Financial services group the United Services Automobile Association (USAA) is to enable its members to use biometric authentication, including face and voice verification, to log in to their accounts on their smartphone. The function is expected to be available in early 2015.
“This extends the mobile app’s multi-factor authentication options to include a unique PIN, face and voice recognition — all of which work in conjunction with a security code generated by the app for each login,” the association explains.
“USAA’s facial recognition requires users to look at the screen and, when prompted, blink their eyes. For voice recognition, users must read a short phrase.”
The decision to launch biometric authentication across the US follows a successful pilot in California, Texas and Florida. In addition to the pilot states, the service is now rolling out to Georgia, North Carolina, New York, Washington, Colorado, Maryland, Arizona, Pennsylvania, South Carolina, New Jersey, Ohio, Tennessee and Illinois.
“USAA is committed to cutting-edge solutions to make our members’ financial transactions as secure as possible,” says Gary McAlum, USAA’s chief security officer. “The use of multi-factor authentication through biometrics is one of the most effective ways to increase security protection as traditional passwords become increasingly obsolete.”
“The recent enhancements to the USAA mobile app highlights our focus on the member experience we deliver,” adds Carl Liebert, USAA’s chief operating officer. “We’ll continue to find and develop all solutions that can make the lives of our members simple, easy and more secure.”
Next: Visit the NFCW Expo to find new suppliers and solutions
Why on earth do they endeavour to bring down security by putting biometric sensors on the phones, tablets and PCs which have been somehow protected by passwords?
Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords only.
Whether static, behavioural or electromagnetic, biometric products are generally operated together with a password by OR/Disjunction (as against AND/Conjunction that is common for
2-factor authentication) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of
the vulnerability of biometrics (x) and that of a password (y). The sum (x + y – xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are even less secure than the devices protected only by a weak password.
These biometric products might look more secure in appearance, but it is just a false sense of security. Many of the consumers, who are trapped in the false sense of security, may well be piling up more of their information assets in the cyber space while some of the criminals, who are aware that those consumers are now less secure, may well be silently waiting for the pig to be fat.
False sense of security about a threat could be even worse than the threat itself. It is a conundrum how it is possible for so many security professionals to remain indifferent to such a nightmarish situation.