There is money to be made for merchants who support mobile payments. However, cyber criminals have noticed and they want their cut, too. The newer and more untested the technology, the greater its potential vulnerability.
So it is with mobile wallets.
Though security is top of mind, organizations repeatedly fail to secure data as it transitions to the cloud. As vendors rush their mobile wallets to market, without any industry standards in place, there is no guarantee that security best practices are being implemented.
This is true for user authentication, which is becoming increasingly difficult. Authentication in the age of IoT, BYOD (Bring Your Own Device), and cloud services introduces challenges unaddressed by usernames, passwords, or tokens.
Enterprises widely adopted hardware tokens when they first came on the market 20 years ago; they implement time-based security codes and Public Key Infrastructure (PKI). But when it comes to the consumer market, which comprises the majority of online users, hardware tokens are a poor fit. As the demand for remote login and flexibility continues to rise, organizations are struggling to find and deploy authentication methods that are effective, easy to use, impervious to theft, and scalable.
An unquestioned part of modern life, usernames and passwords have been the standard for authenticating to online services for decades. Only recently have additional measures, such as enforcing increased password complexity or two-factor authentication (2FA), increased in usage. These newer methods of authentication have been slow to gain traction with everyday consumers because they are fragmented in nature, with no widely accepted standard.
Efforts to increase password complexity have failed because most people use the same common characters to fulfill these complex password requirements. With the rise of mobile computing, inputting complex passwords is burdensome; most users choose easy-to-type passwords that criminals find easy to guess.
To overcome password insecurity, providers have also offered 2FA software-based solutions such as SMS codes and time-based software token applications but these have shown to be vulnerable to malware attacks that plague many user devices. 2FA hardware tokens are a usability nightmare. In short, 2FA solutions do not provide sufficient security for organizations that require an end-to-end security solution.
However, on-device biometrics is a security trend that is starting to become commonplace. Several smartphones and computers have integrated biometric sensors often a fingerprint sensor. These devices also include a Trusted Platform Module (TPM) or Trusted Execution Environment (TEE) that handles the verification of biometric information separately from the primary devices core operating systems, which are susceptible to malware.
Equipped with biometric sensors, these new devices are able to change the way that users authenticate to services they use every day such as email, social media, and banking. More importantly, with such devices now widely available, the platforms providing these services have a major incentive to make biometric-based authentication available as a key user benefit.
Because a biometric signature is a unique identifying factor, biometric authentication is a conclusive, logical way to prove ones identity. However, users must exercise caution, as using biometrics is not a panacea for the security problem. Organizations should implement a security program that uses biometrics as one tool for proving user identity and ensures that sensitive data is only accessible by the individual to whom it biologically belongs. This means TPMs and TEEs are where a persons unique biometric signature should be stored, and other security tools should include robust encryption and tokenization schemes.
For the mobile wallet ecosystem, biometric authentication would make a tremendous impact. As part of a comprehensive security strategy, biometric authentication helps provide the level of security that our mobile-driven world demands.
George Avetisov is CEO of HYPR Corp.