
Biometric authentication against a device with tamper-resistant hardware is a good general-purpose solution for mass-market online login. For the foreseeable future, that device will be the mobile phone and that biometric will be the fingerprint, but Barclays' use of finger vein scanning is still interesting.

It was really fascinating to read today’s reports about the “new” security technology that is going to be introduced by Barclays Bank in the UK for their corporate clients. Apart from anything else, Consult Hyperion is one of those corporate clients, so we will undoubtedly be one of the users of this new-fangled login kit. Just so that you understand the context for the new technology, I thought I’d show you first how things work right now.

Using Barclays smart card for corporate banking

Here we are in Consult Hyperion’s accounts department, logging in with the Barclays smart card.

We are an SME user of Barclays Banking and have been for a great many years. They provide us with smart card readers and we have two of these attached to PCs in our office. We also have four smart cards, each with its own PIN. Our two accounts staff have a card each as does our Finance Director and our HR director. To make an online payment, someone with a smart card has to instruct the payment and then somebody else with another smart card has to verify the payment. To be honest, the whole system works perfectly well and as far as I know we are happy with it. However, Barclays are adding convenience and higher security to their corporate banking service by moving to biometrics in the coming year.

Barclays is introducing new finger scanning technology that will allow customers to access their online bank accounts and authorise payments without the need for PINs or passwords… The Barclays Biometric Reader will initially be available to Barclays Corporate Banking clients from 2015.

[From Video: Barclays to introduce finger scans instead of PINs – Telegraph]

The technology that they are referring to here is the Hitachi finger vein scanning system. It works by having a user insert their finger into a device that uses a particular kind of light to scan the finger to obtain the pattern of veins under the skin. This pattern is stored inside a tamper resistant chip in the device and when the device is subsequently called upon to authenticate the user, their finger vein pattern is compared against the template. So starting next year, our staff will no longer need the smart card and the PIN, but will just put their finger in the scanning device.

The BBC were kind enough to invite me on to their lunchtime “You and Yours” magazine programme to discuss this innovation. I think they were a tiny bit surprised, to be honest, when I told them that the technology was eight years old! I also told them, in the spirit of openness and integrity that is associated with the good name of Consult Hyperion throughout the civilised world, that we had been retained by Hitachi some years ago to carry out a study on the security of this product and its suitability for certain financial services applications. I haven’t actually been to the files to dig out the report, but I do remember that our guys were happy with the security and thought it appropriate in certain use cases. Here’s what I wrote about the technology seven years ago:

The vein authentication system has been available in the Japanese market since October 2006 and has already been deployed by Sumitomo Mitsui Banking Corporation as the user ID system for ATMs located in am/pm convenience stores throughout Japan

[From Fingering suspects – Tomorrow’s Transactions]

As I understand it, there is an interesting heritage to the technology because in certain Asian countries people are uncomfortable with touching devices that are touched by lots of other people. This is why in some hotels in the Far East, I’ve noticed, as soon as you press the button in the elevator an attendant immediately gives a quick spray and wipes it off so that it is pristine for the next traveller. As a result, both Hitachi and Fujitsu looked to develop alternatives to the fingerprint scanners that were being developed in the West. Hitachi opted for finger vein and Fujitsu, if memory serves, opted for palm print. In both cases there is no contact between the finger or hand and the scanner which uses light to get its data.

As I told Peter White on the show, this is actually a very good use of biometrics. By and large, in the mass-market, we think that the use of biometrics as an authentication technology that uses a local template is broadly speaking a good idea and the use of biometrics as an identification technology against a remote template is broadly speaking a bad idea (because the templates can be stolen and reverse-engineered). In the case of the Fujitsu scanner, as in the case of the iPhone, the biometric template is stored locally in tamper-resistant hardware and is never given up. The template obtained by reading is fed into the tamper-resistant hardware for analysis and matching, which is a great way to do things.

I think what Barclays are doing here is an interim step that gives us a window into the more generalised solutions for the future where a variety of biometrics will be used for local authentication against devices and the devices will communicate the authentication through standard mechanisms (such as FIDO) into standard identity management systems. The fingerprint scanner on the iPhone and on the Samsung S5 seems to me a more likely mass-market choice than finger vein scanners but who knows.

Down at CHYP End we are looking forward to our new scanners arriving, and you can rest assured that there will be pictures at 11 when they do!

1 comment

  1. Thanks for the insights and for making yourselves a case study.
    It’s nice that the Barclays deployment appears to keep the vein templates stored within a SIM type chip. Is each reader dedicated to one registered user? Or can the SIM save a number of templates and thereby service several different users of the one workstation?

    My concerns with biometrics as they expand into payments are that the security-convenience trade-off is not yet quantifiable. I wonder if you’ve been given any data on the accuracy of the vein scanner in practice? What are the False Positive / False Negative rates and how have they been fine tuned (according to the so-called Detection Error Tradeoff) for your actual deployment? Biometrics expert Jim Wayman has cautioned against extrapolating from Zero Effort Imposter bench testing figures into real world security performance. As far as I know, there are no published figures anywhere for the performance of vein scanning in practice.
    And vein scanning proponents talk a lot about liveness detection; it’s said the scanner can detect haemoglobin. These things actually work by looking for a colour that corresponds to haemoglobin, and in principle that can be spoofed. There are as yet no standard ways to standardise and certify liveness detection.
    I hope these gaps in the quantification of biometrics are filled in quickly. On a population basis, we actually don’t know yet if any biometrics is better than a four digit PIN with its typical False Accept Rate of 0.03%.
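The False Accept / False Reject trade-off the comment raises, as an added worked example (not the post’s or the commenter’s code): it models a scanner’s genuine and impostor match scores with constructed Gaussian distributions, generates Detection Error Tradeoff points, and finds the operating threshold at which the False Accept Rate equals the 0.03% PIN baseline, reporting the False Reject Rate that comes with it. The score distributions, and the reading of 0.03% as three guesses in 10,000 codes, are assumptions.

```python
"""Detection Error Tradeoff (DET) worked example (added illustration).
Score distributions are CONSTRUCTED Gaussian stand-ins for a vein scanner's
matcher output; no real Hitachi or Barclays figures are used."""
import math

# Constructed matcher model: similarity scores for genuine users and for
# zero-effort impostors, each approximated by a normal distribution.
GENUINE_MEAN, GENUINE_SD = 0.80, 0.08
IMPOSTOR_MEAN, IMPOSTOR_SD = 0.40, 0.10

# Four-digit PIN baseline quoted in the comment (0.03%), read here as
# three guesses out of 10,000 codes before lockout (an assumption).
PIN_FAR = 3 / 10_000

def _tail_above(x, mean, sd):
    """P(score >= x) for a normal distribution."""
    return 0.5 * math.erfc((x - mean) / (sd * math.sqrt(2)))

def far(threshold):
    """False Accept Rate: fraction of impostor scores at or above threshold."""
    return _tail_above(threshold, IMPOSTOR_MEAN, IMPOSTOR_SD)

def frr(threshold):
    """False Reject Rate: fraction of genuine scores below threshold."""
    return 1.0 - _tail_above(threshold, GENUINE_MEAN, GENUINE_SD)

def det_curve(steps=20):
    """(threshold, FAR, FRR) points: raising the threshold trades FAR for FRR."""
    return [(t / steps, far(t / steps), frr(t / steps)) for t in range(steps + 1)]

def threshold_for_far(target_far, lo=0.0, hi=1.0):
    """Bisect for the lowest threshold whose FAR does not exceed target_far."""
    for _ in range(60):
        mid = (lo + hi) / 2
        if far(mid) > target_far:
            lo = mid
        else:
            hi = mid
    return hi

def frr_at_pin_equivalent_far():
    """FRR the modelled scanner imposes once tuned to the PIN's FAR."""
    return frr(threshold_for_far(PIN_FAR))

if __name__ == "__main__":
    t = threshold_for_far(PIN_FAR)
    print(f"threshold {t:.3f}: FAR {far(t):.5f}, FRR {frr(t):.3f}")
    for thr, fa, fr in det_curve(10):
        print(f"  thr {thr:.1f}  FAR {fa:.4f}  FRR {fr:.4f}")
```

With these constructed figures the modelled scanner has to reject roughly a quarter of genuine attempts to match the PIN’s False Accept Rate, which is exactly the kind of operating-point number the comment says is unpublished for vein scanning in practice.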
