First there was Two-Factor Authentication. Something You Know (a PIN or a password) plus Something You Have (a key, a hard token, a chip in a credit card, or – best of all – a mobile phone).
Now you can add Something You Are. Your fingerprint, iris, retina, face, or voice pattern, for example. Physical features unique to you, and no-one else.
Rumours had been flying around that Apple had something in the pipeline ever since they bought AuthenTec for $356m last year, and indeed it was as the sages had predicted. The new Apple 5S came with ‘Touch ID’, a biometric fingerprint scanner neatly incorporated into the Home button as a stainless steel ring, allowing users to access their phones without having to remember complex sequences of numbers or letters.
Equally predictably, industry reaction was mixed. One editor of a biometrics news site declared “The industry has been waiting for a moment like this.” Others thought this technology fell short of the needs of consumer-facing businesses, believing that such biometrics were all “At least a decade away from being reliable enough to use as authentication methods.”
Although Apple claimed that Touch ID scans the ‘sub-epidermal skin layers’, members of a major hacker association claimed to have constructed a ‘fake fingerprint’ which fooled the sensor. This was taken from a mark lifted off a glass, which was then laser printed, then transferred to latex. (Apparently, this kind of ‘false fingerprint modelling’ had been demonstrated to work successfully more than ten years ago in Japan.)
The hacker group also observed that while Apple’s fingerprint sensor had a higher resolution than other sensors on the market, it could still be tricked, and that “Fingerprints should not be used to secure anything”, adding that it was “Plain stupid to use something you can’t change and that you leave everywhere every day as a security token”.
Hard on the heels of this announcement followed the revelation that a UK start-up had already devised software that could distinguish between real and counterfeit fingerprint images. Their sophisticated algorithms were able to identify the real fingerprint by its greater elasticity, active sweat pores and more defined ridges. They claimed a 90% accuracy rate, and thought that 95% was well on the cards.
Apple didn’t have the field to themselves for long. In a matter of weeks, HTC had also incorporated a fingerprint scanner into their One Max ‘phablet’. Again, a researcher at a security laboratory observed that the technology had better be totally secure before it saw widespread adoption. If a password becomes compromised, it can easily be changed. Not so a fingerprint.
However, industry experts did agree that some level of security was better than no security. Given that most users don’t bother to lock their phone with a PIN code, because of the hassle, a fingerprint reader would at least provide some measure of protection.
Some mCommerce commentators were excited by the potential for Apple’s Touch ID to authenticate a user for completing an online purchase, removing the barrier of having to type in your password, one more element of friction in the log-in process. But without NFC integration, which Apple has not incorporated, they did not see Touch ID working for in-store purchases.
Others questioned the lack of similar fingerprint scanners in the updates to the iPad and MacBook ranges. They suggested that the combination of a fingerprint scan with a conventional password, as part of the new iCloud Keychain functionality, would have made excellent sense.
As one source put it, “Why would you spend $US356 million to buy fingerprint scanning technology, fete it as the next best thing, then simply ignore it in the run-up to what has traditionally been your biggest quarter? It’s like dropping a few hundred grand on a new Ferrari and keeping it in the garage.” Some even suggested that the ‘fake fingerprint’ episode had so damaged Apple’s confidence in its technology that they promptly put it on the back burner while they had a rethink.
The rumor machine did not stop there, with plenty of gossip about Samsung. It is believed that the new Galaxy S5 will not only have a fingerprint sensor but, following their patenting of related technology, will also incorporate an iris scanner, to be announced at the Mobile World Congress in February. (Samsung have already made a start with facial detection technology, as seen in their eye tracking Smart Stay and Smart Scan features, but apparently for iris scanning to work, an exceptionally high quality camera will be needed.)
Privacy concerns have been raised about these types of applications. As the UK’s Guardian put it, “When does face scanning tip over into the full-time surveillance society?” This particular question was raised by the prospect of Tesco fitting its petrol stations with advertising screens that would scan the faces of its customers in order to present them with the advertising most suitable to their age and gender. “Dear Tesco, our relationship has become a bit creepy” was the reaction of one columnist for the Independent.
A similar system had already been used in bus shelter advertising, but the City of London put their foot down when it came to recycling bins, which tracked the smartphone data of passers-by to do a similar job. Mainly because these bins hadn’t bothered to obtain the pedestrians’ consent first.
Facial recognition is also controversial. L’Oreal, for example, is apparently looking at this area in an attempt to offer consumers personalized makeup recommendations. Facebook’s use of this technology as part of their photo tagging feature, meanwhile, has led to questions being asked, in the US administration and the EU, over the long-term use of their database.
Vendors have also been quick to make use of this technology in the authentication sector, often as part of a multi-layered verification package. One company offers a facial detection feature which, it claims, can match an ID photo against a customer’s actual face during an online or mobile transaction. Another uses facial recognition at point of sale, delivering what it claimed was “the world’s fastest payment system”, where the shopper only has to look into the machine and press OK. Yet another combines both facial and voice recognition in a single mobile identity validation app, which can also be used to gain physical access to restricted areas.
Other applications go more than skin-deep. One offers to confirm financial transactions by scanning the vein patterns in your hand with an infrared camera. But the most intimate of all biometric authenticators has to be the system that monitors your electrocardiograms, or the unique electrical activity generated by your heart. As the manufacturer’s press release says, “Your cardiac rhythm is protected inside your body, making it almost impossible to steal, mimic or circumvent. In comparison, a fingerprint is left on every surface a user touches.” At the moment the user has to wear a wristband, which performs authentication in conjunction with a smartphone, tablet or computer, but clearly this technology also could be incorporated into a smart watch or other types of wearable tech.
Look in the heart of the average consumer and what you’ll probably find is a deep longing for one standardized authentication technology, accepted everywhere, so that they can get on with their life, free from worries of fraud, cybercrime and government surveillance. Or would that be too much to ask for?
As it happens, analysts Ovum have recently announced that 2014 will finally see Apple launch what they term “a fully-fledged, unified mobile payments platform”. This will result in “a positive impact on consumer uptake and use of m-payments” but may have “a negative impact on other players hoping to gain market dominance in the space”.
So this could be the year iTunes becomes iPay. Whatever the outcome, Ovum certainly appears to have their finger on the pulse. We’ll wait to see what transpires when Apple finally gives the thumbs-up.