Apple’s TouchID has kicked off renewed interest in the combination of biometrics and the mobile phone in the mass consumer market. The public, I’m pretty sure, used to see the biometric mass market in “Minority Report” terms. By which I mean they saw the use of biometrics to passively identify individuals for the purposes of commercial gain as being invasive, frightening and sinister. Which, of course, it is. But TouchID isn’t identifying individuals. It is authenticating them. And it is authenticating them to bring convenience to their transactions.
This is exactly the reason why the combination of the mobile phone and biometrics is so important: because it’s about convenience, not security, and is about authentication, not identification. Julian Ashbourn makes this point in his chapter on “Identity and entitlement” in his excellent new book “Biometrics in the New World–The Cloud, Mobile Technology and Pervasive Identity” (Springer, London: 2014). Biometrics as a convenient means of authentication are mass market; biometrics as a high security means of identification are not.
The brilliance of Apple’s use of TouchID is that it doesn’t really matter. I use TouchID absolutely all the time. Probably a hundred times a day. Every time I pick up my iPhone I unlock it by holding my left thumb on the home button. It means I can use the phone one-handed (standing up on the train, I might add). I love it. But if the phone is in my right hand, then I can swipe my finger across the screen and enter my passcode. And if for some reason my thumb doesn’t unlock the phone so I have to use the passcode instead… so what?
Convenience is something at which Apple excel. When I got on the bus last night, I had to press the home button on my old iPhone to wake it up, then swipe my finger to get to the unlock screen, then enter the 4-digit passcode, then touch my Arriva app to display my ticket to the driver. With the new iPhone, when I press the home button to wake it up, it will scan my fingerprint and skip over the swipe and enter passcode stages. That may not seem like much, but when you are at the front of the queue on the bus, or checking in at British Airways, or showing a ticket for an event, or trying to show a loyalty card in a shop using Passbook, or paying in Starbucks using their app, it will save a few seconds of fumbling.
There is a security benefit, of course. There will be plenty of people who currently don’t lock their iPhones but will because of the fingerprint. Will TouchID be more secure than a 4-digit passcode that can easily be read over someone’s shoulder? Yes. Will TouchID replace 4-digit passcodes? No. You will still have a passcode for the odd occasion when your fingerprint can’t be read or for when your wife wants to look up something on IMDB on your iPhone and can’t be bothered to go into the other room and get her smartphone. Will TouchID make iPhones magically invulnerable and capable of storing your deepest thoughts perpetually and in complete secrecy? No. Biometrics in the mass market are about convenience, not security, as we have always factored into our risk analysis for biometrics in mass market payments.
I have a feeling that I am going to be using Apple’s model — local biometric authentication for the mobile device, wireless communication between the mobile device and the local environment — a lot more in the future as all sorts of environments sprout Bluetooth beacons, wifi enabled by NFC tap in and internet geofencing. I’ll be walking into the restaurant, the shopping mall and the airport with my phone in my hand and my thumb on the home button.
Right now, the use of TouchID is limited to unlocking the iPhone and authenticating iTunes purchases because developers do not have access to the fingerprint subsystem, but I’m sure that (given the competitive pressures as other handset manufacturers adopt similar technology) once the subsystem is tried and tested and tuned and optimised they will have it, so when I open PingIt or PayPal I will find myself using the home button instead of entering a passcode.
Crucially, given that Apple’s design influence and media mindshare are significantly ahead of its market share, TouchID’s deployment is a boost for the whole biometric authentication sector and, since the launch of the Samsung 5S, the integration of biometrics will be central to handset design over the next cycle.
My confident prediction that consumers will adopt the technology in the mass market is, naturally, based on inside knowledge from our clients. Consult Hyperion advised Natural Security on their system that combines biometric authentication and contactless interfaces. At the end of their trial in France, some 94% of users said that they wanted to pay for all in-store purchases using fingerprint authentication. France’s Groupement des Cartes Bancaires (CB, which has 62m cards in circulation) is working with the Natural Security Alliance coalition and is expected to approve a new authentication standard based on fingerprints before the end of the year.
I want to finish by making a specific point about this emerging subsector that I think might be usefully explored at the forthcoming Mobey Day in Barcelona later this year. It seems to me that if the local authentication model (perhaps inside a standard framework, where FIDO is the obvious example) is seen to be a core mobile transaction architecture, then there is the potential for a new and fruitful co-operation between financial services organisations and mobile operators. If mobile operators were to use convenient authentication to power a standardised, cross-operator identification service then
This is a positive vision: I go to buy something, I get bounced to my payment service provider, they request identification and authentication, I put my thumb on the home screen and the PSP gets back my unique identity and they can pay the merchant. In a recent WorldPay survey in the UK, half of all shoppers said that they wanted to use biometrics for payments. They may not have to wait much longer.