Recently a senior PayPal evangelist gave a rather controversial interview to the Wall Street Journal. In it, he appeared to suggest a radical alternative to password-based authentication systems: biometrics generated by devices ingested or embedded under the user’s skin. Now, it’s true that passwords should no longer be used by any online provider serious about security. And it’s always interesting to hear new approaches to user authentication.
But organisations need an answer today to the mounting problem of online fraud. It needs to be fast, affordable, frictionless and accurate. And in those respects, biometrics just don’t deliver.
Kill all passwords
The presentation on which PayPal global head of developer advocacy, Jonathan LeBlanc, expounded to the WSJ was titled "Kill All Passwords". It’s a sentiment we certainly share at ThreatMetrix. Passwords are yesterday’s news. Cyber criminals have become too well-schooled in guessing, cracking, and hacking them to make this a viable secure authentication method. Phishing attacks and keylogging malware give the criminals an unfair advantage, but naïve users also help by reusing credentials across accounts.
It’s no coincidence that account takeovers leapfrogged payment fraud at the end of 2014 as the highest risk fraud type, according to our data. It makes complete sense: cyber criminals know they stand more chance of bypassing fraud filters by breaking into accounts and using valid saved card details, than by trying to buy goods with stolen details.
So why isn’t biometric technology the answer?
The problem with biometrics
On paper, the prospect of biometrics like embedded wireless chips monitoring ECG readings, or ingestible capsules that can detect glucose levels, sounds like a decent idea. After all, the readings they then transmit should be unique to that person – surmounting problems of false positives and false negatives. LeBlanc even suggested that batteries for such systems could be powered by stomach acid. At last, a fully internalised, unhackable "natural body identification" system to put "users in charge of their own security". Right?
Well, not really.
The main issue many people have with biometrics is that they rely on something that should be unhackable – impossible to simulate or crack. But if cyber criminals do find a way of doing so – and they’ve proven themselves to be a pretty resourceful bunch thus far – then what? You might be able to reset your password pretty easily after a phishing attack, but what about your heart rate? Or your glucose levels?
The next major barrier is the users themselves. Security versus usability is a tough balance at the best of times. How much tougher will it be to sell such invasive authentication systems if the user is basically happy with the level of security they get with a regular fingerprint scan or a phone-based one-time passcode system?
That’s not even to begin imagining the development and management costs associated with such systems. If you then find users are dropping out of log-in or shopping cart processes because the biometrics are too much hassle, fraud prevention may end up costing your business more than you lose in fraud.
Why context-based wins
I’m not dismissing the work of PayPal and others to improve on password-based verification. But too many question marks remain over biometrics – even the systems that are closer to reality than the hypothetical scenarios painted by LeBlanc. Whether your business is in e-commerce, social media, banking, insurance or another sector – you need fast, reliable, friction-free two-factor authentication that works … today.
The key for organisations going forward is to seek out systems which can work in the background, completely invisible to the user, checking things like device identity, malware, and use of Tor or other obfuscation methods favoured by cybercriminals. They’ll be able to check against a series of unique attributes associated with that user, such as log-in habits, typical locations, user IDs, email addresses, phone numbers, shipping information etc., and flag a suspect transaction even if the person is using valid (but stolen) credentials.
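To make the background check described above concrete, here is an added example (not ThreatMetrix code, and not any vendor's scoring model) of a minimal context-based risk scorer: it builds a profile of an account's past successful log-ins and then scores a new event on device, country, Tor use, hour of day and shipping address. The login history, the attribute names and the weights are all constructed assumptions for illustration; the point is that a log-in with perfectly valid credentials can still be flagged when its context does not fit the account.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample history of successful log-ins for one account.
# These are the attributes a context-based system observes passively;
# none of them require any action from the user.
HISTORY: List[Dict] = [
    {"device_id": "dev-A1", "country": "GB", "hour": 8,  "tor_exit": False, "ship_to": "home-1"},
    {"device_id": "dev-A1", "country": "GB", "hour": 19, "tor_exit": False, "ship_to": "home-1"},
    {"device_id": "dev-B7", "country": "GB", "hour": 21, "tor_exit": False, "ship_to": "home-1"},
    {"device_id": "dev-A1", "country": "FR", "hour": 9,  "tor_exit": False, "ship_to": "home-1"},
]

# Constructed test events. Both present valid credentials; only the context differs.
SAMPLE_LEGIT = {"device_id": "dev-A1", "country": "GB", "hour": 10, "tor_exit": False, "ship_to": "home-1"}
SAMPLE_TRAVEL = {"device_id": "dev-B7", "country": "US", "hour": 20, "tor_exit": False, "ship_to": "home-1"}
SAMPLE_STOLEN = {"device_id": "dev-Z9", "country": "RU", "hour": 3, "tor_exit": True, "ship_to": "drop-1"}

# Illustrative weights (assumption). A real deployment tunes these from labelled fraud data.
WEIGHTS = {
    "unknown_device": 30,
    "new_country": 25,
    "tor_exit": 40,
    "odd_hour": 10,
    "new_ship_to": 20,
}
STEP_UP_THRESHOLD = 50   # at or above: require a second factor or hold the transaction
HOUR_TOLERANCE = 2       # hours of the day within this distance of a seen hour are "usual"


@dataclass
class Profile:
    """What the system has learned about one account from its own history."""
    devices: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    ship_to: Set[str] = field(default_factory=set)


def build_profile(events: List[Dict]) -> Profile:
    """Aggregate the attributes seen on past successful log-ins."""
    p = Profile()
    for e in events:
        p.devices.add(e["device_id"])
        p.countries.add(e["country"])
        p.hours.add(e["hour"])
        p.ship_to.add(e["ship_to"])
    return p


def _hour_is_usual(hour: int, seen: Set[int]) -> bool:
    # Distance on a 24-hour clock, so 23 and 1 are two hours apart.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= HOUR_TOLERANCE for h in seen)


def score_event(profile: Profile, event: Dict) -> Tuple[int, List[str]]:
    """Return a risk score and the list of signals that contributed to it."""
    reasons: List[str] = []
    if event["device_id"] not in profile.devices:
        reasons.append("unknown_device")
    if event["country"] not in profile.countries:
        reasons.append("new_country")
    if event["tor_exit"]:
        reasons.append("tor_exit")
    if not _hour_is_usual(event["hour"], profile.hours):
        reasons.append("odd_hour")
    if event["ship_to"] not in profile.ship_to:
        reasons.append("new_ship_to")
    return sum(WEIGHTS[r] for r in reasons), reasons


def assess(profile: Profile, event: Dict) -> Dict:
    """Map the score to an action the checkout or log-in flow can act on."""
    score, reasons = score_event(profile, event)
    if score >= STEP_UP_THRESHOLD:
        verdict = "step_up"
    elif score > 0:
        verdict = "review"
    else:
        verdict = "allow"
    return {"score": score, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for name, event in (("legit", SAMPLE_LEGIT), ("travel", SAMPLE_TRAVEL), ("stolen", SAMPLE_STOLEN)):
        print(name, assess(profile, event))
```

Only the "stolen" event, with an unknown device, a Tor exit node, a new country, an unusual hour and a fresh shipping address, crosses the step-up threshold; the "travel" event scores a single new-country signal and goes to review rather than blocking a genuine customer, which is the usability balance the post argues for.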
Futuristic biometrics will always grab the headlines. But context-based authentication is where the smart money’s already being spent, to cut fraud and keep customers happy.