Setting Out a Vision for Customer Authentication

Setting Out a Vision for Customer Authentication

We all know that "passwords suck", as my colleague Bob Meara stated clearly and succinctly in his recent blog. But what's the alternative – is the answer biometrics or something else?

We do believe that biometrics is part of the answer. However, our vision for authentication – security measures banks take when providing customers access to their services – is broader than that. Mobile devices will play a key role, but for them to be effective tools for authentication, a strong binding between customer identity and the device is essential – unless this step is done correctly, all subsequent authentication efforts are pointless.

We also contend that authentication must be risk- and context-aware. It should take into account what the customer is trying to do, what device they are using, how they are behaving, etc. and assess the risk of fraudulent behaviour. Depending on that assessment, the customer could either gain access or be asked to further authenticate themselves. And while biometrics can and will play an important role, the banks' authentication platforms need to be flexible to support different authentication factors.

We outline this vision in more detail in the report published yesterday by Celent, Security, Convenience or Both? Setting Out a Vision for Authentication. In addition, the report discusses:

  • The upcoming PSD2 requirements for strong authentication.
  • The rise of biometrics, including different modalities and device-based vs. server-based implementations.
  • An overview of various standard-setting bodies, such as FIDO alliance and W3C Web Authentication Working Group.

Also, yesterday we launched a new Celent Digital Research Panel survey, this time focused on Authentication and Identity management. The objectives of this survey are to assess amongst the US financial institutions:

  1. Investment drivers for customer authentication and identity management.
  2. Current state and immediate plans around authentication and identity management.
  3. Perspectives on the future for authentication and identity management.

If you already received an email invite, we do hope that you will respond before our deadline of August 8th. If you represent an FI in the US, and would like to take part, but haven't received the invite, please contact us at info@celent.com. We will publish the results in a Celent report, and all respondents will receive a copy of the report, irrespective of whether they are Celent clients or not. We look forward to hearing from you!

Reconciling TouchID with Bank T&Cs

Reconciling TouchID with Bank T&Cs
Apple’s TouchID is brilliant – I now use it not only to unlock my phone, but also to log into my Amazon account. I can also use it to log into my Amex app and my bank’s mobile banking app. And of course, it is the way to initiate Apple Pay transactions. The only trouble is that none of those providers can be assured that it is really me doing all of this. TouchID allows registering up to 10 different fingerprints, and authenticates the user locally by matching his or her fingerprint to the registered templates. However, authentication is not the same as identity – banks and other apps know it is someone authorised to use that phone, but they don’t know it’s me, Zil Bareisis. It is likely to be me, but it could also be my wife or my kids. It could even be a total stranger if in some bizarre bout of insanity, I allowed them to register their fingerprint with my phone. The Telegraph reported last week that the UK banks are very much aware of this issue and have decided to take a hard stance:
“Banks have warned customers that if they store other people’s fingerprints on their iPhones they will be treated as if they have failed to keep their personal details safe.
This means the bank can decline to refund disputed transactions or refuse to help where customers claim they have been victims of fraud.”
According to the paper, “the banks’ position is typically buried in the detail of bank account Ts & Cs”, something as we all know that most people accept without reading in detail. I can appreciate the banks’ concerns, but I wonder if they are somewhat overblown. Although this will change in time, most of Apple Pay transactions in the UK are still capped at the contactless limit (£30). Any of my family members today can take my contactless card and use it as contactless without any PIN. I haven’t heard too many suggestions that I should keep my card locked away from my family members. However, if this were to happen, I should be prepared to accept my family’s transactions and not report them as fraud. I am no legal expert, but it doesn’t feel like inserting protective statements within T&Cs is the way forward. First, it’s not very transparent. Second, if the issue were to arise, it is something that would not be easy for banks to prove. Could consumers just delete all the other fingerprints in case of a dispute? Finally, it’s just poor customer service. Instead, banks should invest into educating consumers about digital technologies and how to use them safely and responsibly. Even if it’s as basic as, “don’t allow strangers to register their fingerprints on your phone” and “be prepared to accept your family’s transactions and not dispute them as fraud.” As the value of Apple Pay transactions grows, banks ought to consider deploying additional techniques, such as behavioural analysis to authenticate the users and minimise fraud. As with most security, multi-layered approach is likely to work best.