Authentication is as much in the news as ever, with the latest naked celebrity mega-scandal highlighting once again the weakness of online authentication systems.
Banks are particularly interested in improving the accuracy of user ID checking to reduce the costs of fraud.
Currently most online banking systems rely on passwords, as does much of the internet, despite the daily death-by-attrition of this wheezing old approach to security. In banking, passwords are usually combined with some sort of two-factor authentication.
These second factors are less than ideal for most users, adding an extra layer of complexity to accessing accounts, and biometrics are regularly heralded as our saviour, offering to reduce the effort required while increasing security.
Whenever we’ve looked at new ideas in biometrics in the past, it’s been clear that it will need a big push from a major service provider to bring any of them into the mainstream.
Barclays is one of the world’s largest banks and one of the “big four” retail banks operating in the UK, with an estimated 48 million customers worldwide. Should the new authentication system catch on and spread to personal banking customers and other regions, it could well signal a major shift in how we access online banking systems, and indeed any service or system that requires authentication.
The option selected by Barclays is based on Hitachi’s VeinID system, in which “near-infrared light” is shone through the finger, with a reader on the other side picking up the patterns of veins beneath the skin.
This should make it considerably harder to spoof than the surface fingerprint readers being added to high-end smartphones, which have consistently proven to be easily bypassed, often using readily available materials. Vein patterns are also not left on things we touch, another major problem with fingerprints.
The use of veins bypasses a few of the other common problems with biometrics, such as the danger that seriously determined criminals could simply detach the required piece of their target and use it to fool ID checks, as the veins apparently require blood to be flowing through them for the scanner to recognise them.
Barclays insists that all vein-pattern data will be held only in the local reader device and never uploaded or stored elsewhere, reducing the danger of having your data stolen or spoofed.
This contrasts with the use of similar technology in ATMs in Poland, Turkey and Japan, which presumably have to query the bank servers each time a user tries to authenticate themselves.
The actual device required is described as “the size of a tennis ball”, making it not that much bigger than many of the card-reading code-generating gizmos currently being offered by banks to help secure their customers.
But the pocket-unfriendly shape, plus the requirement for a wired connection, means that while fine for the business users currently being targeted, everyday folk using their banks will probably find them a little unwieldy.
(The devices, due to hit business users’ desks sometime in 2015, look very similar to examples included in a 2007 whitepaper produced by Hitachi to introduce the VeinID approach.)
It’s possible that smaller, more portable versions will be with us soon, facilitating the uptake of vein scanning in the consumer space, but as the finger needs to be inserted into the machine, the reader isn’t going to be as small as current smartphone print readers.
Rival tech giant Fujitsu has developed an authentication method based on palm veins which uses reflected light rather than light shone through the flesh, but Hitachi claims that the better depth penetration, and the bypassing of surface contaminants such as dirt and grease, make its method more accurate and reliable.
So once again this seems unlikely to be the long-awaited silver bullet that finally does away with the need for careful password management.
But with the serious weight of a major global bank behind it, it seems more than possible that something along these lines may become the standard for serious authentication in the near future.
Let’s keep our fingers crossed.