Biting off More Than You Can Chew: Why Biometrics Aren’t the Future
Posted April 28, 2015
Recently a senior PayPal evangelist gave a rather controversial interview to the Wall Street Journal. In it, he appeared to suggest a radical alternative to password-based authentication systems: biometrics generated by devices ingested or embedded under the user’s skin. Now, it’s true that passwords should no longer be used by any online provider serious about security. And it’s always interesting to hear new approaches to user authentication.
But organisations need an answer today to the mounting problem of online fraud. It needs to be fast, affordable, frictionless and accurate. And in those respects, biometrics just don’t deliver.
So why isn’t biometric technology the answer?
The problem with biometrics
On paper, the prospect of biometrics like embedded wireless chips monitoring ECG readings, or ingestible capsules that can detect glucose levels, sounds like a decent idea. After all, the readings they then transmit should be unique to that person – surmounting problems of false positives and false negatives. LeBlanc even suggested that batteries for such systems could be powered by stomach acid. At last, a fully internalised, unhackable “natural body identification” system to put “users in charge of their own security”. Right?
Well, not really.
The main issue many people have with biometrics is that they rely on something that should be unhackable – impossible to simulate or crack. But if cyber criminals do find a way of doing so – and they’ve proven themselves to be a pretty resourceful bunch thus far – then what? You might be able to reset your password pretty easily after a phishing attack, but what about your heart rate? Or your glucose levels?
The next major barrier is the users themselves. Security versus usability is a tough balance at the best of times. How much tougher will it be to sell such invasive authentication systems if the user is basically happy with the level of security they get with a regular fingerprint scan or a phone based one-time passcode system?
Why context-based wins
I’m not dismissing the work of PayPal and others to improve on password-based verification. But too many question marks remain over biometrics – even the systems that are closer to reality than the hypothetical scenarios painted by LeBlanc. Whether your business is in e-commerce, social media, banking, insurance or another sector – you need fast, reliable, friction-free two factor authentication that works … today.
The key for organisations going forward is to seek out systems which can work in the background, completely invisible to the user, checking things like device identity, malware, and use of ToR or other obfuscation methods favoured by cybercriminals. They’ll be able to check against a series of unique attributes associated with that user comprised of log-in habits, typical locations, user IDs, email addresses, phone numbers, shipping information etc, and flag a suspect transaction even if the person is using valid (but stolen) credentials.
Futuristic biometrics will always grab the headlines. But context-based authentication is where the smart money’s already being spent, to cut fraud and keep customers happy.