Apple Inc. showed how to combine biometrics and tokenization in a mainstream product, and now companies of all sizes are working to build on this combination.
The FIDO Alliance, an industry consortium focusing on modernizing authentication, has gotten traction for its specs defining the use of biometrics for authentication. Visa Inc. has renewed its focus on the Visa token project for e-commerce and mobile purchases. And a handful of startups, including New York-based HYPR, are developing in a market that HYPR's CEO, George Avetisov, calls "biometric tokenization."
The reason tokenization comes into play is that systems like Apple's Touch ID are more about convenience than security at this point; an iPhone locked with Touch ID can still be unlocked with a PIN instead. Many industry experts say biometrics could replace the password, but only when paired with another technology such as tokenization or hardware identification.
"With biometrics there are a lot of device security concerns...about the inherent security within the device, especially with the growing issue with malware," said Chris Bucolo, senior manager of partner relations for Sikich LLP's security and compliance practice.
HYPR's approach leverages Apple's Touch ID and turns the user's fingerprint data into a token which then allows bank customers, for example, to confirm a wire transfer or deposit. The security platform can also work with other biometric traits. Within HYPR's system, biometric data does not pass through a mobile device's operating system, nor is it sent to any third parties, reducing the risk of data breaches.
Apple has recently taken heat for the security of Apple Pay, after fraudsters were able to link stolen accounts to Apple handsets, essentially turning the iPhone into a cloned card. But Avetisov notes that this was not a failing of Apple's biometric security.
"The customer's card number has already been compromised" in that scenario, he said. "That doesn't have to do with the Apple Pay system so much."
Avetisov said linking the biometric to the SIM card would be helpful, but these steps towards more advanced identity management systems could take some time since many players would need to work together.
But many industry experts say pairing biometrics with a secure hardware infrastructure is one of the only ways data can be shielded from fraudsters. "Software is a hard place to hide something," said Sami Nassar, vice president and general manager at NXP Semiconductors. If the token is hidden in software running on the application processor in a mobile device, there's always a chance that the software could be cloned, Nassar said.
Last week, HYPR announced the general availability of its biometric authentication software development kit (SDK). And in the next couple of weeks, it plans to announce its first client, said Avetisov.
While Avetisov knew that business had a use for HYPR's biometric software, the company initially targeted consumers with a fingerprint scanning sticker that could be adhered to the back of a mobile device for triple-factor authentication of Bitcoin wallets. But like many consumer-facing companies before them, HYPR's mission has morphed.
"A lot of parties from the banking and mobile payment sector are starting to reach out to us to white-label the technology," Avetisov said. "Mobile banking has been the most imminent sector in which such a biometric crypto-system is needed."
Two of the largest Bitcoin wallets are also looking into HYPR's software to use for authentication on employees' personal devices that have access to a Bitcoin private key, he said.
According to a report from Gartner and Acuity Marketing, by 2016 there will be more than one billion biometric-enabled devices in the market. In another report, Acuity predicts that by 2020, the mobile biometrics industry will have an annual revenue of $34.6 billion.
"Everyone agrees there's a lot of potential," said Bucolo. "All these young folks want to do everything on mobile. And they're adopting biometrics, especially facial recognition because [it feels] like selfies."