Say Goodbye to Mobile Passwords
Confidence in Motion
CSC recently teamed with identity authentication specialist Daon to launch a biometric service for banks. The service is called ConfidentIDTM Mobile, and it combines passwords and public key infrastructure with optional biometrics factors, such as face recognition, voice recognition and palm identity. It can even use GPS, cellular triangulation and other data to add location intelligence.
The solution, built on Daon’s IdentityX platform, is hardware-independent and supports smartphones and tablet computers. It uses the technology already present in mobile devices to perform the authentication, so no external tokens or input devices are necessary.
It authenticates both individuals and their transactions and helps organizations meet stringent requirements, including those prescribed by the Federal Financial Institutions Examination Council. This level of authentication is critical when authorizing financial transactions, especially transactions involving large sums of money.
When the customer initiates a transaction on the bank’s website or mobile application, such as transferring money from one account to another, a request is made to the user for authentication. ConfidentID Mobile directly informs the service provider of successful authentication on the back end without further action from the customer.
Read the full Summer 2012 issue.
The rapid advance of Web and mobile applications has ushered in a new era of productivity and convenience, with one notable exception: Accessing anything online still means directing a blank stare to the prompt on your smartphone or tablet and wondering, “What was that password again?"
Passwords are routinely forgotten, guessed or stolen — yet these cryptic snippets remain the first, and often the only, line of defense protecting your digital domain from marauding packs of bots and hackers.
Passwords remain a popular security device simply because they are easy and inexpensive to implement. But now, thanks to new tools and technologies, the last days of forgettable letters and numbers may be in sight.
The co-evolution of online services and mobile devices is driving more demand for fast, easy and affordable authentication. Those same devices, packed with processing power and instant connectivity, are providing the platform needed to make new methods possible.
Steve Hooks, director of the CSC Identity Labs, says biometric authentication, using unique physical attributes to verify your identity, is a plausible successor. “Twenty years ago, biometric applications were used primarily in law enforcement, matching fingerprints. The war effort in the early 2000s accelerated development and brought biometrics to the battlefield. Now those results are filtering into the private sector,” Hooks says.
IDC analyst Chris Christiansen says familiar methods such as hand scanners are used to secure physical facilities, but applications are limited by hardware that is fixed in place. Considering today’s mobile computing trends, lugging such a scanner with you just isn’t realistic. “Biometric authentication won’t achieve broad adoption in mobile devices unless it’s almost transparent to the user, and the capabilities have to be built into the device,” he says.
Todd Hawkins, director of identity management business initiatives at CSC, says today’s smartphone has the capability to overcome the limitations and make emerging forms of authentication practical. “Without adding extra equipment or expense, we can use your smart device for face recognition and voice recognition,” Hawkins says. “We can also use your palm image because the lines that form a pattern in your palm are unique, just like fingerprints.”
Stealing your face
Biometric authentication schemes like these may be convenient and accurate, but would you trust a picture of your face or your hand to protect your bank account? Hawkins explains that biometric markers are often used in combination, a technique referred to as multi-factor authentication.
“Someone can easily get your picture or a recording of your voice, or even a fingerprint or DNA,” Hawkins says. “You leave those traces everywhere. So, systems that use biometrics for authentication won’t rely on those factors alone. That’s where "liveness" comes into play.”
Liveness refers to the ability to discern the difference between individuals based on the smallest aspects of facial expression, a tilt of the head or the blink of an eye. The same is true for your voice. “Taken together — face, voice and palm images, plus face and voice liveness — that gives us five factors of authentication. And that can be used to verify your claim of identity beyond the shadow of a doubt,” Hawkins says.
Christiansen agrees. “Many individual forms of authentication are relatively weak,” he says. “On an individual basis, face, voice and finger biometrics can be compromised, or your device might have a hard time reconciling them against one another and existing accounts and associated passwords. Combining several biometrics, however, can provide much stronger authentication.”
While most biometric solutions are making do with the hardware in today’s devices, new hardware will soon be added that make possible more forms of authentication — for example, cameras sensitive enough to distinguish an identity by the user’s iris. Formerly, these customized solutions needed to be purchased separately and high costs limited deployment to high-security physical security solutions.
Hooks says iris scanning has an advantage over face matching because it is more precise and not subject to the effects of aging. “You could have a picture taken for a bank account when you’re 18, but by the time you’re 38, your face has probably changed. That doesn’t happen with the iris.”
Christiansen says the future is coming to Apple’s app store, where users will be able to purchase biometric authentication apps for add-on security. “Finger, face, and voice aside, some of the forms that may become available will seem strange to us. For example, I’ve heard discussion of an app that uses the iPhone’s accelerometer to authenticate the user by gait or the way you walk.”
One system designed to use multiple forms of authentication and other data points is being developed by CSC. (See sidebar.) ConfidentIDTM creates a safe transaction environment for mobile systems. While biometrics are an important part, ConfidentID adds other elements, including rule checking, your physical location and other features to create a more secure system.
Hawkins does see a time in the very near future that applications running on your smart device will allow you to smile for the camera and enter your online accounts with ease and complete security.
And those pesky passwords? “The time has come now that smart devices have advanced to the level that they can fuse together these multimodel different methods for authentication that’s more secure,” Hawkins says. “Passwords have served us for hundreds of years. I think it’s time to retire them.”
DALE COYNER is a writer for CSC’s digital marketing team.