Biometrics and Mobile Security – Points to Ponder
Last week’s FS-ISAC Annual Summit in Miami was once again top notch. This is the second year Entrust has participated in the event, which in my opinion is one of the top venues for bringing financial security decision makers and industry experts together to discuss, debate, brainstorm and overall collaborate on the top information security issues. Last year, the primary theme centered on Man-in-the-Browser (MITB) attacks; this year, as many would guess, mobile banking was the spotlight topic. It’s no wonder, given that every major bank has already rolled out a first generation solution – some with as many as 5 million subscribers – not too shabby, as they say here in the Ottawa valley. Many of the banks that I met with are still struggling to find an effective way to implement strong security for the mobile channel and quickly admitted that user experience was very important, perhaps even more so than the strength of security provided. Entrust launched a new offering at the conference that directly addresses both of these top priorities and also provides a compelling means to deliver cross-channel authentication capabilities natively within the bank’s mobile application.
At the conference, I had two separate discussions on the use of biometric devices – one around the concept of using your thumbprint to unlock your smart phone and the other related to voice biometrics for transaction authentication. The voice biometrics chat (one might say friendly debate) was particularly enjoyable, since the woman with whom I was having the discussion was very passionate about the technology and my own background in the technology is pretty deep, having worked in the speech recognition market for over 5 years. She went on to describe her positive personal experience using the technology – even with a very bad cold, the recognition engine accurately confirmed her unique identity. (I think it’s probably more accurate to say it didn’t reject her.) She explained how the technology could be used to help with online security using an out-of-band approach to defeat advanced MITB threats. My response – you’re right! (not a bad response to give to a woman, based on my experience :) ) But I went on to explain that while speech recognition has come a long way in accuracy, it just doesn’t make the grade on simple user experience. “What? Isn’t speaking one of the easiest things to do?” she shot back. Well, yes, speaking is easy; but it’s not that conducive unless you’re in a private setting, which is often not the case on a mobile device. Before smart phones, I could check my email by phoning into my email server and issuing speech commands “play, forward, record a reply” – effective, yes; useable on a train, waiting for a bus, in an airport lounge, in a restaurant, while in the company of colleagues at lunch? – No. Smart phones offer us the ability to easily communicate privately, in our own little world, in the presence of virtually anyone – think about how many times you have texted, emailed, checked a sports score or Facebook status while in a public setting – my guess is you’ve likely done it several times today alone.
Now, imagine using speech as an alternative input mechanism... Get my point?
To sew this up quickly, the second discussion was around thumbprint verification to access your device – seems pretty easy, perhaps easier than entering a PIN (though I’m not convinced) – and it’s secure as well; the question then becomes – do we really need it? For the number of times we lose our device and a criminal obtains it, cracks our PIN, and cracks our online banking password, all BEFORE our device is remotely wiped – do we really need this level of sophisticated security? To me, it’s about balance – security, cost, and ease of use – sure, depending on the use case, one of these three may get more priority, but in general one must consider all 3 before implementing technology simply for technology’s sake.