Banks Reject Apple's Face ID. Should You?

Face ID Online Banking

Last year, when Apple introduced Face ID with the iPhone X, the Silicon Valley giant had to convince everybody that the new biometric authentication system is very secure. Experts from the company put together technical papers and presentations, explaining how the front-facing camera uses infrared light to ensure that all the facial features are where they are supposed to be. They said that it works under a variety of conditions and used figures to illustrate how much better Face ID is compared to Touch ID, its predecessor. Apparently, 1 in 50,000 fingerprints might be able to fool the reader on older iDevices. By contrast, Apple said that the odds of successfully deceiving Face ID sit at about 1 to 1,000,000 (the chances of a twin cracking it are more substantial, but Cupertino's people still insist that it's unlikely).

Software developers and financial institutions deemed this good enough, and soon, online banking apps, which had already been fitted with Touch ID functionality, started supporting Face ID. People all over the world are now used to the convenience of logging in to their accounts and processing payments via biometric data only. In about ten months' time, European users will need to change their habits a bit.

EU: "Biometric authentication on its own isn't good enough."

On September 14, 2019, the European Union will complete the implementation of the second incarnation of the Payment Service Directive. Known as PSD 2, the directive is supposed to regulate the way financial organizations and payment processors in the EU handle online transactions.

According to it, people will no longer be able to log in and process payments solely through the biometric authentication system on their device. After PSD 2, there will be a second step during the authorization process which should, in theory, give users an additional layer of security.

Banks still have a lot of time to figure out what they're going to do to stick to the directive, but we're pretty sure that some of them are already considering their options. After all, for many organizations, the changes will probably involve a significant redesign of the whole system which, in turn, means plenty of planning and work. For the user, the transition will probably be more abrupt.

PSD 2 doesn't seem to attract a lot of media attention, and Mark Curran, director of payments and open banking at Clydesdale and Yorkshire Bank, told Forbes that the majority of people will likely be quite surprised when one day, their banking apps receive an update that makes them compliant with the new requirements. They probably won't be too happy about it, either.

One step forward, two steps back

Normally, this wouldn't be considered bad news. Effectively, with the new directive, the EU is imposing two-factor authentication (2FA) on online banking operations, and as we all know, two-factor authentication is better than single-factor authentication, right?

The details are still somewhat murky. It's unclear how the second factor will be implemented, but it's safe to say that it will either involve users' passwords or a token that is texted or generated on another device. The theory is that regardless of which option a bank chooses, the second factor will give its customers additional security. The problem is, it will also make the experience a whole lot more complicated which is very likely to frustrate users. And frustrated users make mistakes.

If they are required to enter their online banking password every time they need to manage their finances from their phones, for example, they will likely change their banking password to something fairly simple and easy to type. The other mechanism does seem to be a bit more reasonable, but it too isn't without its pitfalls.

The bigger question: "Is the whole change necessary?"

Everybody knows that it's possible to fool a fingerprint reader. We also know that, for all its clever infrared light and facial recognition software, Face ID can also be bypassed. Does that mean that an attacker is going to go after you with a fingerprint collection kit, go through all the trouble of replicating your digits or handcrafting an exact copy of your face, steal your phone, and crack the biometric authentication to siphon off all your money? For most of you, the answer is probably no.

We're not saying that banks shouldn't offer two-factor authentication. On the contrary, if regulatory organs use their powers to say that from now on, every single bank client will have 2FA as an option, that would in all likelihood be a better incentive for users to get to know it and figure out how it can help them. Putting them in a situation where they have no other choice can backfire in a spectacular way, especially when they already have a secure and convenient enough authentication mechanism.

Legislation changes like last year's GDPR do suggest that someone in Brussels is aware of the current cybersecurity problems the world is facing and is at least trying to do something about it. With PSD 2, however, they seem to have fixed something that wasn't really broken.

November 5, 2018

Leave a Reply