
Fingerprints and faces: How biometric authentication is still far from secure

Biometric authentication, such as retina and fingerprint scanning and voice recognition, holds a lot of promise for identity and access management. Industry analysts the world over laud the new technology and are constantly jostling to take the crown as the main authority on the subject.

"Secondary authentication like facial recognition or biometric retina-vein recognition to authorise a higher value transaction... can revolutionise fraud management," said Forrester principal analyst Andras Cser of the technology back in April.

His peers at Gartner tend to agree. Jackie Fenn, vice president and Gartner Fellow Emeritus, and Hung LeHong, research vice president, said in a research note, "Biometric authentication will enable a near-cashless world scenario." Similarly, in May 2013, Ant Allan, research vice president at Gartner, was also excited but slightly cautious, saying that biometric authentication methods "promise better accountability and superior user experience, yet remain a niche choice."

But people often forget to read between the lines. Each of these analysts is merely making predictions. They are talking about the future. Nobody is recommending using biometric authentication now, since it simply isn't ready.

The gold standard for any authentication method is at least 99.9 per cent reliability. Chip and PIN achieves this, but biometric authentication as yet does not, instead varying between 40 per cent and 95 per cent depending on the level of security required (the 95 per cent figure corresponding to a low security setting). The reason is that a biometric matcher works on a threshold: tightening it to reduce false acceptances raises the rate at which legitimate users are falsely rejected, and loosening it does the reverse, so a system cannot be made both convenient and strict at the same time.

Two major companies in the ultra-risky fields of payments and banking, PayPal and Barclays, have already kicked off trials of biometric authentication technologies. PayPal's system in 12 Richmond stores is the first of its kind in the UK to use a customer's photo for authorising payments. The firm's app for iOS, Windows OS and Android highlights nearby shops and restaurants that accept PayPal before a customer checks in by clicking on the required retailer and sliding an animated pin down on their screen. The customer's name and photo then promptly appear on the shop's payment system, and the retailer charges them by clicking on their image.

Meanwhile, the Wealth & Investment Management division at Barclays is currently testing voice recognition on a portion of its customers. The system requires a user to engage in "natural" speech with a call centre agent for 20-30 seconds until a computer is able to verify the voice on the call against the one already held on file. According to the bank, around 95 per cent of customers are verified during the first call; those who aren't then have to go through the usual rounds of security questions on their first pet, best friend at school, etc., meaning that voice recognition simply adds to an already lengthy process.

Using face or voice recognition technologies to authenticate quick and convenient transactions in shops, cafes and banks seems ideal in our ever-busy lives. However, in both cases there are still risks that drag the reliability of these methods below the crucial 99.9 per cent line.

In the case of face recognition, completion of a transaction relies on a shop assistant verifying a customer's face, which could easily be subject to human error. However, using a real person here is still far more reliable than using a computer. If the process is automated, there seem to be more documented cases of facial recognition failures than successes, from phone apps amusingly recognising distorted knees and other body parts as faces, to the system employed by the US Government, which cost millions of dollars yet failed to pick out the Boston bombers.

Voice recognition is not new but, like face recognition, is still in its infancy. We are not even at the stage where computers can reliably recognise what we're saying, let alone who is saying it. The 99.9 per cent reliability is at least a decade away.

From a social side, people are wary of authentication methods which involve their own body parts (perhaps as a result of James Bond-esque movies in which a villain may decide that the best way to acquire a fingerprint is to simply sever a whole finger). As unlikely as the situation may be, it is difficult to imagine a day when the public would be happy to put themselves in this position for the sake of their job.

The foundation of secure authentication is the identity of the user: the real person must match the digital representation of that person, so that the right individual is accessing the right digital information. Two-factor authentication using mobile phones to verify processes such as payments and banking still remains the best way forward.

The system, as its name suggests, uses a combination of two pieces of information. Firstly, something you own: a mobile device; secondly, something you know: a PIN. The mobile phone replaces something like a card reader and smart card, which is easy to misplace and less likely to be carried around on a daily basis.

Using technology within a device already owned by an individual, such as preloaded SMS or soft token app authentication through mobile phones, is a more secure and cost effective method for organisations. It has a higher reliability rate and is far less prone to faults, or to replication by malicious users trying to access an individual's details illegally.

SMS technology's ability to turn any mobile into an authentication device is to date the most novel and effective solution we have. Combining this with an end-user app cuts out the need for a help desk and means that customers are always in control. This makes the solution as hassle free as a password but doubly secure.

In stark contrast, face and voice recognition technologies are just about learning to stand without falling over. In today's world, two-factor authentication is the most secure solution we have.

Andy Kemshall is the technical director of SecurEnvoy.