What Device-Based Authentication Vendors Want You To Think

tl;dr: on-device biometrics link a device to a person, but who is that person? | a device, with its interceptions and apps harvesting credentials, is not secure enough | a server-side biometric template can't be overridden, and can be used across any digital channel | we call it BIDaaS - Biometric Identity as-a-Service

As we well know, the traditional banking branch is in decline as almost 70% of smartphone users prefer to use mobile banking apps, with over four billion sessions annually.

But an increasingly connected world brings with it an increasingly sophisticated cybercrime threat. Cybersecurity comes in many forms and today’s banks or financial institutions have put into place additional security measures to ensure that the person accessing an account, via a mobile, call center or browser, is indeed the person authorised to do so.

Banks have done this to offset the risk and impact of enterprise-level security breaches, and moved the access management and authentication from a central application, to the end-user’s device.

When accessing our accounts, most banks ask us to input a password, key in randomly selected letters or numbers from a special word, or use a randomly generated one-time passcode (OTP) via an app, phone or hardware to grant access.

More agile or customer experience-first banks may use a biometric factor—a fingerprint or facial scan for example. We feel safer because our biometrics prove who we are…

…right?

What consumers aren’t often aware of though, is the fundamental flaw of using a device as a source of authentication.

Misdirected trust, security veneers and wishful thinking

… It’s not that the bank typically ‘trusts’ the device, without really knowing that the user is who they say they are. Adding on an OTP (often by SMS message to the very device being used as the centre of trust) offers little in the way of security. SMS messages and emails can be intercepted via social engineering or through network weaknesses, as was the case with SS7.

…It’s not even that for banks, maintaining device-based security is ‘secure enough’ whilst they focus on the capricious ‘customer experience’. Customers are happy because adding in security features like Touch ID makes their data seem more secure but, as breaches amass, soon they—as well as the banks—will realise that these biometrics are nothing but a veneer; relying on the device is just not enough.

…Furthermore, there is a lot of marketing, based on wishful thinking, that device-based authentication is secure because it’s not a scalable attack vector.

Not only is this simply not true when considering remote mass attacks (3,4), but it also completely discounts the dangers of the free app that you—and a million other users—downloaded, which might be harvesting your credentials (5,6,7,8).

As just shown, whilst the approach seems secure in theory or on paper, history shows us that it is always the implementation that results in breaches. We simply cannot rely on the multitude of different mobile vendors implementing mobile security correctly.

The glaring truth: you’re authenticating the device, not the person

…The fundamental flaw is that the device is not the person. A phone could be pocketed, a password known, guessed or intercepted, an OTP delivered directly into the hands of someone who isn’t you, who then accesses your account. How would a bank know that you are not who you say you are, if the device seems legitimate?

Biometric authentication that is linked to or embedded within the device (i.e. a user’s stored photo matches a requested selfie) is just as insecure; a thief could easily reset the biometric data on the device, or simply bypass it altogether by selecting to use a password instead.

In short, no bank can control who enrols their biometric data onto a device.

The only way in which biometrics—or any security or access measure—can be truly reliable is if it is stored away from the device. Just as the security process has been pushed to the end user, the identity against which they are compared should be pushed away from the end user, to the cloud.

To illustrate, let us consider device-based identity management and cloud-based identity management, in the context of accessing a bank account:

From the table, one can see that if you have the device and the password (both easy to steal), bank accounts can easily be accessed. There is no way for a bank to determine that a user is who they say they are, if the ‘what you have’ and ‘what you know’ credentials match. Even biometric methods of access are linked to the device, meaning that they can easily be overridden.

However, when the digital identity is stored in the cloud—in such a way that it cannot be breached—we can see that it would be impossible for an account to be hacked if someone were to steal a device.

Once the identity is created and stored on a server, it becomes the ‘control’ that cannot be overridden, and from which all risk-based assessments are generated. Even if a device is stolen and passwords are intercepted, it would be impossible to behave like, look like and sound like somebody else.

We call this BIDaaS: Biometric Identity as-a-Service

BIDaaS is when the combination of images, voice recordings and behavioural data is converted from raw data to a digital construct and stored away from the device, on a server in the cloud. It is stored in such a way that it can never be reassembled; revocable templates are used to create it and render it useless in the unlikely event of a breach.

You have a unique, verified digital identity to which all future banking transactions can be compared, that truly enables a bank to be sure that the user is exactly who they say they are.
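The revocable-template idea described above, as an added example that is not AimBrain's code: a per-enrolment secret key seeds a random projection, the projected feature vector is binarised, and only the bit string is kept server-side (the BioHashing construction). The feature vectors, key sizes and the 25 % match threshold are constructed assumptions standing in for a real extractor and a tuned matcher.

```python
"""Revocable (cancelable) biometric template held server-side.

Constructed example: a per-enrolment key derives a random projection,
the projected feature vector is reduced to signs, and only those bits
are stored. Re-enrolling under a new key yields an unrelated template,
which is what makes the old one revocable and unlinkable to the new one.
"""
import random
import secrets

DIM = 16          # length of the (assumed) feature vector from the extractor
BITS = 128        # template length in bits
THRESHOLD = 32    # accept when at most 25 % of the bits disagree (assumed tuning)

# Constructed feature vectors standing in for a real extractor's output.
ENROLLED = [0.8, -0.3, 0.5, 0.1, -0.9, 0.4, -0.2, 0.7,
            -0.6, 0.2, 0.9, -0.5, 0.3, -0.8, 0.6, -0.1]
IMPOSTOR = [-0.4, 0.7, 0.2, -0.8, 0.3, 0.9, -0.6, -0.1,
            0.5, -0.7, 0.1, 0.6, -0.9, 0.2, -0.3, 0.8]


def noisy(features, seed=7, sigma=0.1):
    """Simulate the same person presenting again, with sensor noise."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, sigma) for f in features]


def _projection(key):
    """Derive a BITS x DIM Gaussian projection matrix from the secret key."""
    rng = random.Random(int.from_bytes(key, "big"))
    return [[rng.gauss(0.0, 1.0) for _ in range(DIM)] for _ in range(BITS)]


def transform(features, key):
    """Project with the key and keep only the signs; the magnitudes are
    discarded, so the stored bits are not the raw feature vector."""
    return [int(sum(r * f for r, f in zip(row, features)) > 0)
            for row in _projection(key)]


def enroll(features, key=None):
    """Create a fresh key and the template the server keeps for the user.
    Revocation is simply re-enrolment: call enroll() again for a new key."""
    key = key or secrets.token_bytes(16)
    return key, transform(features, key)


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def verify(features, key, template):
    """Server-side match: transform the fresh sample, compare bit strings."""
    return hamming(transform(features, key), template) <= THRESHOLD
```

Keep the key and the template in separate server-side stores: BioHashing's resistance to inversion relies on the key staying secret, and a leak of both together narrows the original feature vector considerably.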

One identity to rule them all

Furthermore, this digital identity can be linked to multiple channels – not just a device but a web browser, call centre, branch or even ATM. Multiple channels can rely on a single ‘version of the truth’, when it comes to an identity.

With enough interactions, a user will be able to skip the security questions when calling their bank, or will be recognised within a branch without requiring identification.

It’s time to ditch the vanity security measures

It’s time to focus on a server-side authentication model based on an unbreachable digital identity. A single version of the truth upon which access to all channels can be corroborated.

A digital identity that is kept safely away from personally identifiable information, and that conforms to the highest regulatory best practices for collection, storage, usage, transportation and disposal.

AimBrain - Simply Smarter Authentication