Biometrics has been creating a tremendous amount of buzz this week at two separate shows, one in Paris - CARTES 2014 - the other in Las Vegas - Money 20/20. Innovative biometric technology vendors such as EyeVerify (Eye Vein) and Agnitio (Voice) have been demonstrating how their respective technologies can bring convenient user authentication to smart mobile devices for a wide range of use cases including banking and payments.
The financial services industry is increasingly turning to biometric technology to solve a number of problems, including how to conveniently authenticate mobile banking and payment customers and how to add strong authentication to previously un-authenticated contactless payments (both card and mobile) at the physical point of sale without adding friction to a currently speedy process. The latter point would enable higher value transactions to be supported when using contactless technology - currently shoppers are restricted to around $20,00 per transaction. Zwipe, a biometric card technology company, is partnering with MasterCard to extend its trial of fingerprint-authenticated contactless payments. It also solves the problem of what happens if I lose a contactless payment or transit card that doesn't authenticate the person using it.
MasterCard is also partnering with another innovative technology company in Canada. They are teaming with the Royal Bank of Canada (RBC) and Bionym, the company behind the Nymi electrocardiogram (ECG) band, to test electrocardiogram-authenticated payments by the end of this year. The use of wearable devices for biometric authentication is set to rapidly expand over the next five-to-six years. Not only will you have sole-purpose wearables (like the Nymi) being used for biometric authentication purposes, but biometric sensors and software technology will also be integrated into consumer wearable technology to sit alongside health and lifestyle applications. The creation of biometric platforms and freely available APIs will accelerate the integration of biometrics technology into a wide range of wearable technology.
The ability to leverage multiple sensors that are continuously collecting biometric data from us will revolutionize how humans are identified to a wide range of digital services and lead to synergies between physical and cyber worlds. From opening up my front door and locking my car to waking up my desktop and authorising a wire transfer (BTW I am not a techno-utopian - I know that it will be extremely difficult to have the one digital identity on the single device that can be asserted across all of my connected devices and assets).
Instead of people typing in a remembered PIN, password or OTP generated by a hardware token, their identity shall be presented to connected devices through a combination of biometric data and behavioural analysis. Instead of presenting a finger to unlock an iPhone or to make a payment using a biometric card, wearable devices allow continuous biometric feedback from their owner - something that could be very powerful and potentially much more difficult to spoof or hack. It also becomes hygiene - I know that it is there and I know that it is keeping my digital and physical assets safe and secure but it is definitely not obtrusive and annoying like remembering where I put my token or unlocking my personal safe to get hold of my bulky black book of passwords (that is getting thicker and tattier by the day).
These trends are happening at an incredible pace and as a result I have decided to update a report I wrote that was originally published in June 2014. The report, "mobile and wearable biometric authentication market analysis and forecasts 2014-2019", has been updated with revised forecasts for wearable biometrics authentication users and reflects new market activity such as Apple Pay. The report forecasts that by 2019 there will be 604 million users of wearable biometric authentication solutions.
If you want to know more about this research or talk to me about this blog then I would love to hear from you. Contact me through the website www.goodeintelligence.com.
Thanks for reading. Alan
Thursday, 6 November 2014
Tuesday, 28 October 2014
The role of the Mobile Network Operator in Authentication Services
In previous posts, I have talked about the need to deliver agile authentication services that are convenient to use and address the needs for proving identity across a wide range of services from a variety of endpoints.
Legacy authentication solutions, especially passwords, are continually proving to be both inconvenient and insecure for both consumers and employees – although the lines between the two are being eroded.
Thankfully, a combination of factors including the development and deployment of open standards, including OpenID Connect, SAML and FIDO, and the creation of innovative mobile-based authentication technology, including biometrics, are moving us away from a reliance on legacy authentication solutions and towards authentication solutions that allow people to authenticate once with the touch of a finger.
PayPal’s FIDO-enabled biometric authentication solution on Samsung devices and Apple’s Touch ID solution are paving the way for wide-scale adoption of convenient user-centric authentication and getting people used to new methods of proving their identity for digital services.
These services are just the tip of the iceberg in terms of the potential for next generation mobile authentication services and I believe that Mobile Network Operators (MNOs) can play an important role in the new authentication landscape as they are logical owners of authentication services in an era where accessing the internet is increasingly being made from mobile devices.
MNOs have long standing relationships with millions of consumers around the world and are considered to be trusted organisations that know how to deliver secure consumer-focused services.
By owning and managing one of the trusted building blocks of mobile communication, the SIM, MNOs have a part to play in the delivery of authentication services to billions of mobile phone subscribers around the world.
I have just completed a piece of work, commissioned by Nok Nok Labs, that details the important role of Mobile Network Operators in delivering the latest agile authentication solutions. You can download the white paper from the Goode Intelligence website here.
I am also taking part in an online webinar organised by Nok Nok Labs to discuss this research on 4th November 2014 at 16:00 GMT. You can sign up to the webinar here.
Thanks for reading.
Friday, 19 September 2014
Payments drives consumer biometrics and the push for enterprise
I was fortunate to be out in Washington DC last week (8-11 September) speaking at an RSA Global Summit on the future of authentication and presenting my research on mobile and wearable biometric authentication.
The Summit coincided with Apple's latest product launch on the 9th September and I was able to catch up with the announcements during a couple of breaks - unfortunately not aided by Apple's live streaming debacle that was at times verging on the ridiculous. (I particularly enjoyed the Chinese commentary and some severe editing that left out much of what Cook was saying. I got the applause but not the reason for the applause - perhaps that was Apple's corporate comms team in charge of editing?)
As well as a number of new hardware launches, including bigger, bolder iPhones and a watch (will it support biometrics for authentication?), we saw Apple make a push into payments with 'Apple Pay', using the Touch ID fingerprint system to provide authentication for payments (both online and physical). I have been watching Apple create the building blocks for this payment solution over the last couple of years - Passcode, iBeacon, Passbook, Touch ID, Secure Enclave and finally NFC. Nice to see the finished solution.
As I said in a couple of interviews with the press last week, what Apple has done is not revolutionary; what it has successfully done is to cement a number of emerging technologies into a usable solution. This is backed by strategic partnerships with the world's largest retail payment providers and links over 800 million global iTunes users to a mobile payments solution. And from a biometric authentication point of view, with Touch ID, it offers quite possibly the best user experience and the highest penetration of available mobile devices - a frictionless payment tool in a sleek piece of metal and glass. It will be interesting to see how it links other features such as loyalty, social and coupons to the payment app to make it any more appealing than using a plastic card - the value is not in the payment transaction per se.
By also opening up the Touch ID environment to third parties (Touch ID API) it allows other service providers (including financial services providers) to take advantage of this frictionless authentication solution. We have already seen announcements from MINT and Simple bank that they are utilising Touch ID for their mobile banking apps plus a proof of concept from Nok Nok Labs with a FIDO Ready solution. I expect that we will see many more announcements as the devices start to get in the hands of consumers (there is apparently pent-up demand for the latest iPhone from 4S and 5 users wanting to upgrade).
It is quite possible that the trend of Bring Your Own Identity (BYOI) may be accelerated as a result of Apple's Touch ID solution. All a service provider need do is to build an app that uses the Touch ID API and that's my authentication sorted - right?
Talking of FIDO, this year has also seen the world's two largest Internet payment companies, PayPal and Alipay, adopt FIDO standards (through Nok Nok Labs' S3 Authentication Suite) to leverage mobile-based fingerprint sensors to provide the prime authentication solution for mobile payments (where the device obviously supports it).
Payments is definitely driving consumer biometrics.
So what about the enterprise? Are they ready to embrace BYOI and adopt authentication solutions for their employees and business partners? I think the answer is a guarded yes but it may take some time.
My time spent at the RSA Global Summit last week in DC was very informative in listening to the thoughts and opinions of enterprise users. Consumer is definitely driving innovation in authentication and this is taking its time to trickle down into the enterprise. In the main, they have BYOI and consumer-based mobile biometric authentication technology on their radar but also need some assurances that the trust, privacy and security models (there is obvious overlap between these three) employed by mobile device OEMs (including Apple, Samsung and Huawei) are good enough to meet security policy and industry regulation.
FIDO can help; by creating a user authentication standard fit for a modern connected world, ratified by some of the world's leading technology companies and service providers, organisations and end users can have a higher level of assurance that trust, privacy and security demands are met. FIDO has real positives in the 'first mile' of authentication but also needs connections to subsequent miles of the authentication and authorisation journey.
Enterprise users in particular demand comprehensive and integrated authentication solutions that combine convenient user authentication (probably on a mobile or wearable device) with other associated risk and security solutions including single sign on/federation, risk based authentication and risk management, business aware authorisation that is context aware and threat intelligence/threat analytics. That's potentially a lot of integration work!
Please feel free to leave a comment on this blog - I am always interested in receiving feedback and openly discussing this fascinating topic.
Thank you, Alan.
Thursday, 5 June 2014
Touch ID - The Cornerstone of Apple's Authentication Framework
This is an extract from an upcoming Goode Intelligence Analyst Report entitled "Mobile & Wearable Biometrics for Authentication Applications"
Apple caught much of the analyst and biometric community by surprise with the announcement that it was to open up its Touch ID fingerprint biometric environment to third-parties using an API at its annual developer conference, WWDC2014, on 1 June 2014.
Apple announced that once iOS 8 launches (possibly September or October 2014) third party developers will be able to access the Touch ID environment and leverage the benefits of mobile fingerprint biometrics.
During the presentation given by Apple's SVP Craig Federighi, Apple referenced Touch ID being used to authenticate into a personal financial application called Mint.
Apple’s Touch ID Local Authentication Framework (LocalAuthentication.framework) will enable third-party app developers to make use of Touch ID and benefit from its convenient personal authentication features.
Touch ID has been a great success for Apple; Apple also announced some stats for its Passcode phone unlock feature at WWDC. 83 percent of users were turning on the Passcode phone lock feature compared with 49 percent of general iOS users. That equates to millions more iOS devices being protected against unauthorised access and a great deterrent to theft.
Apple has been steadily building up its product and software portfolio to offer a wide range of connected services and it appears that they intend to use Touch ID as the foundation for identity verification on the Apple ecosystem.
I believe that Touch ID will be used to authenticate in the following scenarios (some of these are available now and some are predictions):
- To replace the PIN for Passcode (device unlock)
- To provide authentication for Apple ID (iTunes purchases)
- To verify identity for an Apple payments product (both for online and physical store purchases)
- To provide authentication for Apple’s CarPlay in-car service
- To verify identity for Apple’s mobile healthcare solution “Healthkit”
- To provide authentication for Apple’s connected home solution “Homekit”
  - This includes the ‘Secure Pairing’ feature where only authorised users can unlock a home door or change the temperature of a room via a smart thermostat
Apple’s vision is to merge the logical and physical worlds using an iDevice (iPhone, iPad or even iWatch) as the smart controller with Touch ID providing convenient biometric authentication for this uber connected world.
Wednesday, 16 April 2014
The Samsung Galaxy S5 fingerprint sensor has been spoofed - what can be done to prevent it
With the recent news that researchers from SR Labs in Germany have successfully fooled (spoofed) the Samsung Galaxy S5's integrated fingerprint sensor, allowing unauthorised access to the device and the ability to make payments using the PayPal app, there are questions as to how secure fingerprint biometrics are for authentication. These questions are justified.
An authentication solution can be convenient but it must also be secure.
A fingerprint biometric can be more convenient than using a PIN or password, especially on a mobile phone. By touching or swiping a finger over a sensor a person can quickly unlock a device, gain access to an account or make a payment. However, if the sensor can be easily fooled then the solution is fundamentally flawed.
The key point in my last sentence was "easily fooled". Attacks on fingerprint biometric systems are relatively difficult to carry out. As Marc Rogers from Lookout Mobile Security pointed out in his blog from last year - "Why I hacked Apple's Touch ID and still think its awesome" - an attacker needs access to the device and then needs to use a lot of kit to physically create the fake fingerprint. As Rogers stated, this can be "tricky" and probably not within the reach of your average street thief. However, with the right equipment and a little ingenuity it can be done.
So what can be done to ensure we benefit from the convenience of biometric authentication on mobile devices but also have a level of assurance that the solution is difficult to spoof and attack?
One solution is to improve the anti-spoofing solutions within the biometric system. NexID Biometrics develops spoof mitigation and liveness detection solutions including its Mobile Live Finger Detection (LFD) software. The company claims that the solution can help ensure that the fingerprint system is not spoofed and states that authentication accuracy is as high as 94-97 percent.
I spoke with NexID Biometrics' COO, Mark Cornett, to get his views on this and he said; "While Apple validated the convenience of fingerprint authentication on mobile devices, the spoof of the iPhone 5S should have sent a signal to other device manufacturers that while providing users with convenient authentication, the current level of security is vulnerable to spoofing. The layers of security for unlocking mobile devices and their applications needs to be stronger to properly meet the needs of users, and facilitators of mobile commerce and BYOD policies. Now that the two largest distributors of mobile devices in the world have had their solutions spoofed, they will hopefully add liveness detection solutions to mitigate this vulnerability and thereby instil confidence in the use of mobile device fingerprint authentication."
As well as anti-spoofing and liveness detection solutions there are other tools that can be deployed to improve the security of these emerging authentication solutions. These include combining biometric authentication with other factors as part of a multi-factor authentication solution - especially useful for step-up verification where a high level of user assurance is required.
I am a big fan of behavioural, or gesture, biometrics where the device learns about how a specific user engages with their mobile device to create a profile that can be used as part of a risk-based authentication solution. By combining behavioural biometrics with fingerprint authentication a greater level of trust in who is actually using the device can be created. And when an unauthorised user attempts to spoof the system by using a gummy bear or wood glue mould then the authentication service can request another level of authentication to ensure that it is the valid owner of the phone and service. The link between the end user authentication client and cloud-based risk-based (anti-fraud) solutions, especially in financial services, cannot be underestimated.
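The step-up flow described above, sketched as an added example that is not from the original post or from any vendor's product: a fingerprint match is accepted outright only when the liveness score, the behavioural profile and the transaction value raise no flag. The feature names, thresholds and enrolment sessions are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class AuthEvent:
    fingerprint_match: bool  # result reported by the fingerprint matcher
    liveness: float          # anti-spoofing score, 0..1 (hypothetical scale)
    gesture: dict            # behavioural features observed in this session
    amount: float = 0.0      # transaction value; 0 for a plain unlock


class BehaviouralProfile:
    """Per-user profile: mean and standard deviation of each gesture feature."""

    def __init__(self, sessions):
        self.stats = {}
        for key in sessions[0]:
            values = [s[key] for s in sessions]
            # Guard against zero spread so the z-score below stays finite.
            self.stats[key] = (mean(values), pstdev(values) or 1e-6)

    def anomaly(self, gesture):
        """Mean absolute z-score; higher means less like the enrolled owner."""
        return mean(abs(gesture[k] - m) / sd for k, (m, sd) in self.stats.items())


def decide(event, profile, liveness_floor=0.5, anomaly_limit=3.0, high_value=100.0):
    """Return (decision, reasons). Thresholds are illustrative assumptions."""
    if not event.fingerprint_match:
        return "deny", ["fingerprint_mismatch"]
    reasons = []
    if event.liveness < liveness_floor:
        reasons.append("low_liveness")
    if profile.anomaly(event.gesture) > anomaly_limit:
        reasons.append("behaviour_mismatch")
    if event.amount >= high_value:
        reasons.append("high_value")
    # Any raised signal asks for another factor instead of trusting the
    # fingerprint alone; a clean event keeps the one-touch experience.
    return ("step_up" if reasons else "allow"), reasons


# Constructed enrolment sessions for one user (not real measurements).
ENROLMENT = [
    {"swipe_speed": 1.0, "pressure": 0.50, "hold_ms": 100},
    {"swipe_speed": 1.2, "pressure": 0.55, "hold_ms": 110},
    {"swipe_speed": 0.8, "pressure": 0.45, "hold_ms": 90},
    {"swipe_speed": 1.0, "pressure": 0.50, "hold_ms": 100},
]
PROFILE = BehaviouralProfile(ENROLMENT)

OWNER_GESTURE = {"swipe_speed": 1.1, "pressure": 0.52, "hold_ms": 105}
# A matching print presented with handling that is unlike the owner's.
UNFAMILIAR_GESTURE = {"swipe_speed": 2.0, "pressure": 0.80, "hold_ms": 200}

if __name__ == "__main__":
    cases = {
        "owner, small payment": AuthEvent(True, 0.9, OWNER_GESTURE, 12.0),
        "match, unfamiliar handling": AuthEvent(True, 0.9, UNFAMILIAR_GESTURE, 12.0),
        "match, weak liveness": AuthEvent(True, 0.2, OWNER_GESTURE, 12.0),
        "owner, large payment": AuthEvent(True, 0.9, OWNER_GESTURE, 500.0),
        "no match": AuthEvent(False, 0.9, OWNER_GESTURE, 12.0),
    }
    for name, ev in cases.items():
        print(f"{name:28s} -> {decide(ev, PROFILE)}")
```

The fingerprint result never appears as an "allow" on its own here; the decision that matters to the relying party is the combined one, which is where a cloud-side anti-fraud engine would plug in.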
There are ways in which you can improve the security of mobile-based biometric authentication solutions and deter the type of spoofing attack that has been witnessed with the Samsung Galaxy S5 - I have just touched the surface in what is possible.
However, an enhancement to the security of the biometric solution should not come at the expense of convenience and usability.
Mobile device manufacturers and service providers are turning to biometrics because they can enhance the usability of the authentication experience - this must not be altered.
Tuesday, 11 March 2014
Improving the first mile of authentication – how the FIDO Alliance and Nok Nok Labs are helping to create the building blocks of trusted identity
There has been a lot of media attention attracted by the FIDO Alliance, an organisation that is attempting to change the nature of online authentication through standards and I have been following the developments with interest.
FIDO has had a successful start to its history with some of the largest names in technology, PayPal, Google, Microsoft, Synaptics (Validity Sensors), Lenovo, RSA and MasterCard to name a few, playing a role in developing the standards that were recently made public.
A number of the FIDO members have already showcased FIDO Ready™ devices at this year’s trade shows including CES, MWC and RSA Conference 2014. Solutions from AGNITiO, GO-Trust, Infineon, Fingerprint Cards, Yubico, Synaptics (Validity Sensors) and Nok Nok Labs have all been shown to demonstrate how FIDO can be implemented at the endpoint.
And with Samsung announcing its new flagship S5 smartphone at MWC 2014 with an integrated fingerprint sensor linked to PayPal’s FIDO Ready™ mobile payments app we will soon see how the FIDO standards operate in the real world.
Samsung is also planning to open up the fingerprint sensor to third parties using its new Pass API and there is a possibility that the FIDO components will be available for developers to build mobile-based multi-factor authentication enabled applications; a very promising move.
I expect to see more clients and devices being launched throughout 2014 that are FIDO Ready™. These FIDO enabled devices will run a Multifactor Authentication Client (MFAC) that supports FIDO’s Universal Authentication Framework Protocol (UAF) and interfaces with a FIDO server.
Currently, Nok Nok Labs is the only provider of both the FIDO Ready™ client and server components with its S3 Authentication Suite.
The device OEM (could be a smartphone, a tablet or a Windows PC) would pre-install the MFAC and then a service provider, the Relying Party, (could be a financial services provider or a mobile network operator running it on an Authentication as a Service basis) would run the MFAS.
The MFAS has the capability of interfacing with policy and risk engines (including Risk Based Authentication) and also federated identity providers to link the client identity with multiple online services – brokering identity using strong mobile based MFA.
Over the past five years, we have witnessed a lot of development in the ‘last mile’ of authentication and identity assurance; standards such as SAML and OpenID have introduced a framework in which user identities can be shared amongst online services.
The FIDO Alliance and Nok Nok Labs are attempting to standardise the ‘first mile’ of authentication – an event at the beginning of the authentication process proving that an authorised person is allowed access to a digital service or to authorise a transaction.
These are early days for FIDO and Nok Nok Labs but I firmly believe that they are establishing the building blocks for agile omni-channel authentication and identity verification that will have an important part to play in improving the levels of trust in an open connected world.
Wednesday, 26 February 2014
Samsung leads the way in mobile biometrics with the Samsung Galaxy S5
In an announcement to a packed auditorium at Mobile World
Congress 2014 on the evening of the 24 February 2014, Samsung launched their
latest flagship Galaxy smartphone, the S5, containing an integrated fingerprint
sensor.
We still need more information on the specifics of how the
sensor will operate and interact with the associated services but this is what we know.
The S5 fingerprint sensor is a swipe sensor located on the front of the device, underneath the physical home button.
In a promising move from Samsung, they have initially linked
the sensor to four consumer and enterprise services that include:
- Phone unlock
- Private Mode protection, to protect important documents contained in a secure vault
- Mobile payments via the pre-installed PayPal app
- As part of a multifactor authentication (MFA) solution (Fingerprint + Password) for Knox 2.0 authentication
The mobile payments app is provided by PayPal, who have been working on the development of the supporting ecosystem for a number of years. It leverages a combination of hardware and software services that include:
- Integrated fingerprint sensor
- Hardware security environment provided by TrustZone (Secure Element, SE and Trusted Execution Zone, TEE)
- Secure authentication protocol and infrastructure (mobile client and server) as part of FIDO Alliance OSTP and commercialised by Nok Nok Labs
- Merchant service infrastructure to support PayPal mobile payments
Hill Ferguson, chief product officer, PayPal, commented on the development: "By working with Samsung to leverage fingerprint authentication technology on their new Galaxy S5, we are able to demonstrate that consumers don't need to face a tradeoff between security and convenience."
The fingerprint template is securely stored within the SE
and is protected by ARM’s TrustZone environment. This makes it difficult to
access or tamper with the biometric template and also allays privacy concerns
of having to store a fingerprint in a networked database.
This is extremely positive news for the whole industry.
This is an extract from an analysis of the Samsung S5 found in a Goode Intelligence Market Intelligence report (Fingerprint Biometrics Market Intelligence, third edition).
Wednesday, 19 February 2014
The Changing Face of IT – The Twin Challenges of Mobile and Service Oriented IT
More and more frequently, users are accessing corporate information from
a variety of devices – not just corporate-issued PCs, but from mobile devices
and tablets that may have a dual purpose as personal devices.
In a recent
white paper I wrote, published by Goode Intelligence, I explored the key
questions IT needs to consider as they
search for more convenient methods to secure and protect access to sensitive
information; sometimes on infrastructure that they do not own or control.
I invite you to listen to a short video discussion that I had with Ian Williams, Head of Market Intelligence, RSA, which is now available on YouTube.
What are the new IT challenges brought on by mobile and cloud adoption? The Changing Face of IT – The Twin Challenges
of Mobile and Service Oriented IT
For additional details, the full white paper is available for download; “Next Generation Authentication for the Mobile Ready Enterprise”
Tuesday, 21 January 2014
From Swipe to Touch to Invisible Touch - The Evolution of Fingerprint Sensors in Smart Mobile Devices
Readers of a certain age will possibly remember Genesis, the English prog-rock band that featured first Peter Gabriel and then Phil Collins on vocals. In the 1980s they released a rather poor 13th album called ‘Invisible Touch’. Little did they know that we would use that title in a rather obscure pun in an article on the evolution of fingerprint sensors in smart mobile devices (SMD) – the album cover is rather relevant though! And if you hear ‘Invisible Touch’ wafting over the speakers at a product launch at MWC 2014 – you know where they got their idea from.
This blog explores the evolution of fingerprint sensors designed for consumer electronic devices including smart mobile devices; from swipe to touch to ‘invisible touch’. This blog first appeared in the January 2014 edition of the Goode Intelligence Market Intelligence publication "Fingerprint Biometrics Market Intelligence" (published 28 January 2014).
Smartphone OEMs rush to embed fingerprint sensors
Despite the intense media attention that accompanied Apple’s launch of Touch ID, embedded fingerprint sensors on mobile phones have been around since 1998. Ever since Siemens developed its prototype device back in 1998 there has been a steady stream of handsets being biometric-enabled.
Fingerprint sensors are becoming a common feature of flagship smartphones, with an increasing number of mobile device OEMs joining Apple in launching high-end devices during the latter part of 2013. This included HTC, Fujitsu and Pantech. So far, all these Android-based devices have used swipe fingerprint sensors, sourced from either Fingerprint Cards (FPC) or Validity Sensors. For these Android devices, the sensor is located on the rear of the smartphone (see image of HTC One max below).
HTC One max (with Validity swipe sensor located
underneath rear camera)
Apple Touch ID - leader for smartphone touch sensor
Apple is so far the only mobile device OEM to have launched a device with an embedded touch capacitive sensor (shown below). The sensor uses capacitive touch technology to take a high-resolution (500 pixels per inch, or ppi) image from small sections of a fingerprint (from the subepidermal layers of the skin).
Source: Apple
There are advantages in
using a touch sensor over a swipe sensor on a mobile device:
- The user experience is usually superior
- Greater accuracy; there appear to be fewer failures as the finger is better positioned for touch. For swipe, the finger has to be swiped accurately over the sensor to ensure that the fingerprint is read correctly. On some smartphone implementations, especially on larger devices (phablets), the location of the sensor on the rear of the device makes this difficult when holding the device with one hand
- The sensor can be built into a hard button on the front of the mobile device, e.g. home/power button
Non-Apple smartphones - first swipe then touch
Goode Intelligence
believes that for the first quarter of 2014 a number of Tier 1 mobile device
OEMs will launch flagship models that incorporate a swipe sensor. This will
include further HTC models and releases from LG, Lenovo and Samsung (Samsung
may want to launch with a touch sensor to match the user experience of Apple’s
Touch ID).
The three remaining fingerprint
sensor manufacturers who can supply to the mobile device industry, Fingerprint
Cards, Idex and Validity Sensors (part of Synaptics) are all in the process of
commercialising their versions of the mobile-ready touch sensor.
Fingerprint Cards is probably in a more advanced state of commercialisation and has gone on record to say that their touch sensor (FPC1020) has been sold to a “Tier 1 OEM” for a “flagship smartphone with a targeted launch date in the summer of 2014”[1].
Idex and Validity will
follow FPC in launching their own touch sensors during 2014 and GI expects to
see them appear in smart mobile devices and other consumer electronic devices.
Next generation consumer fingerprint sensors - Invisible Touch
The third stage in the evolution of mobile device-based fingerprint sensors is driven by the need for greater user convenience combined with a trend to remove physical buttons from smart mobile devices, partly as a result of the reduction in bezel size and driven by the trend for larger touch screen sizes.
The elimination of
physical buttons creates a problem for component suppliers including
fingerprint sensor manufacturers as it removes an obvious place to position the
sensor. It also provides them with an opportunity for new markets for their
products.
The positioning of the
fingerprint sensor underneath, or within the touch screen, is the next stage in
the evolution of consumer fingerprint biometrics and enables mobile device OEMs
to remove physical buttons. It also ensures that the convenience of identification,
touching a finger on the front of a mobile device, is maintained.
GI believes that all
of the fingerprint sensor manufacturers currently operating in the consumer and
mobile space are well advanced in their research and development efforts to
make this a reality:
- Idex released this video after demonstrating a proof-of-concept device that placed the fingerprint sensor within the touch screen display
- Validity Sensors is now part of Synaptics, who are one of the world’s largest suppliers of touchscreen technology. Synaptics are also developing fingerprint sensors built into the touchpads that are embedded into laptops and notebooks
- FPC has demoed touch sensor capabilities with Windows for integration into Windows 8 (8.1) products and also works with CrucialTec, manufacturer of the optical TrackPad (OTP)
This includes Apple
and the resources that were integrated as a result of the AuthenTec acquisition.
‘Invisible Touch’ is not only suitable for smart mobile devices; any consumer electronic device that uses a screen has the potential to integrate a touch fingerprint sensor under or within the screen. This could include smart TVs, single-use gaming handhelds, tablets, touchscreen monitors, hybrid notebooks and touchscreens integrated into domestic appliances and smart house control technology. Whether anybody would want to authenticate using their fingerprint for their fridge is debatable (although perhaps if you wanted to stop a young child from turning on an oven or keep your teenager out of your wine cooler?).
This is a potentially huge market and is part of the wider consumerisation of biometrics that will revolutionise how we interact with technology.
This opportunity will be explored in an upcoming analyst report published by Goode Intelligence: "Emerging Markets for Fingerprint Biometrics".
[1] FPC wins first 1020 touch sensor DW from Global Tier 1 OEM for their flagship smartphone. 20 December 2013: http://www.fingerprints.com/blog/2013/12/20/fpc-wins-first-1020-touch-sensor-dw-from-global-tier-1-oem-for-their-flagship-smartphone/