Biometric authentication against a device with tamper-resistant hardware is a good general-purpose solution for mass-market online login. For the foreseeable future, that device will be the mobile phone and that biometric will be the fingerprint, but Barclays' use of finger vein scanning is still interesting.
It was really fascinating to read today’s reports about the “new” security technology that is going to be introduced by Barclays Bank in the UK for their corporate clients. Apart from anything else, Consult Hyperion is one of those corporate clients so we will undoubtedly be one of the users of this new-fangled login kit. Just so that you understand the context for the new technology, I thought I’d show you first how things work right now.
Here we are in Consult Hyperion’s accounts department logging in with the Barclays smart card.
We are an SME user of Barclays Banking and have been for a great many years. They provide us with smart card readers and we have two of these attached to PCs in our office. We also have four smart cards, each with its own PIN. Our two accounts staff have a card each as does our Finance Director and our HR director. To make an online payment, someone with a smart card has to instruct the payment and then somebody else with another smart card has to verify the payment. To be honest, the whole system works perfectly well and as far as I know we are happy with it. However, Barclays are adding convenience and higher security to their corporate banking service by moving to biometrics in the coming year.
Barclays is introducing new finger scanning technology that will allow customers to access their online bank accounts and authorise payments without the need for PINs or passwords… The Barclays Biometric Reader will initially be available to Barclays Corporate Banking clients from 2015. [From Video: Barclays to introduce finger scans instead of PINs – Telegraph]
The technology that they are referring to here is the Hitachi finger vein scanning system. It works by having a user insert their finger into a device that uses a particular kind of light to scan the finger to obtain the pattern of veins under the skin. This pattern is stored inside a tamper-resistant chip in the device and when the device is subsequently called upon to authenticate the user, their finger vein pattern is compared against the template. So starting next year, our staff will no longer need the smart card and the PIN, but will just put their finger in the scanning device.
The BBC were kind enough to invite me on to their lunchtime “You and Yours” magazine programme to discuss this innovation. I think they were a tiny bit surprised, to be honest, when I told them that the technology was eight years old! I also told them, in the spirit of openness and integrity that is associated with the good name of Consult Hyperion throughout the civilised world, that we had been retained by Hitachi some years ago to carry out a study on the security of this product and its suitability for certain financial services applications. I haven’t actually been to the files to dig out the report, but I do remember that our guys were happy with the security and thought it appropriate in certain use cases. Here’s what I wrote about the technology seven years ago:
The vein authentication system has been available in the Japanese market since October 2006 and has already been deployed by Sumitomo Mitsui Banking Corporation as the user ID system for ATMs located in am/pm convenience stores throughout Japan [From Fingering suspects – Tomorrow’s Transactions]
As I understand it, there is an interesting heritage to the technology because in certain Asian countries people are uncomfortable with touching devices that are touched by lots of other people. This is why in some hotels in the Far East, I’ve noticed, as soon as you press the button in the elevator an attendant immediately gives a quick spray and wipes it off so that it is pristine for the next traveller. As a result, both Hitachi and Fujitsu looked to develop alternatives to the fingerprint scanners that were being developed in the West. Hitachi opted for finger vein and Fujitsu, if memory serves, opted for palm print. In both cases there is no contact between the finger or hand and the scanner which uses light to get its data.
As I told Peter White on the show, this is actually a very good use of biometrics. By and large, in the mass market, we think that the use of biometrics as an authentication technology that uses a local template is broadly speaking a good idea and the use of biometrics as an identification technology against a remote template is broadly speaking a bad idea (because the templates can be stolen and reverse-engineered). In the case of the Fujitsu scanner, as in the case of the iPhone, the biometric template is stored locally in tamper-resistant hardware and is never given up. The template obtained by reading is fed into the tamper-resistant hardware for analysis and matching, which is a great way to do things.
I think what Barclays are doing here is an interim step that gives us a window into the more generalised solutions for the future where a variety of biometrics will be used for local authentication against devices and the devices will communicate the authentication through standard mechanisms (such as FIDO) into standard identity management systems. The fingerprint scanner on the iPhone and on the Samsung S5 seems to me a more likely mass-market choice than finger vein scanners but who knows.
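An added sketch (not from the original post, and not Barclays, Hitachi or FIDO code) of the local-template model described above: the device matches the fresh scan against its stored template and releases only an assertion bound to the server's challenge. The class names, the Hamming-distance matcher, the 8-bit threshold and the three-try lockout are assumptions, and an HMAC stands in for the public-key signature a FIDO authenticator would produce.

```python
import hashlib, hmac, secrets
class MatchOnDevice:
    """Toy model of the reader: the enrolled template never leaves this object."""
    MAX_DISTANCE = 8   # assumed match threshold, in differing bits
    MAX_FAILURES = 3   # assumed retry limit before the device locks

    def __init__(self):
        self.__template, self.__failures = None, 0
        self.__key = secrets.token_bytes(32)

    def enroll(self, sample: bytes) -> bytes:
        """Keep the template inside; hand the server a verification key only."""
        self.__template = sample
        return self.__key  # HMAC stand-in; a FIDO device would export a public key

    def assert_user(self, sample: bytes, challenge: bytes):
        """Match inside the device; MAC the challenge only on a successful match."""
        if self.__template is None or self.__failures >= self.MAX_FAILURES:
            return None
        distance = sum(bin(a ^ b).count("1") for a, b in zip(sample, self.__template))
        if len(sample) != len(self.__template) or distance > self.MAX_DISTANCE:
            self.__failures += 1
            return None
        self.__failures = 0
        return hmac.new(self.__key, challenge, hashlib.sha256).digest()

class Server:
    """Relying party: stores one key per device and no biometric data."""
    def __init__(self):
        self.keys, self.pending = {}, {}

    def new_challenge(self, device_id: str) -> bytes:
        self.pending[device_id] = secrets.token_bytes(16)
        return self.pending[device_id]

    def verify(self, device_id: str, assertion) -> bool:
        challenge = self.pending.pop(device_id, None)  # single use, so replays fail
        if challenge is None or assertion is None or device_id not in self.keys:
            return False
        expected = hmac.new(self.keys[device_id], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)

def login(device: MatchOnDevice, server: Server, device_id: str, sample: bytes) -> bool:
    return server.verify(device_id, device.assert_user(sample, server.new_challenge(device_id)))

# Constructed 256-bit patterns standing in for vein scans (not real biometric data).
ENROLLED = bytes(range(32))
SAME_FINGER = bytes([ENROLLED[0] ^ 0b0111]) + ENROLLED[1:]   # 3 bits of sensor noise
OTHER_FINGER = bytes(b ^ 0xFF for b in ENROLLED)             # every bit differs
```

A breach of `Server` in this model yields keys and challenges but no template, which is the property the local-template approach is chosen for.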
Down at CHYP End we are looking forward to our new scanners arriving and you can rest assured that there will be pictures at 11 when they do!