RBS and NatWest fingerprint authentication is great news for the industry

The news that RBS and NatWest are introducing fingerprint authentication to their mobile banking offerings was a monumental step forward.

Last week’s news that RBS and NatWest are introducing fingerprint authentication to their mobile banking offerings was a monumental step forward for the industry in improving the security of its online services.

Lost and stolen passwords remain the single biggest way that systems are compromised. According to the Verizon 2014 Data Breach Investigations Report, two out of three data breaches are attributable to lost or stolen user names and passwords, or both. We continue to see user names and passwords fail as a secure way to log in, no matter how complex the password.

Biometrics offers a great alternative way to authenticate individuals into systems, applications and data securely. The reasoning is simple: since everyone has a unique biological identity, let’s apply that single biological identity to cyberspace to establish trust. Fingerprint biometrics usually afford the easiest user interface – simply place your index finger or thumb on a reader and authentication takes place.

Historically, the primary challenge with tying a biometric to a cyber-identity has been the cost of rolling out an additional device to ‘read’ the biometric, especially on the scale that would be needed to equip all of a bank’s online and mobile banking customers.

However, the evolution of smart devices and systems like Apple’s Touch ID has significantly reduced this barrier. Consumers are now able to use a device they already have to perform the biometric reading, thereby significantly reducing the costs.

However, biometrics should not be used in isolation. Instead they should contribute to what’s called a “multifactor” authentication scheme, which vastly improves identity proofing by pairing “something you know”, such as a username and password combination, with “something you are”, making it much more difficult for a criminal to hack into systems pretending to be you.

In this scenario, the user would have a username/password/PIN combination and would then be asked to use a biometric, such as a fingerprint. If authentication fails to establish trust using this combination of factors, the user would be asked to authenticate using another previously registered second factor.

This could be the person’s mobile device with a securely loaded one-time password generator, whereby the user enters a six-digit number that is ‘bound’ to the authentication. Indeed, many banks have already rolled out this form of user authentication for online and mobile banking services.

There are several other innovative technologies in the pipeline that are becoming reliable enough to be considered viable alternatives to mainstream biometrics. One option is asking a user to key in a passphrase in answer to a question, essentially a challenge and corresponding response.

The software not only verifies that the response to the challenge question is correct, but also measures how the user types, using variables such as the timing between successive keystrokes. From this typing rhythm, the software determines whether the individual is the correct person.

In this example, the more the user interacts with the biometric system, the more accurate it becomes. Another method draws on an individual’s cognitive abilities: for example, presenting a set of pictures and asking the user to choose the combination that only that individual would know and be able to identify.
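The keystroke-rhythm check just described can be demonstrated with a simple profile of inter-keystroke intervals. This is an added example, not the article’s or any vendor’s implementation: it enrols several typings of the same challenge response, records the mean and spread of the delay between each pair of consecutive keys, and scores a new attempt by its average normalised distance from the enrolled rhythm. The key-down timestamps below are constructed for the demo; the 2.0 threshold, the 0.01 s spread floor and the minimum of three enrolment samples are assumptions a real deployment would tune against its own false-accept and false-reject rates.

```python
import statistics
from typing import List


def intervals(timestamps: List[float]) -> List[float]:
    """Delays between consecutive key-down events (seconds)."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


class KeystrokeProfile:
    """Typing-rhythm profile for one user and one fixed challenge response."""

    MIN_SAMPLES = 3      # assumed: refuse to score until the profile is usable
    SPREAD_FLOOR = 0.01  # assumed: avoid a near-zero spread dominating the score

    def __init__(self) -> None:
        self.samples: List[List[float]] = []

    def enroll(self, timestamps: List[float]) -> None:
        """Add one typing of the response; every sample must have the same length."""
        ivs = intervals(timestamps)
        if self.samples and len(ivs) != len(self.samples[0]):
            raise ValueError("sample length does not match enrolled response")
        self.samples.append(ivs)

    def score(self, timestamps: List[float]) -> float:
        """Mean absolute z-score over intervals; lower means closer to the enrolled rhythm.

        Each extra enrolment sample refines the per-interval mean and spread,
        which is why the check gets more accurate the more the user uses it.
        """
        if len(self.samples) < self.MIN_SAMPLES:
            raise ValueError("profile needs more enrolment samples")
        ivs = intervals(timestamps)
        if len(ivs) != len(self.samples[0]):
            raise ValueError("attempt length does not match enrolled response")
        total = 0.0
        for i, value in enumerate(ivs):
            column = [s[i] for s in self.samples]
            mean = statistics.fmean(column)
            spread = max(statistics.pstdev(column), self.SPREAD_FLOOR)
            total += abs(value - mean) / spread
        return total / len(ivs)

    def matches(self, timestamps: List[float], threshold: float = 2.0) -> bool:
        """True when the attempt's rhythm is within `threshold` of the profile."""
        return self.score(timestamps) <= threshold


def stamps(start: float, ivs: List[float]) -> List[float]:
    """Build key-down timestamps from a list of intervals (for constructed data)."""
    out = [start]
    for iv in ivs:
        out.append(out[-1] + iv)
    return out


# Constructed data: five typings of a five-character response by the genuine
# user, then one genuine attempt and one attempt by someone who knows the
# answer but types it in a different rhythm.
PROFILE = KeystrokeProfile()
for ivs in ([0.12, 0.18, 0.10, 0.15], [0.13, 0.17, 0.11, 0.16],
            [0.11, 0.19, 0.10, 0.14], [0.12, 0.18, 0.09, 0.15],
            [0.14, 0.16, 0.11, 0.15]):
    PROFILE.enroll(stamps(1000.0, ivs))

LEGIT_ATTEMPT = stamps(2000.0, [0.12, 0.17, 0.10, 0.15])
IMPOSTOR_ATTEMPT = stamps(3000.0, [0.25, 0.30, 0.22, 0.28])

if __name__ == "__main__":
    for name, attempt in (("genuine", LEGIT_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)):
        print(f"{name}: score={PROFILE.score(attempt):.2f} match={PROFILE.matches(attempt)}")
```

Because the rhythm check only adds confidence on top of a correct answer, a wrong response is still rejected before any timing is examined, and a correct response typed in an unfamiliar rhythm is the case that should trigger a fallback factor rather than silent acceptance.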

Whichever way the industry moves next, last week’s news was an important step in the journey to strengthening online identity and authentication in the banking industry.