Selfies for mobile security might sound like something dreamt up by a group of millennials. But the technology is gaining traction in banking and beyond as a new approach to online digital identification.
For example, Lloyds Banking Group is rolling out selfie-based authentication technology for online account set-up. Customers applying to open a current account with Bank of Scotland are invited to submit pictures of their UK driving license or passport, along with selfie images to confirm their identity.
HSBC is similarly giving businesses the option to complete ID security checks on a mobile device using selfie-based verification.
Weak Passwords Are a Big Security Problem
The use of selfie-based authentication is more than a concession to fashion.
Conventional username and password login techniques are getting depreciated. People routinely pick weak passwords. Hackers are finding it easier to crack login IDs using brute-force techniques, trying every possible combination.
In addition, many users continue to re-use passwords across multiple sites. The practice means a password leak at a social networking site leaves any more sensitive accounts that share the same login credentials wide open to attack via a process known as credential stuffing.
Password login techniques are no longer reliable when used on their own.
Biometric Security on the Rise
Image recognition technologies, by contrast, are improving in reliability to the point where banks and financial institutions feel confident enough to apply them as an authentication tool.
For example, MasterCard is running a pilot program ‘selfie pay’ to replace passwords with selfies. Mastercard is allowing online shoppers to take a selfie to verify their identity for payments. It offers a more convenient method to sign-in and a faster checkout process than password/username login combinations.
The credit card issuing organization is also testing a range of other alternative authentication methods. This includes voice recognition and cardiac rhythm through a wearable wristband.
Online authentication techniques available for banks used to come down to a trade-off between three desirable features: effective, easy and low friction. Only two from the tree options were possible.
A positive user experience along with strong security is becoming possible through multi-factor authentication, often involving biometrics beyond fingerprint scans.
From Fingerprint Unlocking to Multi-Factor Authentication
Fingerprint recognition technologies have left the arena of spy films and gone mainstream with the introduction of Apple’s Touch ID technology on more recent iPhones. However, fingerprint recognition technology is difficult to offer through an online service. In addition, high-resolution copies of fingerprints can be stolen and cloned, another drawback to the technology that has pushed interest in alternative biometric techniques.
Industry best practice has moved towards multi-factor authentication. Passwords haven’t gone away but are increasingly becoming the “something you know” component in multi-factor authentication schemes. These can include an SMS message sent to a pre-registered mobile device or behavioral tracking technologies based on typing techniques as well as selfie-based authentication.
The government, as well as private industry, is embracing the shift away from passwords. For example. part of the UK government’s defend strategy for cyber security involves supporting Fast IDentity Online (FIDO), an emerging industry standard to improve authentication by moving away from sole reliance on passwords to secure internet-connected applications.
Selfies Beyond Banking Security
Selfie-based authentication technology has applications outside banking security. For example, some start-ups such as ShowU are touting the technology as a more general online digital identification technique for social media logins and more.
A user would take a selfie using the ShowUp app. A friend or family member would be required to vouch for the authenticity of this image before it is securely stored on file as the reference photo. From then on when a person logs into their online account, they take another selfie while reading out a randomly generated phrase displayed on the screen. The approach is to ensure the selfie is unique to that moment, and that the camera is pointing at a live person and not at a photo.