by Raimund Genes
RBS/NatWest recently became the first bank in the UK to offer biometric authentication for access to mobile banking. It’s a great piece of PR for the financial giant, but will it actually drive more customers to its services, save money, or improve security? For many CIOs the jury’s still out on biometrics. But if some of the most risk averse institutions in the country are beginning to come around, maybe it’s time to take another look at the technology.
Goodbye cruel passwords
First up, biometrics can remove the need to remember so many passwords and usernames. Consumers with multiple accounts across the web are all too often tempted to reuse a single memorable password, so one breached site exposes every other account that shares it.
In an enterprise context, passwords can be even more limiting. For organisations that enforce strict 30-day password rotation, with previously used credentials disallowed, the burden on users becomes arduous in the extreme, and users respond with predictable workarounds such as incrementing a digit or writing the password down.
Biometrics are also attractive from an enterprise point of view because they blunt the most common route into corporate systems: stolen or guessed log-ins. A keylogger on your receptionist's PC captures every password she types, but if she scans her finger, hand or iris to access the network, there is nothing typed to capture. Two caveats belong here. First, the match has to be performed on hardware the attacker does not control, as with Touch ID, where the fingerprint data never leaves the device and the app only receives a yes or no; a system that ships raw templates to a server merely gives the attacker something different to steal. Second, unlike a password, a compromised fingerprint cannot be reissued, so the stored templates need protecting at least as carefully as a password database.
Now for the cons
But as much as biometrics offers a genuine alternative to traditional authentication methods, there are limitations. The most obvious, especially from a mobile perspective, is scale. Going back to the RBS story, biometric log-ins will only be available to iPhone users on the newest, Touch ID-enabled, models. There's no mention of Android, and it is hard to see how Google or anyone else could offer a standardised fingerprint scanner across that ecosystem as things stand. Android is simply too amorphous: different handset manufacturers, operating system versions and user interface overlays, with as yet no platform-wide fingerprint API that a bank can build against and trust to behave the same on every handset.
Partly for this reason I think biometrics will be too expensive for most CIOs to implement inside the enterprise. With the advent of BYOD there are simply too many devices in circulation to try and enforce any kind of homogeneous biometric access policy. It has a much better chance of success in a mass market, B2C context, where the provider can limit support to a short list of handsets it has tested.
In the end the best use for biometrics going forward will be in combination with another factor. Strictly, a second factor means a different category: something you know, such as a password or memorable word, or something you have, such as the registered handset. A second biometric like voice analysis is still "something you are", so on its own it does not add a category, but pairing it with a fingerprint does raise the bar. A user placing a finger on the scanner while saying their memorable word is pretty hard to simulate if you're a crook, and it actually combines two categories: the word itself (knowledge) and the voiceprint (inherence). As RBS has done, a fingerprint scan can be enough to view an account, but payments and other higher-risk tasks should require additional steps, with the step-up triggered by the risk of the action rather than applied uniformly to every log-in. It's all about balancing security and usability, with risk reduction as your guiding principle.
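The tiered, risk-driven step-up described above can be written down as a small policy engine. The following is an added example, not code from RBS/NatWest or any vendor; the factor names, action names, tier numbers and the high-value threshold are all assumptions chosen for illustration. It shows the point that matters in practice: presented factors are collapsed into the distinct categories they cover (so fingerprint plus voice counts as one category), higher-risk actions demand more categories, and an action the policy does not know about is denied rather than waved through.

```python
"""Step-up authentication policy: which factor categories an action needs.

Added example, not RBS/NatWest code. Factor and action names, tier
numbers and the high-value threshold are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    """The three classic authentication factor categories."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Which category each presented factor belongs to (assumed names).
# Note that fingerprint and voice are BOTH inherence: two biometrics
# together are still one category.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "memorable_word": Category.KNOWLEDGE,
    "registered_device": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "voice": Category.INHERENCE,
}

# Minimum number of distinct categories each action needs (assumed policy).
# Low-risk reads need one; money movement needs two; changing how the
# customer is contacted or authenticated needs all three.
ACTION_MIN_CATEGORIES = {
    "view_balance": 1,
    "pay_existing_payee": 2,
    "add_payee": 2,
    "change_contact_details": 3,
}

# Payments at or above this amount (assumed threshold) need one more
# category than the base requirement for the action.
HIGH_VALUE_THRESHOLD = 1000


@dataclass
class Decision:
    allowed: bool
    required: int
    presented: set = field(default_factory=set)
    reason: str = ""


def categories_of(factors):
    """Collapse presented factors into the distinct categories they cover.

    Unknown factor names are rejected outright rather than silently
    ignored, so a typo in a client cannot look like a satisfied factor.
    """
    cats = set()
    for f in factors:
        if f not in FACTOR_CATEGORY:
            raise ValueError(f"unknown factor: {f}")
        cats.add(FACTOR_CATEGORY[f])
    return cats


def required_categories(action, amount=0):
    """Distinct categories the action needs, or None if it is not in the
    policy (the caller treats None as deny)."""
    base = ACTION_MIN_CATEGORIES.get(action)
    if base is None:
        return None
    if action.startswith("pay_") and amount >= HIGH_VALUE_THRESHOLD:
        base += 1
    # A requirement can never exceed the number of categories that exist.
    return min(base, len(Category))


def authorize(action, factors, amount=0):
    """Decide whether the presented factors satisfy the action's tier.

    Fails closed: an action the policy does not know about is denied.
    """
    presented = categories_of(factors)
    required = required_categories(action, amount)
    if required is None:
        return Decision(False, 0, presented, "action not in policy")
    if len(presented) >= required:
        return Decision(True, required, presented, "ok")
    return Decision(False, required, presented,
                    f"need {required} categories, got {len(presented)}")


if __name__ == "__main__":
    # Fingerprint alone is enough to look, but not to pay.
    print(authorize("view_balance", ["fingerprint"]))
    print(authorize("pay_existing_payee", ["fingerprint", "voice"]))
    print(authorize("pay_existing_payee", ["fingerprint", "memorable_word"]))
    # A high-value payment steps up again and needs the registered device too.
    print(authorize("pay_existing_payee",
                    ["fingerprint", "memorable_word"], amount=5000))
```

The two details worth copying into a real policy are the collapse to categories in `categories_of` (it is what stops fingerprint plus voice from masquerading as two-factor) and the fail-closed default in `authorize`, so that a new action added to the app without a policy entry is blocked until someone decides which tier it belongs to.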