If you work in financial services and you haven’t heard of PSD2, stop reading now. If you’re still reading and have an interest in cybersecurity, here’s a question the ‘experts’ can’t seem to agree on: Are Apple’s biometrics secure enough?
If you regularly use Touch ID or Face ID, you already know they beat typing a password. Once you start using Apple's biometrics, you don't want to use anything else. The technology is superb: Apple has found the delicate balance between user experience and security, and its iOS Security guide (the November 2018 edition) is a masterclass in how to implement advanced security features, from the silicon up to the software.
Yet a number of experts, including some of those behind the PSD2 regulation, take the position that Apple's biometrics are not strong enough to serve as the inherence factor in Strong Customer Authentication (SCA). At least, that is the position in some of the guidance; other guidance takes a different view. Here are a few excerpts from recent publications:
The PSD2 Regulatory Technical Standards (RTS) on SCA are not much help in defining what counts as a strong inherence element and what doesn't:
The EBA is of the view that such elements [defining acceptable inherence factors] and specifications are too detailed for the RTS themselves and could undermine future innovation, and the need to be technology- and business-model neutral.
Here’s guidance from UK Finance, from October 2018:
A biometric on a device e.g. Touch ID on an iOS mobile phone, can act as an inherence authentication element provided the PSP is sufficiently factoring in risks.
Yet, in Accenture’s point of view from March 2018, we read:
Currently, the only RTS-compliant technologies are those that require a separate security device. Since authentication methods using a separate security device are not convenient for users, banks need to develop innovative, secure and convenient authentication methods (such as biometrics) using multi-purpose devices.
Superior customer experience
Accenture's view, then, is that Touch ID doesn't cut it as an inherence factor. So what's the argument? It appears to rest on the fact that Touch ID and Face ID are device-side credentials: the decision that you are who you say you are is taken on the phone, and only the result reaches the bank's server. That does raise a genuine concern. A server that validates the factor itself can lock the account after, say, three failed attempts, whereas a phone can be taken offline and worked on at leisure. (Apple's own design limits this too: the Secure Enclave stops accepting Touch ID or Face ID after five failed matches and demands the passcode, but the bank has no direct visibility of that.) Still, in the PSD2 journey where I want to approve a payment I've just made, and where the bank's system can time out the SCA challenge and count failed approvals itself, does it actually matter?
What else is held against it? Touch ID is also said to fall foul of the requirement that the authentication elements be independent, sometimes called "channel independence": the approval should happen on a separate channel from the payment itself. If I pay for something on my phone and approve it with Touch ID on the same phone, the possession element (the phone) and the inherence element (a fingerprint that the same phone checks) both live in one device. Someone who steals the phone, and takes my finger with it, has both factors needed to pass the SCA challenge (sorry to be so gruesome). The less gruesome version of the concern is that any compromise of that one device compromises both factors at once.
Right, let's cut to the chase. The arguments against Touch ID and Face ID have some technical grounds, but concluding that they "aren't secure enough" doesn't make practical sense. The practical question is whether a customer is more or less secure using Touch ID than using a password. Given the overwhelming case against passwords (reuse, phishing, weak choices), the answer has to be Touch ID, and a large part of the reason is the superior customer experience: a factor people actually use, every time, is worth more than a nominally stronger one they work around.
So why doesn't the regulator make this clear? Are the experts really going to maintain that Apple's biometrics aren't strong enough to count as a valid factor in SCA? Let's hope not, for our customers' sake.
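To make the "does it actually matter?" question concrete, here is an added illustration (not code from the original post, and not any bank's or Apple's implementation) of what the PSP's server can still enforce when the biometric match itself happens on the phone. The `Device` and `ScaServer` classes are hypothetical. The device-side "authentication code" is simplified to an HMAC over the payment details with a per-device key enrolled at registration; on a real iPhone the private key would live in the Secure Enclave, usable only after a Touch ID or Face ID match, and the server would hold just the public key. Either way the server side is the same: it never sees the fingerprint, it ties the code to this payment's amount and payee, it counts failed approvals itself, and it times the challenge out.

```python
"""Server-side SCA challenge for approving a payment (added example, HMAC stand-in for a Secure Enclave key)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3            # server-side cap on failed approvals per challenge
CHALLENGE_TTL_SECONDS = 60  # the challenge dies after this, whatever the phone does


@dataclass
class Challenge:
    device_id: str
    nonce: bytes
    amount: str
    payee: str
    issued_at: float
    attempts: int = 0
    state: str = "pending"   # pending | approved | locked | expired


def dynamic_link(nonce: bytes, amount: str, payee: str) -> bytes:
    """Tie the code to this nonce, amount and payee (length-prefixed to avoid ambiguity)."""
    h = hashlib.sha256()
    for part in (nonce, amount.encode(), payee.encode()):
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class Device:
    """Stand-in for the customer's phone (hypothetical class)."""

    def __init__(self, device_key: bytes):
        self._key = device_key  # assumption: shared secret; really a Secure Enclave private key

    def approve(self, nonce, amount, payee, biometric_match):
        # The match is decided on the device; without it the key is unusable and no code exists.
        if not biometric_match:
            return None
        return hmac.new(self._key, dynamic_link(nonce, amount, payee), hashlib.sha256).digest()


class ScaServer:
    """The PSP side: it never sees the fingerprint, only the resulting code."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._devices = {}     # device_id -> enrolled key
        self._challenges = {}  # challenge_id -> Challenge

    def enrol_device(self, device_id):
        key = secrets.token_bytes(32)
        self._devices[device_id] = key
        return key

    def issue_challenge(self, device_id, amount, payee):
        cid = secrets.token_hex(8)
        ch = Challenge(device_id, secrets.token_bytes(16), amount, payee, self._clock())
        self._challenges[cid] = ch
        return cid, ch.nonce

    def verify(self, cid, code):
        ch = self._challenges.get(cid)
        if ch is None:
            return "unknown"
        if ch.state != "pending":
            return ch.state            # approved/locked/expired challenges never reopen
        if self._clock() - ch.issued_at > CHALLENGE_TTL_SECONDS:
            ch.state = "expired"
            return ch.state
        expected = hmac.new(self._devices[ch.device_id],
                            dynamic_link(ch.nonce, ch.amount, ch.payee), hashlib.sha256).digest()
        if code is not None and hmac.compare_digest(code, expected):
            ch.state = "approved"
            return ch.state
        ch.attempts += 1               # the server counts failures itself
        if ch.attempts >= MAX_ATTEMPTS:
            ch.state = "locked"
            return ch.state
        return "rejected"


def run_scenarios():
    """Constructed walk-through with a fake clock; returns the server's verdict for each case."""
    now = [1_700_000_000.0]
    server = ScaServer(clock=lambda: now[0])
    phone = Device(server.enrol_device("phone-1"))
    payee = "GB00DEMO00000000000000"   # constructed IBAN
    out = {}

    # Happy path: local match on the phone, server accepts the dynamically linked code.
    cid, nonce = server.issue_challenge("phone-1", "49.99", payee)
    out["approved"] = server.verify(cid, phone.approve(nonce, "49.99", payee, True))

    # A code computed for a different amount is rejected (dynamic linking).
    cid, nonce = server.issue_challenge("phone-1", "49.99", payee)
    out["tampered"] = server.verify(cid, phone.approve(nonce, "4999.00", payee, True))

    # No local match means no code; three such tries lock the challenge server-side, for good.
    cid, nonce = server.issue_challenge("phone-1", "49.99", payee)
    out["lockout"] = [server.verify(cid, phone.approve(nonce, "49.99", payee, False)) for _ in range(3)]
    out["after_lock"] = server.verify(cid, phone.approve(nonce, "49.99", payee, True))

    # A correct code arriving after the TTL is rejected.
    cid, nonce = server.issue_challenge("phone-1", "49.99", payee)
    code = phone.approve(nonce, "49.99", payee, True)
    now[0] += CHALLENGE_TTL_SECONDS + 1
    out["expired"] = server.verify(cid, code)
    return out


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case}: {verdict}")
```

The point of the walk-through is that the offline brute-force worry is about the device's local match, while approval of the payment is still gated by a challenge the server owns: it is bound to one amount and payee, it expires, and it locks after a fixed number of bad approvals regardless of what the phone does.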
Further reading: Is open banking a threat or a customer experience upgrade?