Friday 30 January 2015

Secure Convenient Internet Banking utilizing biometrics

Introduction

Customers are expecting biometric authentication for services today. You only have to look at Apple Pay to understand that this is indeed the case.
In my view the cornerstone of Apple Pay can be described by three facts.
  1. It is simple. This might not be obvious at first glance, but it becomes obvious if you compare it to similar solutions for mobile payments, and especially if you look beyond the surface.
  2. It is convenient. Using biometrics for user authentication makes authentication smooth and convenient. It also allows authentication to be performed in all purchase situations, whereas other solutions have had to make a split, letting low-value payments go through with no user authentication in order to be perceived as convenient.
  3. It is secure. "Secure" is a dangerous word to use, since nothing is absolutely secure and anything usable has to make concessions relative to a security utopia. The solution is arguably more secure than any other deployed solution in the market.
In this discussion I will use these factors as discussion points for the solution.

So what are you talking about?

This is the solution.




Basically you get access to a full-service Internet bank with your fingerprint, and we are talking really full-service banking. Among the services:
  • Payments to any domestic or foreign recipient.
  • Order new or replacement cards.
  • Retrieve PIN codes for your cards on the screen.
  • Stock portfolio management.
And a lot of other high-security services. And this is for real and not some kind of mock-up; it is about real money and a solution for a real bank. (I know, I made it and have the scars to show for it.)

Evaluation

Convenience

The convenience is superb. To be granted access, the only thing you have to remember or present is your fingerprint, and that's it. The same applies to high-risk transactions performed after login: you will be asked for your fingerprint to authorize the transaction. No more and no less.


Security

The big question of course is whether this is secure, and the answer is yes, this is very secure. All solutions bring new and different risks; arguably one risk with this solution is that somebody misuses your biometrics. This is a valid case, where somebody could have been incapacitated and the biometrics are used without the person's consent or even knowledge.
Such new threats need to be evaluated against the other threats that such a solution eliminates.
  • Access is not possible without this particular device and the account holder. It cannot be performed remotely by somebody on a different continent while you are asleep at night.
  • Arguably the biggest threat to your finances as far as fraud goes today sits on your desk and is called your PC. The platform used here is immensely stronger and more resilient to attacks.
  • Nobody remembers passwords, except for the really bad ones like "123456" or "password". Almost everybody keeps their credentials, which are normally weak, on their phone anyway. So if you lose control of your phone or lose it altogether, you are at really big risk of misuse or fraud as it is. This solution augments this by requiring not only your phone but also your biometrics.
At the end of the day, unless you are afraid of being subjected to a rape drug for the purpose of financial robbery, you are far better off with this solution than with any alternative solution.

Platform support

Currently the only platform this is implemented on is iOS. It is conceivable to implement a similar solution on a few selected Android phones. Actually I have prototyped an identical solution on the Samsung S5; however, there are some quite big challenges.
The biggest challenge is that the TEE and repository are not documented in a convincing manner. Remember, if you are going to launch something like this you need to be very sure about every aspect of the platform security. Unfortunately this is not there on the Android side at the moment.
Secondly, the fragmentation of Android, which extends to the point where no biometric API exists, is a really big show stopper.

The Big Picture

So this is really great, right? Simple, really; anybody could do this. Yes, a lot of people could and probably will make similar solutions. Some will be great, secure solutions, while others will look great but will be disasters waiting to happen.

The Devil

Like most solutions, the difference is in the details, and this is also where the devil hides. Biometrics are great for authenticating the user locally on the phone. Translating this fact in a reliable manner to the back-end systems is the task which separates the boys from the men, so to speak.
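
One way to carry a local fingerprint match to the back end, as an added example that is not the author's implementation (the post does not disclose its details): the server issues a single-use nonce bound to the transaction and accepts only a proof computed with a key the phone releases after a successful match, never a client-sent "fingerprint OK" flag. `Backend`, `device_proof` and the transaction strings are hypothetical, and HMAC with an enrolled shared key stands in for the asymmetric, hardware-held key a real deployment would use.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed value)


class Backend:
    """Hypothetical bank back end; all names are illustrative."""

    def __init__(self):
        self.device_keys = {}  # device_id -> key registered at enrolment
        self.pending = {}      # nonce -> (device_id, transaction, expiry)

    def enrol(self, device_id):
        # Stand-in for registering the public half of a device-bound key pair.
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def challenge(self, device_id, transaction, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        # The nonce is tied to one device and one exact transaction.
        self.pending[nonce] = (device_id, transaction, now + CHALLENGE_TTL)
        return nonce

    def verify(self, nonce, transaction, proof, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(nonce, None)  # single use: a replay finds nothing
        if entry is None:
            return False
        device_id, expected_tx, expiry = entry
        if now > expiry or transaction != expected_tx:
            return False
        key = self.device_keys.get(device_id)
        if key is None:
            return False
        expected = device_proof(key, nonce, transaction)
        return hmac.compare_digest(proof, expected)


def device_proof(key, nonce, transaction):
    """What the phone computes once the local fingerprint match releases the key."""
    msg = nonce.encode() + b"|" + transaction.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()
```

The back end authorizes a payment only if `verify` returns `True`; a replayed proof, an altered transaction, an expired challenge or a proof from an unenrolled key all fail.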


Signing off

I will probably expand this material with more details when time permits. In the meantime, feel free to get in touch with me if you would like to discuss it. Some stuff I can share, while other aspects will have to remain a business secret.