Barclays bank has announced plans to introduce biometric authentication based on vein patterns in fingers for its UK business customers.
Authentication is as much in the news as ever, with the latest naked celebrity mega-scandal highlighting once again the weakness of online authentication systems.
Banks are particularly interested in improving the accuracy of user ID checking to reduce the costs of fraud.
Currently most online banking systems, like much of the internet, still rely on passwords, usually combined with some sort of two-factor authentication, despite the daily death-by-attrition of this wheezing old approach to security.
These are less than ideal for most users, adding an extra layer of complexity to accessing accounts, and biometrics are regularly heralded as our saviour, offering to reduce the effort required while increasing security.
Whenever we’ve looked at new ideas in biometrics in the past, it’s been clear that it will need a big push from a major service provider to bring any of them into the mainstream.
Barclays is one of the world’s largest banks and one of the “big four” retail banks operating in the UK, with an estimated 48 million customers worldwide. Should the new authentication system catch on and spread to personal banking customers and other regions, it could well signal a major shift in how we access online banking systems, and indeed any service or system that requires authentication.
The option selected by Barclays is based on Hitachi’s VeinID system, in which “near-infrared light” is shone through the finger, with a reader on the other side picking up the patterns of veins beneath the skin.
This should make it considerably harder to spoof than the surface fingerprint readers being added to high-end smartphones, which have consistently proven to be easily bypassed, often using readily available materials. Vein patterns are also not left on things we touch, another major problem with fingerprints.
The use of veins also sidesteps a few of the other common problems with biometrics, such as the danger that seriously determined criminals could simply detach the required body part from their target and use it to fool ID checks: the veins apparently need to have blood flowing through them for the scanner to recognise them.
Barclays insists that all vein-pattern data will be held only in the local reader device and never uploaded or stored elsewhere, reducing the danger of having your data stolen or spoofed.
This contrasts with the use of similar technology in ATMs in Poland, Turkey and Japan, which presumably have to query the bank servers each time a user tries to authenticate themselves.
The actual device required is described as “the size of a tennis ball”, making it not that much bigger than many of the card-reading code-generating gizmos currently being offered by banks to help secure their customers.
But the pocket-unfriendly shape, plus the requirement for a wired connection, means that while fine for the business users currently being targeted, everyday folk using their banks will probably find them a little unwieldy.
(The devices, due to hit business users’ desks sometime in 2015, look very similar to examples included in a 2007 whitepaper produced by Hitachi to introduce the VeinID approach.)
It’s possible that smaller, more portable versions will be with us soon, facilitating the uptake of vein scanning in the consumer space, but as the finger needs to be inserted into the machine, the reader isn’t going to be as small as current smartphone print readers.
Rival tech giant Fujitsu has developed an authentication method based on palm veins which uses reflected light rather than light shone through the flesh, but Hitachi claims the better depth penetration, and bypassing of surface contaminants such as dirt and grease, makes its method more accurate and reliable.
So once again this seems unlikely to be the long-awaited silver bullet that finally does away with the need for careful password management.
But with the serious weight of a major global bank behind it, it seems more than possible that something along these lines may become the standard for serious authentication in the near future.
Let’s keep our fingers crossed.
I hope they can take varicose veins, spider veins and other changes into consideration in the system or we’ll be told we aren’t ourselves as we get older then told we can’t have our own money. Clever idea, but I’m not sold on the notion that the technology is good enough yet to never have any issues.
Never use “something you ARE”, rather than “something you KNOW”, as a key factor in identifying yourself.
“Something you are” can be stolen – ever seen a TV cop lift a fingerprint from a cup? “Something you know” can’t, unless you’ve been inadvertently careless with it.
Look forward to post-breach requests for plastic surgery on the hands…
I’m not sure that I’d want something like this being the single factor for identification — your veins can’t be revoked, but the pattern could change over time (hitting your finger with a hammer, collapsed veins etc).
But it sounds promising as a second factor, or even as the primary factor: it’s hashed locally (hopefully with a seed) and only the hash is transmitted. With the option of second channel PIN verification as the second factor, we could conceivably replace passwords with vein hashes. You’d basically be using your veins AS the password, but you could use a decent keylength and have the generated hash be unique for each site/service you use, based on a shared seed.
This also has some implications for executor handling of data: any system depending on vein hashing would render the channel inoperative when you die, preventing your executor from accessing the data (unless you store a copy of your hash in a safe place with your will, I guess).
Seems kind of like a privacy violation, not sure about that one.
Could be enough to get me to switch banks, as current bank’s attitude to security is derisory. I am making the assumption that this will be part of a two factor scheme, so there is still password/pin as well.
Would be nice for small businesses if you could set a transaction threshold so that below a certain level (chosen by the user) you could make transactions without the higher security. This would give a way to trade-off security v risk if you travel a lot and occasionally need to make transactions when you are on the go.
At least it shows that finally a UK bank is serious about security. As for privacy – don’t use it if you feel that a hashed pattern of subcutaneous veins is an infringement on your privacy. It is more private than a fingerprint or a picture of your iris.
What concerns me as a forensic specialist is that there does not seem to be any evidence satisfactory to a court that the vein patterns are sufficiently unique between individuals. Finger marks (not fingerprints please, they are what is left behind by touching) are largely accepted as being fairly unique, even between identical twins.
What evidence is there that vein patterns are sufficiently consistent to be used as a reliable unique identifier? Many people with circulatory health issues appear to have a variability in their vein and artery patterns due to their illness, and that varies with time and their health.
What testing has been done to establish a sufficiency of data to show how reliable and consistent the method is in establishing that it is that one person whose vein pattern is being detected? Has that testing had sufficient coverage of people with a wide range of conditions and of different ages and genetic origins?
I can’t find any research data available on the Internet to support any such assumption, as that’s what it seems to be based upon and that may be an erroneous assumption until there is empirical data to support it.
I will not be using such a device yet.
On the surface sounds like a great idea. Vein patterns are unique to each individual and if they read those along with fingerprints then the result is far more secure than any password could ever be. You won’t forget it either, unless you lose that finger.
That’s the theory… I doubt crooks are going to lose any sleep. Why? The same interception techniques that work for logging key presses and other authentication techniques (man in the middle) work just as well on this technique. In short, nothing changes. Crooks will find the weakest link and exploit that. Most often that’s the user itself!
“This is Barclay’s, in order to continue using your account we need to collect your finger print again, please submit your…. “