Identity & Access

HSBC Allows Selfies for User Authentication

HSBC bank has become the latest financial institution to adopt smartphone-based biometrics as a form of user authentication. Institutions already doing so include MasterCard (selfie), Barclays (voice) and Bank of Montreal (selfie or fingerprint). HSBC’s chosen method is the selfie.

Phones have been a key element in providing two-factor user authentication for many years. The usual method has been to send the user a one-time password via SMS. The advantage of the SMS approach is that it can be used whether the user has a standard mobile phone or a screen-based smartphone. But there are three primary disadvantages: firstly, it is disliked by consumers because of the additional effort (friction) required; secondly, it ultimately only verifies the device, not the user; and thirdly, in combination with the second issue, it is a method that can be compromised by malware.

NIST recently made it clear that it does not support SMS-based authentication, while studies have shown that users are ready to accept biometrics.

Biometric authentication goes a long way to solving the problems with SMS-based authentication. In terms of ease-of-use, there is minimal user friction — the user does not have to remember anything nor enter an additional passcode via the keypad. In terms of security, properly functioning biometric authentication verifies the user and not just the device.

For now, the HSBC selfie is purely for opening new accounts, and clearly aimed at attracting new, young customers. It works with HSBC’s selfie mobile app available for both Android and iOS. The user must upload a photo ID document, such as a driver’s license or passport. The selfie is then compared to the verified photo image to confirm the identity of the user.

“Through simplifying the ID verification process, we’ll be able to save our business customers time and open accounts quicker,” said Richard Davies, HSBC’s Head of Global Propositions for Commercial Banking. “We also expect the convenience and speed of a ‘selfie’ to become the verification method of choice for our customers, who no longer need to visit a branch to complete the process.”

This same ease-of-use argument is being considered by the wider corporate community. Making authentication difficult for the user (for example, by insisting on frequently changed long and complex passwords) invites them to find insecure ways to simplify the process; or simply complain about the difficulties. While corporates have a history with their own employees and can include behavioral analysis to verify the user, banks have no such prior history with new customers. Straightforward biometrics is a useful solution — and since there is a necessary consent contract with opening a bank account, banks don’t have the privacy issues that could be involved with companies storing biometric records of their employees.

This doesn’t mean that facial biometrics are without problems. Historically they have been prone to false positives, depending on the angle of view and lighting. Repeated false positives would generate as much user friction as other methods of authentication, including visiting the local branch. We can assume that HSBC’s trials and studies have concluded that its expected false positive rate falls well within acceptable bounds.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
