Talk about seeing the collision before it happens. A big bang is shaping up inside financial institutions where on one side are skeptics about biometrics used in lieu of passwords – be it voice or eye print or fingerprint – and on the other side are increasing numbers of senior executives as well as plain customers who frankly despair about how unreliable, indeed broken, the old fashioned username/password has become.
Many experts say the username/password login dates back 50 years, to the early days of mainframe computers.
The problem with username/password is twofold. Strong ones are tough to remember and easy to forget. They also – increasingly – are stolen, usually by hackers who break into a system and steal literally hundreds of thousands of them.
But the final problem – the issue that is pushing a hard look at usernames/passwords back into focus – is the near impossibility of properly entering them on a mobile device.
Try to correctly type this on a smartphone: $1033_3rd_#206$. It’s a beautifully strong password – mixing letters with numbers with other characters – but it is not a password you want to attempt on an iPhone.
That is forcing eyes to look afresh at biometrics and, word from industry leaders, is that the reliability is soaring just as ease of use also is increasing. Already, most of the leading financial institutions have pilots involving biometric logins, often only involving employees at this stage.
But the reality is: if the username/password login is broken, something has to replace it and the best bet appears to be a biometric, mainly because that is something we always have with us. The other plus: most of the leading biometric tools revolve around harnessing the smartphone as a delivery mechanism and the phone of course also is something we almost always have.
“Biometrics are better than user ID and password. They test who you are,” said Charles Foley, CEO of Watchful Software, a biometrics company, in an interview.
Where the confusion thickens is that, frankly, right now there is no clear leader in the race to biometric dominance.
The eye is what Toby Rush, CEO EyeVerify, said is the tool to beat. His system –which revolves around a short video of the eye, taken with the tools built into any newer smartphone – “involves using nothing special. You have your eye and you have the phone,” said Rush.
Rush said EyeVerify already is in pilots with several banks and “soon” will go into pilots with a few credit unions – he declined to name names.
What about the user who is suffering a horrendous allergic attack, or who maybe just is suffering a terrible hangover, and whose eyes are patches of red? Rush said that would not impact the eye print identification – “we look at the big blood vessels, not the small capillaries.”
But he also said that any implementation would build in alternative login avenues for use if eye printing failed for any reason (maybe the phone camera simply broke). “That won’t be a problem for us,” said Rush, who predicted that “next year you will see mass adoption of eye prints.”
Voice is what Joram Borenstein, an executive with NICE Actimize, said will be the breakthrough biometric. The advantages: you (almost) always have your voice with you and it is natural with a phone.
“Voice is getting lots of consideration right now,” said Borenstein.
“Voice print technology has gotten much better – faster to process, more reliable – in just the last 18 months,” said Borenstein.
Cellular networks also keep getting better and smartphones are making substantial progress in canceling out extraneous noises (sounds of traffic, wind, or maybe just the din in a bustling coffee shop).
The main hurdle: “People don’t like the enrollment process,” admitted Borenstein.
Usually that consists of reading a series of frequently nonsensical words or numbers or both – the idea is to get lots of sounds.
Note: success generally is higher in using voice to authenticate identity (as a password substitute) than using it to drive transactions. In the former the system just has to know who is calling. In the latter it has to understand the difference between “pay PGE” and “pay PSEG” and that is not an easy problem.
The authentication piece is gaining fans, fast, however. Already, said Borenstein, some banks “are embedding voice authentication into their apps.”
Watch for more and bigger voice pilots soon.
Further out is what Foley called “next-generation biometrics. Software based. Call this e-biometrics.”
He gave this illustration: “There’s a science of keystroke dynamics that can be used to set a biometric marker. Typing is learned. Everybody types differently. There is for instance dwell time – how many microseconds your finger is pressing on the key. There also is flight time – how fast you move from one key to another.”
Collect the data involved in typing – which could be on glass, it does not necessarily involve a physical keyboard – and, said Foley, a biometric that is every bit as accurate and reliable as a fingerprint can be established. “These biometrics will be based on knowing things about the individual user.”
In Foley’s opinion, we are much more likely to readily accept e-biometrics – which simply measure what we already do – than we are other biometrics which at least in some corners still are looked at as invasive.
“Over the next 10 years you will see rapid ramp up of e-biometrics,” predicted Foley. “Most people wouldn’t be afraid of this behavior modeling and, that quickly, we will solve the problem of the broken username/password security model.”