Biometric authentication, FIDO standards and our money security
In the upcoming revolution on the payment market, stimulated by the PSD2 Directive and open banking standards, transaction security plays an increasingly important role. In order to protect our funds from unauthorised access, financial operations will need to introduce very strong authentication. The system shall verify at least two out of three elements, defined as something we know (e.g. a PIN or password), something we have (e.g. a smartphone or token) and something we are (e.g. an iris scan or fingerprint).
Customer convenience is just as important as security; therefore, authentication should occur quickly and without extra effort. Will financial service providers be able to deal with all these requirements? Are there any ready-made solutions and technologies that will prove useful?
Growing security needs
A password is no longer adequate protection. Passwords are cracked and stolen far too often. And we simply have too many of them, far too many to remember them all. One of the most widespread insecure practices is re-using the same password for various accounts and applications. Additionally, some people still use popular passwords, such as 12345 and abc123 (both are on GeekWeek’s top 10 list). The majority of cyber-attacks are caused by weak passwords.
Fortunately, there is an alternative. Biometrics is a technology that in just a few years will eliminate the necessity of using passwords. Combined with any additional security technology, it will successfully protect us and our money from fraudulent access.
Biometrics: unique data that we always carry around
Biometric methods are based on biological and behavioural features that are unique and enable us to distinguish one person from another. One of the oldest and most popular methods our civilisation knows is checking fingerprints. Modern technologies, however, offer a wider variety of methods, from iris and cornea scanning, through voice biometrics, vascular biometric systems, face scanners and palm scanners, to behavioural methods, such as the way a person draws a symbol on their screen or pushes the keys. In only a few years we will be able to analyse the information included in our DNA, so we are just a step away from scanning… our breath.
Visa conducted a survey which proved that European consumers are ready for biometric access to their financial services and resources. The majority perceive it as safe, quick and convenient. The inclusion of biometrics in services will thus improve the overall quality of customer service and increase satisfaction. By doing so, it will improve and strengthen the relationship with the brand.
Goodbye, passwords!
Biometrics, currently considered the best authentication method, is taking security systems by storm. We can find it in services and products, as well as in the production facilities and infrastructure of the largest corporations worldwide. Microsoft proposed face recognition as a way to unlock your PC; Apple installed TouchID fingerprint scanners in their iPhones and later extended their functionality to the ApplePay service. TouchID allows users to make contactless payments using ApplePay, but only while a finger is held on the fingerprint scanner. TouchID-style scanners have found their way into an ever-increasing number of smartphones, including ones manufactured by Huawei, Samsung and HTC.
Banque Accord and the Auchan supermarket chain introduced biometric payment authentication as early as 2012, combining a WPAN MasterCard with a choice of two biometric authentication methods: fingerprint or finger vein scan. Citi Handlowy bank in Poland also recently enabled logging in to accounts using fingerprint scanners.
Meanwhile, the future for call centres lies with voice authentication. Such a solution – recording a sound sample and using it for authentication during future calls – was recently implemented by BZWBK bank in Poland in their Business Customer Service Centre. Other banks, such as Alior, went a step further and implemented video authentication, allowing users to register their accounts using video chat. The face and the eyes of the customer are scanned, analysed and compared with the photograph in the ID card.
A secure and convenient authentication method based on the FIDO standard brings the customer experience to a higher level and at the same time ensures compliance with PSD2 Directive.
The FIDO standard and a new approach
Quick and simple biometric authentication is becoming increasingly available in various devices, but the technology is adopted fairly slowly by service providers. Additionally, a poor implementation of biometrics may do more harm than good, which is why its use should be accompanied by great attention to technical details.
FIDO brings about the standardisation of biometrics and other security measures available through the device. Compliance with that standard means that the hardware fulfils all requirements pertaining to security and privacy. After registering FIDO-compliant devices with the services they use, customers can connect to them in an easy and secure way: they no longer have to worry about identity theft, phishing or interception of their traffic. If the authenticator tied to a service gets stolen, the criminal will not gain access to our accounts, because they will not be able to pass the biometric verification. Additionally, reporting the stolen device to FIDO will immediately cause it to be disconnected from all services.
After the introduction of the FIDO standard, service providers get access to the user information required for authentication, while gathering no other personal data whose disclosure could be potentially harmful. In this sense, the FIDO standard additionally helps protect our privacy.
W3C open Web standard
The vision of the FIDO (Fast Identity Online) organisation is the presence of strong authentication within all networked services, around the world. The FIDO Alliance has been working for years on transforming the intellectual property developed by its members into open and widely available standards. The significance of this organisation is further emphasised by the fact that it gathers some of the largest corporations from the sector, including American Express, Goldman Sachs, ING, MasterCard, PayPal and Visa.
FIDO standards were submitted in 2015 to the World Wide Web Consortium (W3C) as platform specifications. Once they pass the certification procedure, they will function as a global standard for the Web. FIDO also provides a public API. The specifications contain information regarding the unified mechanism for using cryptographic authentication certificates. They describe a number of use cases for mobile devices, such as smartphones, and for tokens (e.g. USB ones). The number of devices using the standard is growing at an astounding pace. FIDO-compliant biometric devices are installed in phones from the leading smartphone manufacturers worldwide. FIDO is widely accepted by corporations such as Google, Dropbox and GitHub.
More importantly, FIDO gives its members access to its protocols even during the development phase and allows for their use in the public domain. Therefore, we can expect that in time this organisation’s work will transform the entire digital identity ecosystem. Given that FIDO specifications are open, they can be further expanded to accommodate future innovations.
UAF protocol – passwordless experience in payment services
UAF (Universal Authentication Framework) is one of the FIDO protocols; it ensures strong authentication without a password. Using biometrics or other methods, the user is verified locally on the device, which then authenticates to the online service (the biometric data, if used, stays on the device and is never sent outside it). No stage of this process requires a password. Regardless of the authentication method used, FIDO UAF specifies a common interface for the subsequent steps. It is the most secure authentication solution for modern payment services presently available on the market.
We decided to implement FIDO-compliant solutions in our Open Banking API, because it is the only standard that ensures full compliance with the stringent guidelines in the RTS and the strong authentication requirement included therein. Additionally, it makes the process convenient and quick. FIDO leaves the responsibility for authentication with the device. We can assign the authentication function to our mobile phone, which is then connected to a bank account. Logging in requires biometrics or traditional methods, such as a PIN, a unique shape drawn on the screen or a fingerprint scan. None of this information is submitted to any vulnerable external database, which makes the entire process more secure.
Let us try to imagine an attempt to hack an account secured using FIDO. First and foremost, the attacker would have to break two security layers on the device itself: not only gaining access to the device, but also obtaining a biometric sample or pattern. This is not something that would be profitable, since today cyber criminals attack hundreds or thousands of accounts at the same time. The vulnerable password system gave attackers a relatively high return on investment with limited risk. A FIDO-based security ecosystem is much more difficult to breach.
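As an added illustration of the registration and login flow sketched in the FIDO section and in the UAF paragraph above (example code, not the FIDO specification and not APILOGIC’s implementation), the model below uses hypothetical Authenticator and RelyingParty types: the local biometric match is a boolean the caller supplies, the server’s fresh random challenge is supplied by the caller, and the assertion is an ECDSA signature over the AppID and challenge so that only the public key ever reaches the service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Simplified, hypothetical model of the FIDO UAF flow (not the real UAF wire format).
// Authenticator: one key pair per relying party (AppID); private keys never leave the device.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// RelyingParty: stores only public keys, never a password or a biometric sample.
type RelyingParty struct {
	AppID   string
	pubKeys map[string]*ecdsa.PublicKey
}
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{AppID: id, pubKeys: map[string]*ecdsa.PublicKey{}}
}
// Register runs only after local user verification (e.g. a fingerprint match on the device)
// and hands the server nothing but the public key generated for this AppID.
func (a *Authenticator) Register(rp *RelyingParty, user string, userVerified bool) bool {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if !userVerified || err != nil {
		return false
	}
	a.keys[rp.AppID], rp.pubKeys[user] = priv, &priv.PublicKey
	return true
}
// signedData binds the assertion to the AppID and to the server's fresh random challenge.
func signedData(appID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(appID), challenge...))
	return h[:]
}
// Authenticate signs the challenge after local user verification; it refuses an AppID it
// never registered with, so a phishing site asking for its own AppID gets no assertion.
func (a *Authenticator) Authenticate(appID string, challenge []byte, userVerified bool) ([]byte, bool) {
	priv, found := a.keys[appID]
	if !found || !userVerified {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, challenge))
	return sig, err == nil
}
// Verify checks the assertion with the public key stored at registration.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, found := rp.pubKeys[user]
	return found && ecdsa.VerifyASN1(pub, signedData(rp.AppID, challenge), sig)
}
```

A production relying party would additionally generate the challenge with a CSPRNG, expire it after one use, and track the authenticator's signature counter to detect cloned devices.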