October 07, 2008

Banks and Biometrics... I want to believe, I really do.

HelpNet has an article up by Paul Foote and Reena Hora about why biometrics are a "must have" for banks - the title ("Biometric Security for Financial Meltdown Solutions") seems to imply a link between the crazy stuff going on in the bankerage world and biometrics, but it's really more about how to prevent fraud by using biometrics. Interestingly, this article got some play over at eWeek as well. If you haven't read it yet, it's an interesting bit of reading.

Now, I've been a huge advocate of biometrics. I want to believe... I really do. I started my career at a biometrics company, I've tried (in almost every job I've had) to push biometrics in all sorts of industries. I was a dedicated follower of HAAPI and the BioAPI. I've tried them all: fingerprint (with optical and capacitance readers), iris, voice, signature, etc. And I have consistently obtained no traction on deploying them past a pilot stage. Particularly in a banking context. Historically, it's been a tough sell.

Foote and Hora tell us:

"To prevent a recurrence of a fraud like this, financial institutions can improve security by adding biometric systems to their ERP systems, or by replacing their legacy systems with SAP and bioLock. Most biometric systems are used for access control. Realtime North America’s bioLock is the only biometric system which goes beyond access control and is even able to control a field, function or value within the ERP system--such as the amount of an outgoing wire transfer."

And that's *absolutely true*. For large transfers outside of an institution, most firms would agree that strong auth is where it's at. In fact, a lot of institutions have had strong auth in place for quite a while now. For example, a system that I helped deploy to do just this was in place in 1999 within a particularly large (and now defunct) institution. So no argument there.

The problem, in my opinion, is that the authors hitch the "strong auth" train to biometrics without examining the (multitude of) other alternatives - and they don't seem to acknowledge that not all biometric systems are created equal. First of all, a single-factor biometric is not always better than a password. For example, the biometrics company I worked for used a glass platen to scan fingerprints. My fingers leave a lot of oil on glass. By shading the platen, one could log into the system using just the residue of the oils from my fingertip. Is a system like that better than a password? I don't think it is. So what we're really talking about is strong, two-factor auth.

And is a biometric-based two-factor system necessarily "better" than a token-based system? I'm not sure we can make that assumption either. It might be the most expensive solution. What's the expense, you ask? How about enrollment, readers/scanners, upkeep/maintenance, and support overhead. Supporting a system like this one is big bucks. But is more expensive always better? It might be, but I'm not prepared to accept that without some evidence.

And is it true that users are clamoring for it? I don't think so. I think the users clamoring for biometrics are the ones that haven't used it. Take a look at Bloomberg, as an example. They've had their UBL model out for 5 years now - it's a system that uses a biometric to log on to the terminal. And guess what? People hate it. They consider the fingerprint solution a "deal breaker" and would rather go with Reuters (trust me, not something Bloomberg wants to hear). They don't, however, hate the token-based solution. Another example? I piloted iris scanning in a Wall Street firm. People hated that too. In fact, it gave people headaches during field testing. A deal-breaker.

So, is biometrics the "only" answer? I don't think it is. In fact, I think if you did a "find and replace" on this article and substituted "two factor" for "biometrics", the point would be just as true. As a biometrics supporter, I love to see the positive press, but I also think we need to find a legitimate argument for why biometrics are superior to the alternatives and lay that down. And I don't think we're there yet.
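The "find and replace" point above can be made concrete in code: a step-up authorization check for outgoing wires that cares only that two distinct factor categories were verified, not which modality supplied them. This is an added illustration, not code from the post or from any product it mentions; the threshold amount and the Factor/Credential types are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """Classic authentication factor categories (assumed taxonomy)."""
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # hardware token, smart card
    INHERENCE = "something you are"     # fingerprint, iris, voice


# Constructed policy value: wires at or above this amount require step-up auth.
STEP_UP_THRESHOLD = 10_000


@dataclass(frozen=True)
class Credential:
    factor: Factor
    verified: bool   # result of the underlying verifier (not modelled here)


def authorize_wire(amount: float, creds: list[Credential]) -> tuple[bool, str]:
    """Decide whether an outgoing wire may proceed.

    Below the threshold any single verified factor is enough.  At or above it,
    two *distinct* categories must be verified: a fingerprint plus an iris scan
    is still one factor (both INHERENCE), so a single-factor biometric does not
    satisfy the policy any more than a lone password would.
    """
    categories = {c.factor for c in creds if c.verified}
    if not categories:
        return False, "denied: no verified credential"
    if amount < STEP_UP_THRESHOLD:
        return True, "allowed: single factor sufficient below threshold"
    if len(categories) >= 2:
        names = ", ".join(sorted(f.name for f in categories))
        return True, f"allowed: two-factor satisfied ({names})"
    only = next(iter(categories)).name
    return False, f"denied: step-up required, only {only} presented"


if __name__ == "__main__":
    # Constructed sample: fingerprint alone vs. fingerprint plus token.
    fp = Credential(Factor.INHERENCE, True)
    token = Credential(Factor.POSSESSION, True)
    print(authorize_wire(50_000, [fp]))
    print(authorize_wire(50_000, [fp, token]))
```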

Posted by Ed at October 7, 2008 09:09 AM
Comments

Hi - the author of this comment sounds as if he had some bad experiences by trying to get into the biometrics market far too early. I can relate since I was there too - but I am still here and I can only point out that biometrics technology has improved at "mach" speed. Lastly, I would have to agree that a dual authentication (or triple) is the best way to go. This is why realtime's bioLock can protect any mouse click in the SAP system with biometric AND (or) smart card. We can recognize what you have first and then confirm who you are. Most important, we can not only do it when you log in but when you access or execute the critical function. See a full movie at www.bioLock.us. Thank you to the author - perhaps we need to "advertise" more that our technology works in combination with smart cards and/or tokens!

Posted by: Thomas Neudenberger at October 14, 2008 08:44 AM