Introduction
Customers are expecting biometric authentication for services today. You only have to look at Apple Pay to understand that this is indeed the case. In my view the cornerstone of Apple Pay can be described by the following facts.
- It is simple. This might not be obvious at first glance, but if you compare the solution to similar solutions for mobile payments, and especially if you look beyond the surface, it becomes obvious.
- It is convenient. Using biometrics for user authentication allows a smooth and convenient authentication. This also allows authentication to be performed in all purchase situations, while other solutions have been required to make a split where low-value payments are made with no user authentication in order to be perceived as convenient.
- It is secure. The word "secure" is a dangerous word to use, since nothing is absolutely secure and anything usable will have to make compromises relative to the ideal of security. The solution is arguably more secure than any other deployed solution in the market.
So what are you talking about?
This is the solution. Basically you get access to a full-service Internet bank by your fingerprint, and we are talking really full-service banking. Among the services:
- Payments to any domestic or foreign recipient.
- Order new or replacement cards.
- Retrieve pin codes for your cards on the screen.
- Stock portfolio management.
Evaluation
Convenience
The convenience is superb: to be granted access the only thing you have to remember or present is your fingerprint, and that's it. For high-risk transactions performed after login the same applies; you will be queried for your fingerprint to authorize the transaction. No more and no less.
Security
The big question of course would be whether this is secure, and the answer is yes, this is very secure. With all solutions there are new and different risks; arguably one risk with this solution is the risk of somebody misusing your biometrics. This is a valid case: somebody could have been incapacitated and their biometrics used without the person's consent or even knowledge. Such new threats need to be evaluated against the other threats which such a solution eliminates.
- Access is not possible without this particular device and the account holder. It cannot be performed remotely by somebody on a different continent while you are asleep at night.
- Arguably the biggest threat to your finances as far as fraud goes today is located at your desk and is called your PC. The platform used here is immensely stronger and more resilient to attacks.
- Nobody remembers passwords except for the really bad ones like "123456" or "password". Almost everybody has their credentials, which are normally weak, on their phone anyway. So lose control of or lose your phone and you are at a really big risk of misuse or fraud as it is. This solution augments this by requiring not only your phone but also your biometrics.
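The two properties argued for above, that login and high-risk transactions are authorized by a fingerprint presented on the phone, and that access needs both this particular device and its account holder, are usually realised as a device-bound signing key that only becomes usable after a local biometric match. The following is an added example that is not code from the bank, Apple, or the original post. It simulates that pattern end to end: the phone holds an ed25519 key that never leaves it (standing in for a key kept in the TEE / Secure Enclave), the biometric matcher is replaced by a string comparison, and the bank verifies a signature over a single-use challenge bound to the transaction. All names, the enrolled fingerprint value and the transaction text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the phone: a signing key generated on the device that never
// leaves it, plus a local biometric gate that must succeed before the key is
// used. In a real product the key lives in the TEE / Secure Enclave; here
// (constructed example) it is an in-memory ed25519 key.
type Device struct {
	priv        ed25519.PrivateKey
	fingerprint string // constructed stand-in for the enrolled biometric template
}

// NewDevice enrols a fingerprint and generates the device-bound key; the
// public half is what the bank registers for the customer.
func NewDevice(enrolled string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv, fingerprint: enrolled}, pub, nil
}

// Authorize is what the bank app calls for login or a high-risk transaction:
// the user presents a finger, and only on a local match is the challenge signed.
func (d *Device) Authorize(presented string, challenge []byte) ([]byte, error) {
	if presented != d.fingerprint {
		return nil, errors.New("biometric mismatch: key stays locked")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Bank models the server side: it knows each customer's registered device key
// and hands out single-use nonces tied to the transaction they were issued for.
type Bank struct {
	devices map[string]ed25519.PublicKey // customer -> registered device key
	pending map[string]string            // nonce -> transaction it was issued for
}

func NewBank() *Bank {
	return &Bank{devices: map[string]ed25519.PublicKey{}, pending: map[string]string{}}
}

func (b *Bank) Register(customer string, pub ed25519.PublicKey) { b.devices[customer] = pub }

// Challenge issues a fresh nonce bound to the transaction text, so a signature
// cannot be replayed or reused for a different payment.
func (b *Bank) Challenge(tx string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(raw)
	b.pending[nonce] = tx
	return nonce, nil
}

// ChallengeBytes is the exact byte string the device signs: nonce | transaction.
func ChallengeBytes(nonce, tx string) []byte { return []byte(nonce + "|" + tx) }

// Verify accepts the transaction only if the signature was made by the
// registered device over this nonce and this transaction; the nonce is consumed.
func (b *Bank) Verify(customer, nonce, tx string, sig []byte) bool {
	pub, ok := b.devices[customer]
	if !ok {
		return false
	}
	issuedFor, ok := b.pending[nonce]
	if !ok || issuedFor != tx {
		return false // unknown, already used, or re-purposed nonce
	}
	delete(b.pending, nonce) // single use
	return ed25519.Verify(pub, ChallengeBytes(nonce, tx), sig)
}

func main() {
	dev, pub, err := NewDevice("alice-finger") // constructed enrolment
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Register("alice", pub)
	tx := "pay 500 NOK to ACC-1" // constructed transaction text
	nonce, _ := bank.Challenge(tx)
	sig, err := dev.Authorize("alice-finger", ChallengeBytes(nonce, tx))
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", bank.Verify("alice", nonce, tx, sig))
	fmt.Println("replay accepted:", bank.Verify("alice", nonce, tx, sig))
}
```

The point of the design is that the bank never learns the fingerprint and never receives a password: it only ever checks that a signature came from the registered device key over a challenge it issued for exactly this transaction. A wrong finger leaves the key locked, a second device with the same finger enrolled has a different key and is rejected, and a captured signature is useless once its nonce has been consumed.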
Platform support
Currently the only platform this is implemented on is iOS. It is conceivable to implement a similar solution on a few selected Android phones. Actually I have prototyped an identical solution on a Samsung S5, however there are some quite big challenges. The biggest challenge is that the TEE and repository are not documented in a convincing manner. Remember, if you are going to launch something like this you need to be very sure about every aspect of the platform security. Unfortunately this is not there on the Android side at the moment.
Secondly, the fragmentation of Android, which extends to the point where no biometric API exists, is a really big show stopper.