RBS and NatWest have been the first banks to announce that they are soon to allow customers to access accounts on their smartphones using fingerprint recognition technology.
The move is a seminal one for UK financial institutions, and an indication that the era of passwords may be finally drawing to a close. When Apple opened up its Touch ID technology to third party developers last year, it was only a matter of time before banks and other transaction providers started to build the technology into their services.
When PayPal and Alipay upgraded their apps to allow users fingerprint authorisation, teaming up with Chinese handset maker Huawei in September last year, they were the first to put their trust in the technology as just as secure as PIN codes or passwords. And now manufacturers like Samsung have been inundated with requests for fingerprint technology for authentication. But the UK banking sector has been traditionally very conservative with security- for obvious reasons.
> See also: US banking giant tests fingerprint biometrics
Geoff Webb, senior director, solution strategy at security software firm NetIQ, believes that the move by RBS is being driven by the confluence of two very powerful trends. Firstly the widespread move to online banking, with customers expecting to be able to do more on the go from their mobile device, without the inconvenience of having to go to a physical bank or even use a traditional desktop or laptop computer.
The second trend is the failure of traditional methods of authentication – proving we are who we claim to be – and the rising cost of fraud and breaches that accompany that failure.
'It's simply too difficult for consumers to create and remember complex passwords, and far too easy for hackers to steal those passwords,' says Webb. 'As a result there is a rapid shift to biometric-based methods of authentication. The most obvious (and accessible with modern smartphones) is the fingerprint. It's a good solution – fast, reliable and actually pretty secure. As the need to quickly and securely prove who we are grows in line with the migration of our lives from offline to online, we should expect to see more and more biometric authentication – including fingerprints, iris scanning, retina scanning, and behavioural.'
But while this shift will be welcomed by many, there will still be some trust issues. As Phil Underwood, global head of pre-sales at two-factor authentication specialist SecurEnvoy explains, it will always be a balancing act – make it too easy for the user and the authentication may be compromised or circumvented; too hard and adoption rates for the new authentication technology will drop.
> See also: Mobile payments: Apple's next security pitfall?
'This shows that there is now a middle ground that is secure enough for banks to remain regulatory compliant, but easy enough to lead to widespread adoption,' says Underwood.
Two-factor authentication is already prevalent on popular websites such as Gmail, Dropbox and Ticketmaster. As Underwood stresses, it should be remembered that fingerprints are publicly available and could be cloned, with different levels of effort. Therefore deploying biometric technology should be considered not on its own, but as part of a multi-factor authentication strategy.
