Overview
“Behavioral dynamics will play an increasingly important factor in establishing trust factors for the authenticating consumers’ identity across every channel and for establishing persistent identity,” said Tim Sloane, Vice President, Payments Innovation, at Mercator Advisory Group and author of report. “With the introduction of new authentication factors, new secure mobile platforms, and software- and cloud-based authentication mechanisms; it will be extremely risky for banks to make an investment decision that includes hardware and requires five-plus years to achieve a positive return on investment.”
Increasingly smartphones are shipping with trusted execution environments that can displace traditional hardware security fobs. These new smartphones are critical to this fundamental shift in biometrics.
Criminal theft of passwords has made passwords obsolete, and so a new factor is required for authentication. Biometrics will be that new factor. It increases security and will prove more convenient for the consumer than passwords as it transitions into a persistent identity over the next 5 to 8 years.
For persistent identity, authentication no longer entails just a single challenge event such as a fingerprint scan but evolves into a passive trust value uniquely associated with an individual, as is being pursued by Google. The trust value will be constantly updated based on multiple factors including location and passive sound (voice and ambiance) as well as facial recognition and a range of behavioral inputs.
With the mobile device formulating this trust factor, it is highly likely that Apple and Google will be critical partners in consumer authentication for the majority of access control scenarios, including call centers and physical access.
This reliance on the smartphone will help establish the FIDO (the Fast Identity Online) Standard as the appropriate architectural approach for managing authentication credentials. Keeping the credentials in the handset eliminates the honeypots that attract criminals, increases consumer trust, and converts the authentication infrastructure into a shared resource that will greatly lower deployment costs currently associated with all authentication solutions.
This research report is 44 pages long and has 8 exhibits.
Companies mentioned in this report include: AimBrain, Allscripts, Amazon, Apple, Arena, AstraZeneca, Balabit, Bank of America, Bank of Tokyo, Bayer, BehavioSec, BioCatch, BrowserSpy.dk, bunq, Chase, ContinUse, CO-OP Financial Services, Desert Schools Federal Credit Union, Diebold, Discover, E8 Security, Early Warning, Eli Lilly, Entrust Datacard, Etsy, Evernym, Exabeam, Facebook, FIDO Alliance, FIS, Fiserv, Fortscale, Fujitsu, GlaxoSmithKline, Google (Alphabet), Gurucul, HID Global, The Hiroshima Bank, HP, IBM, IDScan Biometrics, IEEE, LexisNexis, LG, Merck, National Westminster Bank, Nikon, NuData, Nymi, MasterCard, MicroBilt, Microsoft, Mitek, NetGuardians, PayPal, Plurilock, Qualcomm, SAFE-BioPharma, Samsung, SecureAuth, Securonix, Sovrin Foundation, Sqrrl, Telesign, Temenos, TMG, Twitter, UniCredit, USAA, US Defense Department, Veridium, Visa, VoiceVault, Wells Fargo, Yahoo, and Xiaomi.
One of the exhibits included in this report:
- Given the effectiveness of cybercriminals, security will continue to be at risk until passwords are eliminated entirely.
- Consumers are wary of biometrics today but will come to accept it just as they did mobile banking.
- Apple and Google will continue to upgrade and extend the security and biometrics implemented in hardware and operating systems and, due to the broad visibility that these operating systems have into the life of the mobile device user, will have more data than all others for authenticating the individual.
- Authentication will move from a single challenge event, as done today with fingerprint readers, and evolve into a passive persistent identity trust value. The trust value will be based on multimodal biometrics to include geolocation, known commute and work patterns, passive voice and face recognition, and a range of behavioral inputs. As these improve in verifying authenticity, the challenge event will become relatively rare and specific only to high-risk situations.
- Smartphone technology is rapidly becoming more secure and broadly available in the U.S. population, which means that broad deployment of biometric hardware by financial institutions is likely to be obsolete in less than 5 years.
- It is probable that Apple and Google solutions will become critical hardware and software authentication suppliers for the majority of access control scenarios, including devices, call centers, cloud and application authentication needs.
- Biometric tags and trust decisions should be held and calculated in the device to mitigate risk associated with central storage of credentials and is critical for increased consumer trust. Centralized repositories, no matter how secure, represent a liability from the consumer’s perspective.
- The FIDO authentication architecture will establish an authentication framework that moves much of the hardware and software into a shared asset resident on the mobile phone, which will greatly lower the cost of deploying authentication solutions.
- Financial institutions should plan for the biometric world described above. This suggests utilizing the mobile device for authentication wherever possible and to avoid the collection of biometric data centrally as much as possible, as that data represents yet another target for criminals.
Make informed decisions in a digital financial world