Certain transactions still require secondary passcodes

Feb 18, 2015 15:58 GMT

Authentication based on fingerprint recognition technology has been implemented by two banks in the UK for iPhone users, in hopes of minimizing the risk of unauthorized logins.

The feature works with the iPhone 5S, 6 and 6 Plus. Once activated, no additional authentication information is required for certain operations, since the login relies on the Touch ID technology Apple built into these devices.

Biometric technology does not replace passcodes

The two banks taking this bold step, RBS and NatWest, are both part of the Royal Bank of Scotland Group. They told the BBC that about 880,000 of their customers use the mobile banking apps on these devices for online banking.

Touch ID was introduced in the iPhone 5S and refined in subsequent versions of the device, but security experts have warned since it became available that flaws exist which would allow a malicious actor to bypass the technology.

The additional security codes needed to complete certain transactions, such as one-time passwords (OTP) generated for two-factor authentication (2FA), have not been eliminated, though.

Fingerprints are more exposed than a password or a 2FA code that expires after a predefined period of time, simply because they can be captured both in the physical world and online.

Fingerprints can be created from photos

In late December last year, at the Chaos Computer Club hacker conference in Hamburg, security researcher Jan Krissler explained how fingerprints can be recreated without having to interact with the target or collecting the biometric information from objects they touched.

He said the feat could be achieved by feeding multiple images of the victim’s fingers to VeriFinger, a consumer fingerprint identification software that relies on a powerful algorithm with high accuracy in detecting the characteristics of a fingerprint.

Krissler’s example at the conference was German Defense Minister Ursula von der Leyen, whose fingerprint was recreated from images at various press conferences.

RBS and NatWest have taken some security measures to make sure that access is granted only to the rightful owner of the account. If three login attempts fail, the user has to enter the authentication password. The additional codes are still required for some transactions, and limits have been set for new payments.
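The policy these measures describe, sketched in Python as an added example. This is not the banks' or Apple's code: the three-failure fallback from Touch ID to the password, the step-up to a time-limited 2FA code for certain transactions, and a payment limit all follow the article, while the limit amount, the OTP lifetime and the session structure are assumptions made for illustration.

```python
"""Step-up authentication policy modelled on the article's description.

Added example, not the code of RBS, NatWest or Apple. The three-failure
fallback and the step-up to a 2FA code come from the article; the payment
limit, OTP lifetime and session fields are assumed for illustration.
"""
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_BIOMETRIC_FAILURES = 3      # from the article: three failed attempts force the password
NEW_PAYEE_LIMIT = 250.00        # assumed value; the article only says limits exist
OTP_TTL_SECONDS = 300           # assumed lifetime of the one-time code


@dataclass
class Session:
    biometric_failures: int = 0
    authenticated: bool = False
    method: Optional[str] = None    # "touch_id" or "password"
    biometric_locked: bool = False  # set once the biometric factor is exhausted


class AuthPolicy:
    """Decides which factor is required at login and before a transaction."""

    def login_with_biometric(self, session: Session, matched: bool) -> str:
        # Once locked, the biometric factor is no longer accepted at all.
        if session.biometric_locked:
            return "password_required"
        if matched:
            session.authenticated = True
            session.method = "touch_id"
            session.biometric_failures = 0
            return "authenticated"
        session.biometric_failures += 1
        if session.biometric_failures >= MAX_BIOMETRIC_FAILURES:
            session.biometric_locked = True     # fall back to the knowledge factor
            return "password_required"
        return "retry"

    def login_with_password(self, session: Session, password_ok: bool) -> str:
        if password_ok:
            session.authenticated = True
            session.method = "password"
            session.biometric_failures = 0
            session.biometric_locked = False    # a good password re-enables Touch ID
            return "authenticated"
        return "rejected"

    def transaction_requirement(self, session: Session, amount: float,
                                new_payee: bool) -> str:
        """Biometric login alone never authorises a payment to a new payee:
        the time-limited 2FA code is still demanded, and the amount is capped."""
        if not session.authenticated:
            return "login_required"
        if new_payee and amount > NEW_PAYEE_LIMIT:
            return "blocked_over_limit"
        if new_payee:
            return "otp_required"
        return "allowed"

    def complete_with_otp(self, issued_code: str, issued_at: float,
                          supplied_code: str, now: float) -> str:
        """Checks the step-up code; an expired code is rejected before comparison."""
        if now - issued_at > OTP_TTL_SECONDS:
            return "otp_expired"
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(issued_code, supplied_code):
            return "otp_rejected"
        return "allowed"


if __name__ == "__main__":
    policy, session = AuthPolicy(), Session()
    for _ in range(3):
        print(policy.login_with_biometric(session, matched=False))
    print(policy.login_with_password(session, password_ok=True))
    print(policy.transaction_requirement(session, 100.0, new_payee=True))
    print(policy.complete_with_otp("482913", issued_at=0.0,
                                   supplied_code="482913", now=120.0))
```

The point of the structure is that the biometric factor only ever unlocks the session; the decision to demand a second, expiring factor is made per transaction, so a spoofed fingerprint on its own cannot move money to a new payee.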