Biometric authentication, such as retina scans, fingerprint scans and voice recognition, holds a lot of promise for identity and access management. Industry analysts laud the new technology and jostle to take the stand as the authority on the subject. But has this relatively new technology tried to run before it can walk? Andy Kemshall, Technical Director of SecurEnvoy, investigates.

Secondary authentication like facial recognition or biometric retina-vein recognition to authorise a higher value transaction... can revolutionise fraud management,’ said Andras Cser, VP Principal Analyst at Forrester, in April 2013. His peers at Gartner agree. Jackie Fenn, Vice-President and Gartner Fellow Emeritus, and Hung LeHong, Research Vice President, said in a research note: ‘Biometric authentication will enable a near-cashless world scenario.’

In May 2013, Ant Allan, Research Vice President, was similarly excited but more cautious, saying biometric authentication methods ‘promise better accountability and superior user experience, yet remain a niche choice.’

However, we need to read between the lines. All of these analysts are making predictions. They are talking about the future. No-one is recommending using biometric authentication now. It simply isn’t ready.


The gold standard for any authentication method is at least 99.9 per cent reliability. Chip and pin has it. Typing a preloaded passcode from a mobile phone has it. Biometric authentication, as yet, does not and varies between 40 per cent and 95 per cent depending on the level of security required, the latter being low security.

Two major companies in the ultra risky fields of payments and banking, PayPal and Barclays, have begun trials of biometric authentication. PayPal’s system in 12 Richmond stores is the first instance in the UK to use a customer’s photo to authorise payments.

The app for iOS, Windows OS and Android phones highlights nearby shops and restaurants that accept PayPal before the customer checks in by clicking on the required retailer and sliding an animated pin down on their screen. The customer’s name and photo then appears on the shop’s payment system and the retailer charges them by clicking on the customer’s image.

Tone of voice

Meanwhile, Barclays Wealth & Investment Management division is trying voice recognition on a portion of its customers. The system requires the customer to engage in ‘natural’ speech with a call-centre agent for 20-30 seconds until a computer can verify the voice calling against that held on file for the customer.

According to the bank, around 95 per cent of customers are verified during the first call; those that aren’t then have to go through the usual rounds of security questions on their first pet, best friend at school and so on, and so voice recognition adds to the already lengthy process. Using face or voice recognition to authenticate quick and convenient transactions in shops, cafes and banks seems ideal in our ever-busy lives.

However, in both cases there are risks that drag the reliability of the methods below the crucial 99.9 per cent line.

Visual identification

In the case of face / photo recognition, completion of the transaction relies on the shop assistant verifying the customer’s face, which could easily be subject to human error, however, using a real person is far more reliable than using a computer.

If the process is automated, there seem to be more documented cases of face-recognition failures than successes, from phone apps amusingly recognising distorted knees and other body parts as faces to the system used by the US Government, which cost millions of dollars but failed to pick out the Boston bombers.

Voice recognition is not new, and, like face recognition, is still in its infancy. We are not even yet at the stage where computers can reliably recognise what we’re saying, let alone who is saying it. The 99.9 per cent reliability is at least a decade away.


Fingerprint authentication is currently the biometric technology that is the closest to becoming a mainstream authentication method for businesses and consumers alike. Apple has already introduced fingerprint scanning technology as an authentication method on its new device, which, if combined with, say, a two-factor software token app, will represent the final death blow to traditional standalone hardware authentication tokens.

Apple’s decision will secure the use of mobile phones as authentication devices even further as fingerprint scanning effectively adds a third factor of security as it ‘locks’ the authenticate token (in this case, the iPhone) to the user, therefore protecting that token device if it is stolen. It looks like Apple’s influence in the market means this level of security will no doubt become standard across all devices.

While we welcome the extra protection from Apple, from a social side, people are still wary of authentication methods that involve their own body parts. Perhaps as a result of James Bond-esq movies in which, if a terrorist wants to use someone’s fingerprint, they might just take the whole finger! It is difficult to imagine a day when the public would be happy to put themselves in this position for the sake of their job.

Two factor authentication

The foundation of secure authentication is the identity of the user:- the real user must match the digital representation of the user; essentially, the right person needs to be accessing the right digital information. Two-factor authentication using mobile phones to authenticate processes such as payments and banking remains the way forward.

This uses two factors - first, something we own: a mobile device; second, something we know: a PIN. The mobile phone replaces something like a card reader and smart card, which is easy to misplace and less likely to be carried around at all times. Using technology within a device already owned by the individual, such as a preloaded short message service (SMS) or soft-token app authentication through mobile phones, is a more secure and cost effective method for organisations. It has a higher reliability rate and is far less prone to faults or replication from unwanted users trying to access an individual’s details.


SMS technology turns any mobile into an authentication device and is currently the most novel and effective solution. Combining this with end-user choice of an app means the user is in control and mitigates the need for a help desk.

This means the solution is as hassle-free as a password, but doubly secure. By contrast, face and voice recognition are only just learning to stand without falling over. We know not to run before we can walk first; and two-factor authentication currently stands on the firmest ground there is.