Picking up on one of the points made in the debate this week about identity and authentication, namely that it is the government’s responsibility to manage identities, I was kind of surprised by this view. This view stated that banks have no control over identities because governments issue identities in the form of passports, driving licences and social security numbers. Therefore, it is the government’s role to protect identity and ensure that unique identities are provided to citizens.
This was called a ‘cop-out’ during the debate, namely that we are abrogating our responsibilities if we think that it is governments who should manage identities. I think there is a more important point being made here.
If it is the government’s responsibility to issue identities, is it also the government’s responsibility to manage those identities? As most governments, especially the UK’s, seem more leaky than a rusty bucket when it comes to data protection, should they really manage our unique identities?
If not governments, then who? Banks? Corporates? Citizens?
Equally, if governments are responsible for issuing identities, then we will very soon be dealing with a full-scale rollout of biometric banking.
After all, most Asian, European and American government agencies are now issuing biometric identities. Biometric passports and identity cards are proliferating everywhere.
Go into Hong Kong and the government identity card that has been in play since 2003 has been biometrically based.
Fly into America and stick your finger up at George Bush, as well as your thumbs, hand and face. All are captured by immigration as foreigners move across their borders.
Fly through Europe these days and many airports allow you to sign up for iris recognition programmes to speed you through the customs hall.
Soon, all of these developments will come together for biometric passports, identity cards and driving licence standards to try to avoid forged or stolen documents being used as identity.
And, as these developments occur, all banks will start to accept biometrics as identity for authentication.
In fact, I am amazed we are not seeing this today.
Sure, I’ve seen major roll-out of fingerprint banking systems in some countries – Mexico, India and Indonesia in particular – but this is because most citizens in those countries do not have government issued identities. They don’t have passports or driving licences, therefore the banks take it upon themselves to issue identities, in the form of biometric bank debit and credit cards.
Just look at Grupo Mello, ICICI Bank and Bank Danone in each of these countries (Mexico, India and Indonesia respectively) and they are all using fingerprints for identity management, as it is the easiest way to manage and secure authentication. And they are doing this in a mass, scalable and proven system.
Grupo Mello in Mexico, for example, manages over 8 million biometric accounts and hundreds of thousands of fingerprint-authenticated transactions each day.
But in developed economies, biometric banking is completely missing today.
The nearest you get is the full-scale rollout of palm-reading ATMs in Japan.
These ATMs don’t read palms by saying: “I predict you will be coming into some money”, but they do identify the unique vein pattern every human has running through their hands. The blood and veins in your palm therefore form a unique and accurate recognition system.
These ATMs have been rolled out by Hitachi and Fujitsu in some numbers, and are generally accepted across Japanese society. The only prohibiting factor for other economies – America and Europe specifically – is the cost of such systems.
But biometric banking is coming.
Alongside mother’s maiden names, PINs, signatures, cards, key fobs, watches and whatever else you happen to have with you, your bank will soon want to check your eyeballs, face, fingers or other data to authenticate the transaction.
This means we will move from something you know and something you have, to something you are.
This triangulation of authentication – what you know, have and are – will combine to tighten the grip against fraudsters.
One day, within five years, most customers will stick their fingers up at their banks to authenticate as happily as they do today to demonstrate their unhappiness.
Just keep your finger on the pulse and watch that space.
Postnote: I have heard all the arguments against biometrics – they cut your hands off, they force you at gunpoint to the ATM, they pick your eyes out like Minority Report etc. These fears have been proven true in early trials in some countries, such as South Africa and Brazil, but by recognising a hand is alive by using latent fingerprints or by using CCTV at the ATM, you manage these issues such that these behaviours are minimised over time.

In some countries, maybe, but governments can't force anything that banks can't deliver, and retail banks don't exactly take the lead in the implementation of new technology.
UK banks in particular have been abysmally slow in this respect. In fact, any significant change to their retail services infrastructure is so uncomfortable for UK banks that they'll openly fight it via the courts (high fees to customers) and the competition commission (failure to process electronic payments faster than cheques).
On that basis, I'd say that almost everything else would be achievable using biometrics before banking would be.
Posted by: Simon Deane-Johns | June 14, 2008 at 12:26 AM