Mobile is the authentication tool

The more I think about mobile as an authentication tool, the more attractive it becomes.

First, you can geolocate customers using mobile. XYVerify does this using telco masts, rather than mobile devices, as it can then use an independent verification mechanism to determine whether you really have your phone with you. This is the sort of tool that we are already seeing being used in some locations for determining if the customer at the ATM really is the customer, by checking they have their mobile with them.

Second, you can authenticate who the customer is interactively using One Time Passwords (OTP) by text messaging. Again, used by some banks, an interactive text or app-based OTP process means that the mobile can offer a great second level authentication tool.

Third, you can check it’s really who you think it is using mobile biometrics, and this is the biggest growth area.

A while ago, Bank Intesa in Spain was using mobile apps for iris recognition.  Nick Ogden, the founder of WorldPay, has created Voice Commerce to offer voice verification by mobile.  Apple has launched the iPhone 5S and 5C with mobile fingerprint authentication.  Meanwhile, my favourite authentication is Nymi by Biomix, a watchstrap that uses your heartbeat as verification.

The reason the latter is my favourite is that mobile is rapidly moving from devices to wearables, and so we will soon have mobile chips embedded in jewellery, watches, handbags, shoes and fashion items. Yes, it’s back to the internet of things, but it goes beyond the internet of things to the knowledge of everything.

Intellisensing and locating customers and verifying and authenticating them through the internet of things will become the norm.

It will be the case of knowing who is where doing what in real-time, and being able to check it is who you think it is without forcing an action – a token or PIN being activated – but by sensing it is who you think it is through the network.

We are very near to this today and getting nearer every day, so let’s stop worrying about fraud and risk with mobiles and start thinking far more about fraud and risk minimisation with mobiles.

That’s far more constructive and creative.

About Chris M Skinner

Chris Skinner is best known as an independent commentator on the financial markets through his blog, the Finanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal’s Financial News.

  • Again Amen,
    The phone is the single greatest thing to happen to Fraud PREVENTION since someone invented a safe.
    To add to your list, you also have the camera for facial recognition, voice biometrics, the device itself (IMEI, DeviceID, Device Fingerprint). Things like Trusted Zone from ARM becoming standard…
    The people who develop the mobile apps need to think about how to use these to combine a strong user experience and improve fraud prevention. Fraud prevention has been lazy in my view, and turns into business prevention.
    +1 for getting more creative!

  • Paul

    Maximally unknown dynamic assemblies of behavio- and biometrics are the likely next step. Main challenge is transferable rights and multiple personas/avatars.

  • George Raad

    Very interesting conversation, which I am very familiar with. My company has developed the World’s smallest GPS Wristband with all the functions of a smart phone. I do not want this post to sound like some kind of a cheap sales pitch, however, we are advancing the use of Mobile Communications in a way that will revolutionize the industry. We are months away from releasing the Plasma Phone. What is it? It is a fully operational Wearable Mobile Network that communicates via GSM Networks around the world. The greatest advantage is this device has absolutely no plastic and is fully conformable to anyone, It Is Liquid!! This device ensures security for the highest levels. It can be used as a geolocator, Fingerprint Verifier, heartbeat monitor even retina scanning. It has 2 way voice communication abilities and your conversations are always kept private via a RF earpiece that is placed BEHIND the ear not in the ear. Watch for it in the coming Months. I am very open to answering any questions anyone has and explaining this technology in greater detail.

  • Hugh

    Agreed, this is constructive. It’s useful to know where the customer is and be able to enforce elevated authentication, but I don’t believe it’s the complete answer as it overlooks an important point about mobile malware.
    Depending on the specific technology (e.g. Android vs iOS vs WinPhone) smartphones and other mobile devices are susceptible (and the target of) online banking malware. Cyber criminals make a lot of money from online banking fraud and are focussing significant effort on developing this malware.
    Just like banking malware on traditional PCs, mobile malware is capable of keylogging, initiating transactions without the customer’s knowledge and intercepting text messages to authenticate fraudulent transactions. There are publicly reported losses of about £30M across many European banks in the second half of 2012 (just search for malware known as ‘Eurograbber’). Right now there doesn’t seem to be a reliable way to confirm that a device isn’t compromised.
    So in short you can’t just rely on authenticating the mobile device or even authenticating the customer – you also need to consider authenticating the specific transaction, preferably using some method that can’t be influenced by malware on a compromised mobile device. The key seems to be making this more customer-friendly than a separate token or whatever.
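
The distinction drawn in the last comment above, between authenticating the customer and authenticating the specific transaction, is shown in this added example, which is not part of the original post or its comments. `session_otp` is standard HOTP (RFC 4226); `transaction_code`, the key, payee names and amounts are constructed for illustration, and the scheme assumes the customer sees the payment details and computes the code on something a compromised phone cannot influence.

```python
import hashlib
import hmac
import struct

def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC into a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def session_otp(key: bytes, counter: int) -> str:
    """HOTP (RFC 4226): proves possession of the key, says nothing about the payment."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, 6)

def transaction_code(key: bytes, counter: int, payee: str, amount_pence: int) -> str:
    """Hypothetical scheme: the code also covers the payee and amount the customer saw."""
    msg = struct.pack(">Q", counter) + f"|{payee}|{amount_pence}".encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), 8)

def bank_checks_session(key, counter, code) -> bool:
    return hmac.compare_digest(session_otp(key, counter), code)

def bank_checks_transaction(key, counter, payee, amount_pence, code) -> bool:
    expected = transaction_code(key, counter, payee, amount_pence)
    return hmac.compare_digest(expected, code)

def demo():
    key = b"12345678901234567890"          # constructed shared secret (RFC 4226 test key)
    intended = ("ACME-UTILITIES", 5000)    # what the customer means to pay (constructed)
    submitted = ("UNKNOWN-PAYEE", 950000)  # what a compromised app sends instead (constructed)

    # Session OTP: the bank never learns what the customer thought they approved.
    otp_ok = bank_checks_session(key, 1, session_otp(key, 1))

    # Transaction code computed over the details the customer saw on a trusted display.
    code = transaction_code(key, 1, *intended)
    altered_ok = bank_checks_transaction(key, 1, *submitted, code)
    genuine_ok = bank_checks_transaction(key, 1, *intended, code)
    return otp_ok, altered_ok, genuine_ok

if __name__ == "__main__":
    print(demo())
```

The session OTP verifies whatever payment is submitted alongside it, while the transaction-bound code only verifies for the payee and amount it was computed over.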