you left your wallet in the car – but they incentivise repeat business by building that new dynamic with the customer.
Speaking of cars, there’s been talk of incorporating biometric verification into automotive for some time now – but only in the last few months have such systems started to make their way into the mass consumer market in earnest. The most obvious use case is for authorised ignition, but there are more – Hyundai announced at the end of last year that their new range will allow drivers to unlock doors with a fingerprint, and Apple have recently patented a facial recognition system to recognise individual drivers so multiple profiles and settings can be loaded in the same vehicle. Biometric sensors can now monitor how many people are in a car, their heart and breath rate, and even if they’re adults or children – all of which will come in very handy with the rise of autonomous vehicles.
If that all sounds quite specialised and expensive, it’s worth noting that such techniques are now becoming commonplace. One carsharing company, HyreCar, is using facial biometrics in its rental app: its users can now authenticate by selfie, which has allowed the driver verification process to be shortened by around 30%. That’s good for the customer for obvious reasons – they spend less time hanging around filling in forms – but it’s also game-changing for the company, whose cars also spend less time waiting in car parks, and more time out on the roads making them money.
What people often miss, though, is that biometrics aren’t limited to scans of these kinds – they’re at their strongest when they contribute layers of authentication, as opposed to providing a single box to tick. So where a scan of the familiar kind can be matched against behavioural biometrics – where you can profile someone’s gait, or online behaviour, alongside say their voice – you can be a lot more certain that the presenting person is who they say they are, and hasn’t just been able to compromise and synthesise a scannable biometric.
That’s where biometrics will show their keenest capacity to keep our identities, data and belongings secure in the years ahead. On their own they provide a hard-to-crack element of ourselves which is always there by default, which is far more secure than a password, but when multiple biometrics can be layered with one or more additional components which we have with us at all times – a PIN or mobile device – then you really can’t get much more secure than that. The mobile industry is well placed to provide that kind of security.