ING Direct Canada is currently piloting facial recognition for authentication, and it's working with Computer Sciences Corporation on the technology.
The user thinks he or she is taking a single picture with the mobile device, but the smartphone is actually in video mode and captures multiple frames in a short period of time. An algorithm then looks for a "likeness" across the frames being captured.
"At the end of the day we are focusing on four things: something you have, which is the computing device, something you know, which is your PIN, something you are, which is your face, and somewhere you are, which is your GPS location," Kithulegoda says.
He says the smartphone's geolocation function confirms that the device is at the point of sale, or within a reasonable distance of the point of login.
LAYERED APPROACH AT PAYPAL
PayPal is similar to a lot of the companies that we spoke with for this article: it doesn't like passwords all that much, considers them less than safe, and is in the market for something better such as biometrics - as long as it's workable with the authentication systems used by its partners, which is the current challenge.
"The short answer is yes, we're interested in biometrics at PayPal. We don't have anything that I can announce, but we're interested," says Michael Barrett, chief information security officer for PayPal.
PayPal offers a range of layered authentication options right now, with the newer additions designed to augment password identification.
The PayPal Security Key generates random, short-lived security codes that protect the account at login. It comes in two forms: a credit-card-sized hardware key that displays a unique security code, and a mobile phone security key that delivers codes by text message. PayPal's security also includes email authentication, in which the company identifies itself through an Iconix app that shows a gold lock with a check mark next to the sender's logo on genuine PayPal emails. PayPal has long offered security tokens that generate a new number every 30 seconds, which is required at registration. The idea is that if the number is stolen, a crook can only use it for 30 seconds.
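The 30-second rotating code described above is the time-based one-time password scheme standardized in RFC 6238: the HOTP construction of RFC 4226, keyed by the current 30-second time step. The Python below is an added example, not PayPal's code or part of the original article. It implements the algorithm and adds the two checks a verifying server needs: a small clock-skew window, and rejection of any time step already redeemed, so that a captured code cannot be replayed even inside its 30-second window. The secret is the RFC 4226 test-vector key, and `verify_totp`, `last_counter` and `skew_steps` are this example's own names. One caveat the 30-second window does not cover: a code relayed to the real site in real time, within that window, is still valid.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 test-vector secret (ASCII "12345678901234567890"). A real token
# holds a random per-user secret provisioned into the device at enrollment.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // STEP_SECONDS), digits)


def verify_totp(secret: bytes, code: str, at_time: float, last_counter: int = -1,
                skew_steps: int = 1, digits: int = 6) -> Optional[int]:
    """Return the time step that `code` matched, or None if it is rejected.

    Codes from `skew_steps` steps on either side of the server clock are
    accepted (tolerating clock drift and network delay), but never a step at
    or below `last_counter`, the highest step this user has already redeemed.
    The caller persists the returned step; that makes each code one-time even
    inside its validity window."""
    current = int(at_time // STEP_SECONDS)
    for step in range(current - skew_steps, current + skew_steps + 1):
        if step <= last_counter:
            continue  # already used (or older than a used code): replay
        # compare_digest avoids leaking the matching prefix through timing
        if hmac.compare_digest(hotp(secret, step, digits), code):
            return step
    return None


if __name__ == "__main__":
    code = totp(SECRET, at_time=59)  # time step 1
    print("code at t=59:", code)
    print("accepted at t=60:", verify_totp(SECRET, code, at_time=60))
    print("replay at t=60, step 1 already used:",
          verify_totp(SECRET, code, at_time=60, last_counter=1))
    print("stale at t=120:", verify_totp(SECRET, code, at_time=120))
```

The skew window is a trade-off: widening it to tolerate badly drifting token clocks also lengthens the time a phished code stays valid, which is why the replay check on `last_counter` matters even when the window is only one step.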
But it's always looking to improve the ID system. "From our customer's perspective, when you zoom out to the highest level, they want a solution that's easy to use and secure. People on the IT end tend to say if ID authentication is easy to use on one end it's less secure on the other. Many of the classic two-factor solutions [add friction] to the registration process and we don't subscribe to the model," Barrett says.
When it comes to handicapping biometric options or picking an entirely new way to authenticate users in the future, Barrett says it's hard to pick a winner at this point, given the proliferation of companies that offer them. He has a staffer on his team who is responsible for tracking leaders and laggards in the authentication space.
"If you looked at 2005 or 2006, there were about 20 vendors in the space. That number has gone up by 10 to 12 per year, so we're now over 100 vendors," Barrett says.
That growth is part of the problem with replacing passwords. If you think telecoms, banks and handset manufacturers each having their own mobile payment technology causes interoperability problems, consider the lack of standards or best practices across 100 competing biometric companies, many of which have existed for less than ten years.
"They are all for the most part reasonable solutions, but they are so fragmented. There are a hundred solutions, none of which are interoperable with each other. It's a horrible market right now," Barrett says.
For the shorter term, Barrett sees promise in TPM chips (the Trusted Platform Module, a hardware component that protects cryptographic keys and provides a random number generator) that consumers can lock with a PIN. Entering the right PIN unlocks the TPM chip, which then opens access to the fingerprint readers, cameras for video recognition and other biometric sensors embedded in many newer PCs and mobile devices.
"I have an iPhone in front of me. How many sensors are on it? Counting them up, I have 16. If a phone has that many sensors on it, you can do a lot in terms of determining if the user really is who he or she says there are," Barrett says.
These sensors also supply geolocation and other clues that inform a profile of the person logging into the company's site, clues that can trigger fewer or more layers of authentication, whether in the form of biometrics or something more traditional like a challenge question.
"There is a ton of contextual information around users' behavior patterns, such as 'what location are they logging in from, and is that similar to locations for other transactions?'" Barrett says, adding that can provide red flags for added authentication for some transactions, while allowing others to go forward with less intrusion.
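The contextual signals Barrett describes, and the geolocation check ING Direct describes earlier in the piece (the device must be at or within a reasonable distance of the point of login), are what a risk-based authentication engine turns into a decision about how many factors to demand. The Python below is an added example, not code from PayPal, ING Direct or the original article. It scores a login against the user's history using three signals (an unrecognized device, distance from the previous login, and "impossible travel", meaning the speed implied between the two logins exceeds what an airliner could cover) and maps the result to the list of factors the user must present. The thresholds, the `LoginAttempt` and `UserHistory` records, the step-up policy and the sample Toronto history are all assumptions for illustration.

```python
import math
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    lat: float
    lon: float
    device_id: str
    timestamp: int  # seconds since the Unix epoch


@dataclass
class UserHistory:
    known_devices: Set[str]
    last_lat: float
    last_lon: float
    last_timestamp: int


# Constructed sample history: alice last logged in from Toronto on her usual phone.
HISTORY = UserHistory(known_devices={"phone-A"}, last_lat=43.65, last_lon=-79.38,
                      last_timestamp=1_700_000_000)

NEAR_KM = 50.0         # assumed "reasonable distance" from the previous location
MAX_SPEED_KMH = 900.0  # assumed ceiling; faster than this between logins is implausible


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def risk_reasons(attempt: LoginAttempt, history: UserHistory) -> List[str]:
    """Collect the red flags this attempt raises against the user's history."""
    reasons = []
    if attempt.device_id not in history.known_devices:
        reasons.append("unknown device")
    dist = haversine_km(history.last_lat, history.last_lon, attempt.lat, attempt.lon)
    if dist > NEAR_KM:
        reasons.append("far from last login")
    # Floor the elapsed time at one second so back-to-back logins cannot divide by zero.
    hours = max(attempt.timestamp - history.last_timestamp, 1) / 3600.0
    if dist / hours > MAX_SPEED_KMH:
        reasons.append("impossible travel")
    return reasons


def required_factors(reasons: List[str]) -> List[str]:
    """Step-up policy: more red flags, more factors (assumed policy, not PayPal's)."""
    if "impossible travel" in reasons:
        return ["password", "one-time code", "face"]
    if reasons:
        return ["password", "one-time code"]
    return ["password"]


def assess(attempt: LoginAttempt, history: UserHistory) -> Tuple[List[str], List[str]]:
    reasons = risk_reasons(attempt, history)
    return required_factors(reasons), reasons


if __name__ == "__main__":
    t0 = HISTORY.last_timestamp
    samples = [  # constructed login attempts
        LoginAttempt("alice", 43.70, -79.40, "phone-A", t0 + 3600),        # Toronto, same phone
        LoginAttempt("alice", 43.70, -79.40, "laptop-new", t0 + 86400),    # Toronto, new device
        LoginAttempt("alice", 51.51, -0.13, "phone-A", t0 + 10 * 3600),    # London 10 h later
        LoginAttempt("alice", 49.28, -123.12, "phone-A", t0 + 2 * 3600),   # Vancouver 2 h later
    ]
    for s in samples:
        factors, why = assess(s, HISTORY)
        print(f"({s.lat}, {s.lon}) on {s.device_id}: require {factors}; reasons {why}")
```

The London case shows why distance alone is a weak signal: a known device logging in 5,700 km away ten hours later is consistent with a flight and earns only a one-time-code step-up, whereas the Vancouver login two hours after Toronto implies roughly 1,700 km/h and is flagged as impossible travel.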