RBS and NatWest recently became the first banks in the UK to offer biometric authentication for access to mobile banking. It's a great piece of PR for the financial giant, but will it actually drive more customers to its services, save money, or improve security? For many CIOs the jury's still out on biometrics. But if some of the most risk-averse institutions in the country are beginning to come around, maybe it's time to take another look at the technology.
The headlines surrounding the RBS project were perhaps a little misleading. This isn't the bank itself rolling out biometric devices so that users can log into online sessions – it has merely decided to support Apple's Touch ID standard for fingerprint authentication. That said, I'm a big fan of biometrics and have been using them for an additional layer of log-in security for some time.
Goodbye cruel passwords
First up, they can remove the need to remember so many pesky passwords and usernames. For consumers with multiple accounts across the web the temptation all too often is to reuse a single memorable password. When their credentials get stolen from their service provider or pinched via a targeted phishing or other attack, all those accounts are then put at risk.
In an enterprise context, passwords can be even more limiting. For those organisations which enforce strict 30-day password update policies, with previously used credentials not allowed, it becomes arduous in the extreme for users. So what do they do? They write their password down on a Post-it note somewhere near the PC. It's a classic example of employees finding a way around user-unfriendly security – completely undermining the reason for enforcing the policy in the first place.
Biometrics are also a great choice from an enterprise point of view because they completely negate the efforts of hackers to crack your log-ins to get into corporate systems. They may have put keyloggers on your receptionist's PC but if she's scanning her finger, hand, iris or any other biometric to access the network, they'll not get in.
Now for the cons
But as much as biometrics offers a genuine alternative to traditional authentication methods, there are limitations. The most obvious, especially from a mobile perspective, is scale. Going back to the RBS story, biometric log-ins will only be available to iPhone users on the newest, Touch ID-enabled, models. There's no mention of Android because it's quite frankly impossible for Google or anyone else to enable standardised fingerprint scanning in that ecosystem. Android is simply too amorphous, with different handset manufacturers, operating system versions and user interface overlays.
Partly for this reason I think biometrics will be too expensive for most CIOs to implement inside the enterprise. With the advent of BYOD there are simply too many devices in circulation to try to enforce any kind of homogeneous biometric access policy. It has a much better chance of success in a mass market, B2C context. But even here, there are emerging concerns around user privacy in the US. A Virginia court last year ruled that while the police couldn't force criminal 'suspects' to divulge their phone passcodes, they could force them to unlock their devices with a fingerprint scan. It's why I keep Touch ID switched off when I travel to the States – not because I've anything to hide but because I don't like the privacy and corporate security implications.
Get used to it
In the end the best use for biometrics going forward will be in combination with another factor – either a password or perhaps another biometric, like voice analysis. A user could place their finger on a scanner and say their memorable word, for example – pretty hard to simulate if you're a crook. As RBS has done, a fingerprint scan could be enough to access a provider's homepage, but for payments and other higher-risk tasks, additional steps will be required. It's all about balancing security and usability – with risk reduction your guiding principle.
It might not be everyone's cup of tea but users have already shown themselves to be open to biometrics if the benefits are great enough. Think beating the queues at the airport with a biometric scan, for example. With that in mind, successful CIOs will increasingly look to biometrics for ways to transform customer-facing services – for greater efficiencies, cost savings and fraud reduction.
These are the kind of high-profile projects which could do your career prospects no harm either.