How many passwords do you need to remember on a daily basis? Do you find yourself having to reset passwords because you couldn’t remember if it had a number, or a capital, or both, or neither? Are all your ATM PINs the same, or are you brave enough to have different digits for each card you possess? The digital age has brought many benefits and made life easier in innumerable ways, but there are a few areas where life has got a little bit more complicated. One of these is in the area of authentication, where our digital lives have produced the need for 19 passwords, according to one UK study. Research from Ireland suggests the average person has a day-to-day need for five passwords, five PINs, three security ID numbers and three bank account numbers.
Either way, creating and remembering unique identifiers that keep our digital identities, our information, and our money safe has become such an unmanageable chore that many people simply use the same password across all sites, where possible, or they write them down on Post-It notes or in text files on their computer. None of these, of course, is safe, but as realistic strategies for busy people with busy lives and non-photographic memories, each one is much more realistic than creating and memorizing a unique and random password for every website visited, and changing them every 90 days. When was the last time you changed your PIN?
How to move beyond PINs and passwords is a question that occupies the minds of many in the fintech and mobile payments industry. Developing and preserving trust in new technologies is crucial to their adoption and active usage. Simultaneously, privacy advocates have become increasingly concerned about the amount of information that citizens and consumers are required to volunteer to both public and private entities, and the possibilities that exist for misuse of that information by them or by unauthorized third parties. Technologies are being developed, such as the EU-sponsored ‘ABC4Trust’ that should keep privacy walls between various parties and prevent information being passed on. It is likely to be a long time, however, before such or similar technology achieves widespread adoption. In the meantime, mobile payment service providers, tech-savvy banks, MNOs and handset manufacturers are left with the challenge of finding the balance between ease of use and security. Apple and Samsung’s embrace of biometrics in the form of fingerprints has pointed towards one direction of travel, but is it really the answer?
The psychology of security
If you are carrying a fistful of dollars that you are holding on tight to, no-one is going to dispossess you of them except through threats or violence. This is the benchmark that fintech security has to meet, for despite all its problems and costs, cash is secure. Because you either have it or you don’t, consumers tend to take greater care of cash than of other “replaceable” payment instruments, such as plastic cards, the losses stemming from the fraudulent or unauthorized use of which will generally not be borne by the consumer. In recent years this has meant greater concern among the banks and merchants who do bear liability for fraud (both on- and off-line) for identifying and preventing it.
This has particular relevance in the world of mobile payments, where the very newness of new technologies creates a certain level of suspicion and mistrust about the security of the consumer’s hard-earned funds. Few working in the world of mobile payments will not have carefully explained to a friend or relative the advent of some new technology or product in the space and not have been met with the question, “But what happens if you lose your phone?” While tempting, the retort of “What happens if you lose your debit card” is unlikely to win over skeptical minds.
It likely for this reason that what appear to be unnecessarily stringent Apple Pay spending limits of £20 (US$31) have been introduced in the UK, as Apple’s mobile wallet makes its European debut (though it is thought that the limit may rise to £30 in September). The decision by retailers to limit the amount that can be purchased using Apple Pay to the same limit imposed on contactless debit and credit cards is bizarre when you consider that unlike contactless payment cards, Apple Pay does require authentication. At a minimum, use of Apple Pay requires the entry of a PIN to unlock the phone in the same way paying with an EMV debit card also requires a PIN. It can also, of course, be opened with TouchID fingerprint identification, meaning that unless a thief has gone to very convoluted lengths to produce a fake fingerprint, Apple Pay should be, at a minimum, as secure as using a debit card, and generally more so. So why the spending cap?
The limitations of biometrics
The fact, however, that smartphones can be opened by either a fingerprint or a PIN point to a certain lack of confidence in this first generation of popular consumer biometrics. iPhone users will be aware that the first time after restarting the phone the PIN must be entered, instead of using TouchID. And if the user’s hands are dirty, sweaty or greasy, TouchID will struggle to identify the user and the fallback of the PIN will have to be relied upon. In practical terms, this means that fingerprint biometrics are no more secure than entering a PIN, so long as a PIN can be used to override the fingerprint scan.
Moreover, a determined fraudster could replicate a fingerprint using fairly basic technology, as this video demonstrates, without having to resort to Mission Impossible levels of accomplishment (though whether they would be able to do so before the target of the fraud notices that their phone is missing is highly debatable). Nevertheless, other than the novelty factor and the convenience of a half-second saved, it is unclear precisely what the value of TouchID and similar technologies currently is. More worryingly, the vulnerabilities of biometrics have been laid bare this past week through the revelation that over 22 million Americans had their personal information compromised, possibly by a cyber-attack originating in China, on federal government security-clearance personnel records that included 1.1million fingerprints. Presumably the database was password protected, but even if your PIN or password gets compromised you can change it. The same cannot be said of a finger. As one report rather bluntly put it, this hack will continue to be a problem until each of these people whose sensitive information was stolen “drops dead”.
What this highlights is the fact that the immutable nature of biometrics is their weakness as well as their strength. As long as the biometric authentication is unique, unchanging and replicable, once compromised it is thereafter rendered either redundant or at risk. And while wearables or other advances in biometric technology mean that in the near future combinations of biometrics, or biometrics and PIN/location verification, may become available to create the two-factor authentication that would be much more secure, it is highly questionable whether consumers would warm to the user experience of having to scan a finger and a retina in order to buy a $40 t-shirt. Indeed, would they even be prepared to trust their bank with such information?
In truth, we are just starting down the path towards scalable and secure biometrics, but we are a very far way from seeing on the market products and services that cannot easily be overridden by a PIN. Until then, a password minder service is probably recommended; if you can remember the password for it, that is.
©Mondato 2015. Mondato is a boutique management consultancy specializing in strategic, commercial and operational support for the Mobile Finance and Commerce (MFC) industry. With an unparalleled team of dedicated MFC professionals and a global network of industry contacts, Mondato has the depth of experience to provide high-impact, hands-on support for clients across the MFC ecosystem, including service providers, banks, telcos, technology firms, merchants and investors. Our weekly newsletters are the go-to source of news and analysis in the MFC industry.
Click here to subscribe and receive a weekly Mondato Insight direct to your inbox.
Image courtesy of Perspecsys CC BY-2.0.