There’s no going back

Insight: Trigger Finger – Apple fires biometrics into the mainstream (Reuters)

By adding a fingerprint scanner to its newest mobile phone, Apple Inc is offering a tantalizing glimpse of a future where your favorite gadget might become a biometric pass to the workplace, mobile commerce or real-world shopping and events.

Read the whole thing. I think this piece gets things about right.

It’s easy to overestimate and underestimate the importance of what Apple has just done. The fingerprint functionality itself is pretty shallow. The fingerprint sensor allows users to unlock the phone and buy stuff from Apple. That is all. But that also reflects that, of course, Apple wants to get things right “in captivity” before releasing the fingerprint sensor “into the wild.” And further, I think that means that fingerprint sensors on mobile devices are here to stay. Samsung, Microsoft/Nokia, etc. will follow suit.

It’s Official: New iPhone really does have a fingerprint reader

Well, the rumors were true. Apple has included a fingerprint sensor in its newest iPhones. It’s hard to escape the conclusion that this is a big deal for mobile biometrics even though the biometric capability in the iPhone is limited to unlocking the device. Still, that’s not nothing and I expect that eventually, app developers will be given access to the reader.
Even if they aren’t, Apple’s addition of a fingerprint sensor probably foreshadows their inclusion by all sorts of handset manufacturers. Motorola already has a history there; Samsung certainly won’t be left behind as mobile ID surges forward; Microsoft/Nokia + Windows 8 will almost certainly join the fray; moreover, we’d expect all of those companies to have a more laissez-faire attitude than Apple toward turning future fingerprint hardware over to third-party developers.*

*The preceding paragraph was revised on 24 Sept. 2013; it originally read, “Even if they don’t, Apple’s addition of fingerprint a sensor probably foreshadows their inclusion by all sorts of handset manufacturers. Motorola already has a history there and Samsung certainly won’t be left behind as mobile ID surges forward.”

The case for mobile fingerprint hardware

Why would Apple add a fingerprint sensor to the iPhone? (Macworld)

Much of the theorizing has revolved around the possibility that Apple will add a fingerprint scanner to the iPhone, either incorporating it directly in the Home button, or, as indicated in a patent granted to the company in 2012, situating it in a dedicated area of the handset’s front screen. Such technology is far from science fiction—and it could actually provide real, tangible benefits to iOS device owners.

Frost & Sullivan on Mobile payments and biometrics

Biometrics Can Revolutionise Mobile Payment Security, says Frost & Sullivan (Press Release via KIII TV)

With the explosion in smartphones usage, the number of payments done via mobile devices has significantly increased over recent years. As eCommerce becomes mCommerce, the industry has to focus on payment security. During a ‘card not present’ process, a personal account number (PAN), expiration date, and card validation code (CVC) are not enough to completely secure a transaction. Biometrics that provide high levels of security and an intuitive customer experience might be the solution for secure mobile payments.

“Protecting the mobile device itself is a first step, necessary to secure mobile payments. Although a personal identification number (PIN) can do the job, in 2011 more than 60 percent of smartphone users were not using a PIN to protect their mobile access,” noted Frost & Sullivan Global Program Director, ICT in Financial Services, Jean-Noel Georges.

PayPal goes for bricks-and-mortar payments

PayPal tests mobile payments using your face for verification (CNET)

When purchasing an item, the customer’s name and photo pop up on the store’s payment system. An employee clicks on the photo to initiate the payment. The customer then gets a notice and receipt for the transaction on their phone.

PayPal looks to be trying to process payments in bricks-and-mortar retail establishments with a clever method of substituting a mobile phone for a credit card and a photo for a signature.

The PayPal system uses a human-based facial recognition scheme that humans are actually quite good at administering: one-to-one matching. If PayPal finds it desirable, an algorithm-based face matching feature could be added fairly simply by installing a small webcam and a software application.

If you build it…

Pantech reveals fingerprint-scanning smartphone (MSN – Malaysia)

The biometric reader is built into the phone’s rear panel, as is a small touchpad for unlocking the device. An interesting idea in theory but how it will work in practice is anyone’s guess.

Mobile application developers need to know that the hardware they rely upon will be there. It’s looking more and more likely that, following a false start in 2011, there will be a fingerprint capability in the Android environment. Hopefully it’s here to stay this time.

See:
Mobile Handset Review: Motorola Atrix 4G (The One with a Fingerprint Reader) – Monday, October 31, 2011

Disappointment followed two days later…

Motorola Atrix 2 Has No Fingerprint Reader – Wednesday, November 2, 2011

India to require fingerprints before issuing SIM card

Soon You Will Require Fingerprints To Buy A SIM Card (SiliconIndia)

To put an end to the unauthorized distribution and access of SIM cards by fraudsters, the home ministry has asked Department of Telecommunication to explore various measures to take biometric details including fingerprints by cell phone service providers before activating the connection.

India isn’t alone. Pakistan is considering a similar requirement for purchasing a SIM (Subscriber Identity Module) card as a way of more definitively tying mobile phones to their purchasers.

Nigeria implemented a similar system beginning in 2010.

There are several reasons that countries want to do this. Most are related to making it easier (or even possible) to investigate crime. Mobile phones are critically important tools in criminal enterprises such as ransoming kidnapping victims and organized robbery. Terrorists depend upon mobile phones both for communication and to detonate explosive devices: Tele-operators briefed on biometric system (The Nation)

“NADRA being the sole custodian of biometrics of over 96 percent total population of the country, has offered the biometric solution in the wake of Interior Ministry’s grave security concerns over the use of cellular devices in terrorist plots,” the spokesperson said. It should be noted that on December 1, 2012, the Prime Minister, after taking notice of insecure sales mechanism for issuance of SIMs, directed all telecom companies to employ biometric verification for SIMs issuance within two months’ time.

Biometric Authentication Provides Better Mobile Device Security (Press Release via Marketwatch)

“Today’s phones already enable contactless payments, mobile wallets and mobile banking, and these changes signal the need for secure services that can be performed wirelessly or with a smartphone,” says Denise Culver, research analyst with Heavy Reading Insider and author of the report. “And as smartphones, tablets and other mobile devices continue to proliferate and provide users with powerful, mobile, networked multimedia computing options, the need to secure them will become even greater.”

The drive behind biometric authentication on smartphones will occur from both the consumer and enterprise, Culver says.

Nothing is fool proof

Google’s Patent on Facial Passwords Published; Analysts Not Impressed (Mobile Bloom) — “Fool proof biometrics are yet to be designed and according to experts, this technology won’t come close to achieving it either.”

Nothing is fool proof. If easy-to-use facial recognition leads to more people protecting their mobile handset with some sort of access control technology, that’s probably a good thing. The process described at the link is actually pretty sophisticated and would probably suffice for 99.99% of mobile device users.

No good work whatever can be perfect, and the demand for perfection is always a sign of a misunderstanding of the ends of art.

—John Ruskin

Substitute “technology” for “art” and it’s still true.

Biometrics for mobile ID gaining acceptance among telecoms

Mobile biometrics gaining traction, ‘common’ by 2015 (ZDNet)

Tracy Hulver, chief identity strategist at Verizon enterprise solutions, said: “Biometrics, without a doubt, will become more prevalent as a component or add-on to mobile devices in the coming years.”

Proving people are who they say they are has been a challenge for digital security since computers have been in use, according to Hulver. Biometrics, he added, provided a “multifactor” authentication scheme: pairing “something you know” such as a user ID and password combination, with “something you are”.

She ought to know what she’s talking about.

It’s all ID nowadays

If the one word for the 60’s was plastics and in the 80’s it was all ball bearings, the technology touchstone for the 2010’s figures to be identity.

The “i” in the next iPhone will stand for “identity.” (Cult of Mac)

When people hear rumors and read about Apple’s patents for NFC, they think: “Oh, good, the iPhone will be a digital wallet.” When they hear rumors about fingerprint scanning and remember that Apple bought the leading maker of such scanners, they think: “Oh, good, the iPhone will be more secure.”

But nobody is thinking different about this combination. Everybody is thinking way too small. I believe Apple sees the NFC chip and fingerprint scanner as part of a Grand Strategy: To use the iPhone as the solution to the digital identity problem.

NFC plus biometric security plus bullet-proof encryption deployed at iPhone-scale adds up to the death of passwords, credit cards, security badges, identity theft and waiting in line.

Apple loves to solve huge, hitherto unsolved problems. And there is no problem bigger from a lost-opportunity perspective than digital identity.

The Boston Consulting Group estimates that the total value created through real digital identity is $1 trillion by 2020 in Europe alone.

Read the whole thing. Stripped of the Apple-worship, it’s an astute post.

The link inside the quote above is in the original and the pdf it links to is highly worth a look, as well. From the executive summary…

Increasingly, we are living double lives. There is our physical, everyday existence – and there is our digital identity. Most of us are likely more familiar with that first life than with the second, but as the bits of data about us grow and combine in the digital world – data on who we are, our history, our interests – a surprisingly complete picture of us emerges. What might also be surprising for most consumers is just how accurate and traceable that picture is.

Views on digital identity tend to take one of two extremes: Let organisations do what they need to in order to realise the economic potential of “Big Data,” or create powerful safeguards to keep private information private. But digital identity can’t be cast in such black-and-white terms. While consumers voice concern about the use of their data, their behaviours – and their responses to a survey conducted specifically for this report – demonstrate that they are willing, even eager, to share information when they get an appropriate benefit in return. Indeed, as European Commissioner for Justice Viviane Reding remarked, “Personal data is in today’s world the currency of the digital market. And like any currency it has to be stable and it has to be trustworthy.” This is a crucial point. Consumers will “spend” their personal data when the deals – and the conditions – are right. The biggest challenge for all stakeholders is how to establish a trusted flow of this data.

A new type of ID is needed to bind our physical and online selves, payments and hardware. If the tech giants are going to finish off the post office and assume the role of credit card companies, they’re going to have to solve the ID problem. If they solve the ID problem, there’s really no telling how many other business models they can disrupt.

It worked for the credit card companies…

…Adding financial-management tools and rewarding consumers could increase use of mobile phones as payment devices

Accenture survey on attitudes toward using more services via mobile platforms

More than half of respondents who currently use their smartphones to make payments said they were highly likely to pay by phone more often if they could use their phone to track receipts (cited by 60 percent of respondents), manage their personal finances (56 percent), or show proof of insurance (56 percent) or of a valid driver’s license (54 percent).

In addition, more than half of those who currently make mobile payments also said they were highly likely to pay by phone more often if they were offered: instant coupons from retailers when buying by phone (cited by 60 percent of respondents); reward points stored on their phone for future purchases at the store (51 percent); coupons that could be automatically stored on their phone (50 percent); or preferential treatment, such as priority customer service (50 percent).

Industry report: mobile malware on the rise

In a departure from our normal biometrics fare, NQ Mobile has a new report [pdf] showing that mobile devices are increasingly being targeted by, and succumbing to, malware developers.

The linked pdf also has a list of the top five most infected markets.

NQ Mobile offers their mobile security suite in both free and premium versions.

Despite warnings that too few people protect access to their mobile device with a PIN, doing so does not prevent authorized users from being tricked into downloading malware. See: The Con is Mightier than the Hack

That means mobile security services are going to be an important factor in keeping the purple bar at the far right of the picture as short as possible.

New Dell tablet appears to have a static fingerprint reader

Judging by one of the photos accompanying this item at GottaBeMobile.com, the new Dell Latitude 10 tablet incorporates a static fingerprint reader on the back.

The “static” part of static fingerprint reader refers to the finger as the user interacts with the hardware. With a static reader the finger is held stationary against the sensor. The swipe reader requires the user to drag a finger across the sensor. Though the software behind the swipe reader sensor has improved over time, I’ve found the swipe sensors more difficult to use than static sensors. Nevertheless, probably due to cost considerations and the real estate available for situating the sensor hardware, the swipe fingerprint readers were preferred by the first generation of hardware manufacturers to incorporate fingerprint sensors into mobile devices like laptops and mobile phones.

So, it seems like some combination of the following statements must be true:
- The hardware cost of the static sensors, compared to swipe sensors, has come down*;
- The static reader hardware has gotten smaller;
- The market demand for fingerprint biometrics on mobile hardware has risen;
- And I’m not the only one who prefers using static readers.

Another observation:
It’s difficult to tell from the photo, but the fingerprint reader still looks awfully small — roughly the size of the cell phone camera also visible in the image.

Here’s a good static vs. swipe summary.

*To keep this apples to apples we’re going to leave optical scanners out of this discussion altogether.

Pakistan may require a fingerprint check to purchase a cell phone

Pakistan is considering requiring a fingerprint check as part of the process of purchasing a SIM (Subscriber Identity Module) card as a way of more definitively tying mobile phones to their purchasers.

Nigeria implemented a similar system beginning in 2010.

There are several reasons that countries would want to do this, most related to making it easier (or even possible) to investigate crime. Mobile phones are critically important tools in such criminal enterprises as ransoming kidnapping victims and organized robbery. Terrorists depend upon mobile phones both for communication and to detonate explosive devices.

Tele-operators briefed on biometric system (The Nation)

“NADRA being the sole custodian of biometrics of over 96 percent total population of the country, has offered the biometric solution in the wake of Interior Ministry’s grave security concerns over the use of cellular devices in terrorist plots,” the spokesperson said. It should be noted that on December 1, 2012, the Prime Minister, after taking notice of insecure sales mechanism for issuance of SIMs, directed all telecom companies to employ biometric verification for SIMs issuance within two months’ time.

Hardware & ID Security: PC vs Mobile

Mobile banking to hit 1 billion users by 2017

Fortunately for the consumer, mobile devices often contain technologies such as GPS that track the user’s location, front-facing cameras that can be used for face-recognition, and other biometric tools such as voice recognition technology and in some cases fingerprint technology. In December, Ben Knieff, head of fraud at financial crime and technology specialist NICE Actimize told Banking Technology that mobile banking could eventually become safer than online banking.

“While consumers didn’t like biometrics ten or even five years ago, rising usage of the technology on sites like Facebook has made it more acceptable,” he said. “Consumer sentiment is changing, and I believe there could actually be an opportunity to use some of these technologies to make mobile banking even safer than internet banking is today.”

The whole article is worth reading but two points in the second paragraph quoted above are especially thought-provoking.

That’s the first time I’ve seen the Facebook face recognition issue turned on its head like that. Stories of outrage at the Facebook facial recognition app are easy to find. Whether this has more to do with Facebook’s User Agreement policies or biometric technology is a subject for another day, but is it possible that as suggested above, by putting people into contact with the technology the Facebook face rec kerfuffle has made biometrics more acceptable to the networked public?

Another fascinating item in the second paragraph is the notion that mobile banking can be inherently safer than online banking conducted through desktop or laptop computers. We discussed some of the reasons for this in Mobile Devices and Biometric Modalities, but the reasons why authentication via mobile devices may be more rigorous than that using other hardware go beyond biometrics. Mobile devices are quite simply capable of covering all of the factors listed below. In a multifactor authentication model, the more factors that can be determined simultaneously, the higher the confidence in the authentication transaction.
Here they are.

Something you have (tokens: key, prox card, mobile phone, etc.)
Something you know (passwords, PINs, codes, high school mascot, etc.)
Something you are (biometrics: eye, voice, face, fingerprint)
Where you are (location: IP address, cellular signal, GPS, in the bank branch)
When you are (time)

Mobile hardware supports all the factors above and, in the factors with bold face, mobile platform security exceeds the security attributes of PC hardware. Mobiles make better tokens because they aren’t often shared, they have Bluetooth, near field communication (NFC), and Wi-Fi capabilities for external signaling and, of course, they’re mobile. They support passwords (OK, maybe not quite as conveniently as PCs). Two biometric sensors, the camera and microphone, come stock on all mobiles. They know where you are at all times.

The “what time it is” question is a draw in the current discussion. Both technologies in question (mobile vs. PC) are equally ignored here because the question of time is answered on the server side; i.e. you can’t avoid late fees by setting the clock back on your PC when you make last month’s payment online. Payees have their own clocks. I just included it because it’s a real factor and there are ID/security applications where an individual is treated differently at different times of the day. Time also comes up in combination with location. Credit cards run fifteen minutes apart in gas stations separated by 1,000 miles raise suspicion.
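The time-plus-location check described above can be written as a velocity ("impossible travel") rule; the following is an added sketch, not code from the original post. The event fields, the 600 mph ceiling, the account names and the sample coordinates are all assumptions made for illustration, and timestamps are taken from the server, as the paragraph notes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 600.0  # assumed ceiling, roughly airliner cruising speed


@dataclass(frozen=True)
class AuthEvent:
    account: str
    server_time: datetime  # stamped by the server, never by the client clock
    lat: float
    lon: float


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in miles."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def implied_speed_mph(prev, cur):
    """Speed needed to get from prev to cur in the elapsed server time."""
    miles = haversine_miles(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.server_time - prev.server_time).total_seconds() / 3600
    if hours <= 0:  # same instant: any real distance is impossible
        return float("inf") if miles > 0 else 0.0
    return miles / hours


def flag_impossible_travel(events, max_mph=MAX_PLAUSIBLE_MPH):
    """Return (previous, current, mph) for each consecutive pair of events
    on one account whose implied speed exceeds max_mph."""
    last_seen, flagged = {}, []
    for ev in sorted(events, key=lambda e: e.server_time):
        prev = last_seen.get(ev.account)
        if prev is not None:
            mph = implied_speed_mph(prev, ev)
            if mph > max_mph:
                flagged.append((prev, ev, mph))
        last_seen[ev.account] = ev
    return flagged


# Constructed sample events (not real data).
T0 = datetime(2013, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    AuthEvent("acct-A", T0, 40.7128, -74.0060),                          # New York
    AuthEvent("acct-A", T0 + timedelta(minutes=15), 25.7617, -80.1918),  # Miami
    AuthEvent("acct-B", T0, 40.7128, -74.0060),                          # New York
    AuthEvent("acct-B", T0 + timedelta(minutes=15), 40.7357, -74.1724),  # Newark
]

if __name__ == "__main__":
    for prev, cur, mph in flag_impossible_travel(SAMPLE_EVENTS):
        print(f"{cur.account}: {mph:,.0f} mph implied between events")
```

Only the first account is flagged: roughly 1,090 miles in fifteen minutes, while the second account's short hop stays well under the ceiling.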

That’s the theory anyway. In theory, mobile hardware can facilitate higher confidence ID authentication. In practice the security vulnerabilities of the PC world are better understood. There are several household names offering services that maintain PC hardware as a virus/trojan/worm-free environment. Uptake of similar technologies has yet to take off with mobile hardware. That will change, though, if more people use mobile hardware to handle their finances.