Picking up on one of the points made in the debate
this week about identity and authentication, namely that it is the government’s
responsibility to manage identities: I was kind of surprised by this
view. This view stated that banks have no control over identities
because governments issue identities in the form of passports, driving
licences and social security numbers. Therefore, it is the government’s
role to protect identity and ensure that unique identities are provided
This was called a ‘cop-out’ during the debate, namely that we are
abrogating our responsibilities if we think that it is governments who
should manage identities. I think there is a more important point
being made here.
If it is the government’s responsibility to issue identities, is it
also the government’s responsibility to manage those identities? As
most governments, especially the UK’s, seem more leaky than a rusty
bucket when it comes to data protection, should they really manage our
If not governments, then who? Banks? Corporates? Citizens?
Equally, if governments are responsible for issuing identities, then
we will very soon be dealing with a full-scale rollout of biometric
After all, most Asian, European and American government agencies are
now issuing biometric identities. Biometric passports and identity
cards are proliferating everywhere.
Go into Hong Kong and the government identity card, in play since 2003, is biometrically based.
Fly into America and stick your finger up at George Bush, as well as
your thumbs, hand and face. All are captured by immigration as
foreigners move across their borders.
Fly through Europe these days and many airports allow you to sign up
for iris recognition programmes to speed you through the customs hall.
Soon, all of these developments will come together in biometric
passport, identity card and driving licence standards, to try to prevent
forged or stolen documents being used as identity.
And, as these developments occur, all banks will start to accept biometrics as identity for authentication.
In fact, I am amazed we are not seeing this today.
Sure, I’ve seen major roll-outs of fingerprint banking systems in
some countries – Mexico, India and Indonesia in particular – but this
is because most citizens in those countries do not have
government-issued identities. They don’t have passports or driving licences,
therefore the banks take it upon themselves to issue identities, in the
form of biometric bank debit and credit cards.
Just look at Grupo Mello, ICICI Bank and Bank Danone in each of
these countries (Mexico, India and Indonesia respectively) and they are
all using fingerprints for identity management, as it is the easiest
way to manage and secure authentication. And they are doing this in a
mass, scalable and proven system.
Grupo Mello in Mexico, for example, manage over 8 million biometric
accounts and hundreds of thousands of fingerprint-authenticated
transactions each day.
But in developed economies, biometric banking is completely missing today.
The nearest you get is the full-scale rollout of palm-reading ATMs in Japan.
These ATMs don’t read palms by saying: “I predict you will be coming
into some money”, but they do identify the unique vein pattern every
human has running through their hands. The blood and veins in your palm
therefore form a unique and accurate recognition system.
These ATMs have been rolled out by Hitachi and Fujitsu in some
numbers, and are generally accepted across Japanese society. The only
prohibiting factor for other economies – America and Europe
specifically – is the cost of such systems.
But biometric banking is coming.
Alongside mother’s maiden names, PINs, signatures, cards, key fobs,
watches and whatever else you happen to have with you, your bank will
soon want to check your eyeballs, face, fingers or other data to
authenticate the transaction.
This means we will move from something you know and something you have, to something you are.
This triangulation of authentication – what you know, have and are – will combine to tighten the grip against fraudsters.
One day, within five years, most customers will stick their fingers
up at their banks to authenticate as happily as they do today to
demonstrate their unhappiness.
Just keep your finger on the pulse and watch that space.
Postnote: I have heard all the arguments against
biometrics – they cut your hands off, they force you at gunpoint to the
ATM, they pick your eyes out like Minority Report etc. These
fears have been proven true in early trials in some countries, such as
South Africa and Brazil, but by recognising that a hand is alive, by using
latent fingerprints or by using CCTV at the ATM, you manage these
issues such that these behaviours are minimised over time.