7.4 C
Friday, November 24, 2017
Home Tags Touch ID

Tag: Touch ID

Touch ID is a fingerprint recognition feature, designed and released by Apple Inc., and is currently available on the iPhone 5s, iPhone 6, iPhone 6 Plus, iPhone 6s, iPhone 6s Plus, iPhone SE, iPad Air 2, iPad mini 3, iPad mini 4, iPad Pro and iPad Pro 9.7

On September 19, 2015, Apple introduced the second generation Touch ID, which is twice as fast as the first generation sensor.

Apple says Touch ID is heavily integrated into iOS devices, allowing users to unlock their device, as well as make purchases in the various Apple digital media stores (iTunes Store, the App Store, iBookstore), and to authenticate Apple Pay online or in apps. On announcing the feature, Apple made it clear that the fingerprint information is stored locally in a secure enclave on the Apple A7 and later chips, rather than being stored remotely on Apple servers or in iCloud, making it very difficult for external access.

Apple says Face ID will still only have a one-in-a-million chance of failing.
The iPhone maker says its new face unlocking tech worked as intended.
Awkward ergonomics means Face ID will never be faster than a fingerprint sensor.
Bezel-free design maximizes screen space, and hides some fancy features.
Infosec researcher tells Ars new iOS update will “f-up border searches.”
Apple is offering a fast option to disable Touch ID in the next version of iOS.
Prevent your fingers from unlocking your iPhone when you're in a sticky situation.
While we’re still waiting for a fresh iPad with barely there bezels to make an appearance, Apple has returned to its roots with a new 9.7-inch model simply called iPad.

And if you had previously balked at buying an iPad Air 2 because the price was too high, you might want to take notice.Apple hasn’t technically added a new model to the iPad lineup, but it has bolstered the low end.

Gone is the aging iPad Air 2 (as well as the whole Air branding), and in its place is a new model that looks exactly the same, with a 9.7-inch retina screen, Touch ID, 32GB or 128GB of storage, and the same color choices (silver, gold, and space gray). On the inside you’ll get an A9 chip—the same one that’s in the iPhone 6s—and the usual 10-hour battery.

That’s a relatively small upgrade over the 8X chip that was in the iPad Air 2, but the difference here isn’t in performance, it’s in price.To read this article in full or to leave a comment, please click here

Passwords: A long goodbye

The campaign to eliminate passwords has been ongoing, and growing, for close to a decade.

There are even some declarations that this might be the year, or at least ought to be the year, that it happens. Don’t hold your breath.

Brett McDowell, executive director of the FIDO (Fast IDentity Online) Alliance, is as passionate an advocate of eliminating passwords as anyone. He says that day is coming, given the creation of a, “new generation of authentication technology” largely based on biometrics, and a “massive collaboration among hundreds of companies” to define standards for that technology. The goal of FIDO, a nonprofit created in 2012, is to supplant passwords with what it calls, “an open, scalable, interoperable set of mechanisms,” for secure authentication. But McDowell said last fall, and said again this past week that passwords will, “have a long tail,” that is unlikely to disappear anytime soon – certainly not this year. There are a number of reasons for that, even though the security problems with passwords are well known and well documented.

As Phil Dunkelberger, CEO of Nok Nok Labs, put it, “the username and password paradigm is fundamentally broken.
It was never designed for, and is inherently incapable of addressing, the use cases of modern society. “ Brett McDowell, executive director, FIDO Alliance And of course it is not just technology that has made it easier for attackers to compromise them. Users frequently make it ridiculously easy as well.

They use short, simple passwords that wouldn’t even take a machine to guess – like “admin,” “password,” “12345,” etc.

They continue to use the same user name and password for multiple sites, since they know they won’t be able to remember a couple dozen of them. The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords. And even if users do have somewhat rigorous passwords, far too many can still be tricked into giving them away through social engineering attacks. Yet, passwords are such an embedded part of authentication systems – most popular websites still use them – that, as McDowell said, it will take considerable time for them to disappear. Or as Scott Simkin, senior group manager, threat intelligence cloud & security subscriptions at Palo Alto Networks, put it, “We have decades of legacy systems and behavior to change, and it will take years for the industry to catch up.” Joe Fantuzzi, CEO, RiskVision Beyond that, there are at least some in the security community who say we should be careful what we wish for.

They note that cyber criminals have always found a way around every advance in security.
So while biometric credentials – fingerprints, iris scans, voice recognition etc. – are much tougher to compromise than passwords, they may not be a magic bullet.

And if attackers can find ways to steal or spoof them, those will obviously be much more difficult to change or update than a password. Indeed, there have already been multiple reports of biometric spoofing.

FireEye reported more than a year ago that fingerprint data could be stolen from Android devices made by Samsung, Huawei, and HTC because, “the fingerprint sensor on some devices is only guarded by the ‘system’ privilege instead of root, making it easier to target and quietly collect the fingerprint data of anyone who uses the sensor.” The Japan Times reported earlier this month that a team at Japan’s National Institute of Informatics (NII) found that a good digital image of people simply flashing the peace sign could result in their fingerprint data being stolen. Researchers have reported that a high-resolution image of a person’s eyes can allow an attacker to make a ”contact lens” of the iris that would pass as the real thing for authentication. And there have already been demonstrations that a manipulated recording of a person’s voice can trick authentication systems. Advocates of biometric authenticators don’t deny any of this, but say one key to their successful use is for the data from them to stay on user devices only, as is the case with Apple’s Touch ID.

As McDowell notes, one of the many problems with passwords is that they are “shared secrets” – they exist not only on users’ devices, but also have to be given to a website’s server, which then matches them with what is stored in its database. When such a server gets compromised, millions of passwords get stolen at the same time, through no fault of the user. Zohar Alon, Co-Founder and CEO of Dome9 According to McDowell, the risk of biometric spoofing is “infinitesimal” compared to that of passwords. Since the biometric credential data never leaves the device, “the attacker must steal the phone or computer even to attempt an attack,” he said. “This doesn’t scale, and is therefore not viable for financially-motivated attackers.” James Stickland, CEO of Veridium, agreed. “You can purchase a kit from China for $10 to copy and extract a fingerprint.

This has been shown to work on fingerprint sensors from Touch ID to the device used for the Indian government, and is a problem for almost all but the most expensive sensors,” he said. “But this is a problem only when an attacker has access to the user’s device, so the time window for attack is pretty low.” Of course, not all biometrics remain only on the user device.
Some, such as the fingerprints of millions of people who work, or have worked, for government or that are taken by law enforcement, will be stored on servers. Joe Fantuzzi, CEO of RiskVision, said this might lead to the same risks that plague the healthcare industry, because of its storage of patient data. “Incorporating customer biometric information will essentially make all companies lucrative targets for attacks and ransomware,” he said. But those advocating the “death” of passwords say the other key to secure authentication is what security professionals have been preaching for years: multi-factor authentication. In other words, they are not trying to mandate that biometrics be the sole replacement for passwords.

Dunkelberger, who said the FIDO Alliance is using the authentication technology his firm created, said the core idea, “isn’t to replace passwords with biometrics, but rather to replace passwords with a strong, secure signal of any kind.” McDowell agreed. He said many FIDO implementations do use biometrics for authentication, but that the specifications are “technology agnostic.” It is implementers, he said, who decide what mechanisms it will support.
It could be, “a local PIN code for user verification vs. biometrics if you prefer.” He said FIDO specifications, “allow the use of authenticators built into a device, such as biometrics or a PIN, and/or external, second-factor authenticators, such as a token or a wearable.” The message from Stickland is similar. “The only current defense is multifactor authentication, using two or more biometrics – for example, fingerprint and face, or voice.

At the very least fingerprint plus a long, randomized PIN would be good.” He said his firm created an authentication tool that, “uses a combination of hardware, secure certificates, biometrics, and other information to validate not only the biometric, but every communication between a remote device and a server, basically verifying that not only is the user valid, but the hardware the user is using is also valid.” Simkin also said multifactor authentication, “of which there are many options available today,” should be used, “for all critical resources and applications.

The more time and resources you require attackers to expend, the lower the chances of a successful breach.” Stephen Stuut, CEO of Jumio, said organizations will still have to balance security with convenience, since “friction” in the process of signing on to a site may cause users simply to give up on it. “Companies should focus less on one single technology but rather on the correct combination that meets their business requirements and customer needs,” he said. “Adding too many steps to the process may increase session abandonment, especially on mobile, where attention spans are short.” All of which sounds like, passwords could for some time remain as a part of multi-factor authentication: Something you know, something you have and something you are. Zohar Alon, Co-Founder and CEO of Dome9, said he doesn’t think they will ever disappear. “They remain one of the simplest means of proving identity and gaining access,” he said. “We can design better security with multiple factors of authentication and authorization that are not correlated with each other, that cannot be compromised all at once.” But Stickland said he believes they will eventually become obsolete. “Passwords are painful. We forget them, they are stolen, it’s time consuming to reset them.

At some point, new technology will win.” This story, "Passwords: A long goodbye" was originally published by CSO.

So, you've installed a password manager and replaced all of your lame and duplicate passwords with strong, unguessable ones.

That's a good start. Now you need to think about what protects that treasure trove of stored passwords.

A lone master password just isn't enough. You need additional authentication factors to keep those passwords secure.

True Key by Intel Security (2017) places more emphasis on multi-factor authentication than just about any competitor, and it works across Windows, macOS, Android, and iOS.

You can install True Key and use it completely without cost, if you don't need to store more than 15 passwords. Once you hit that limit, you must pay $19.99 per year, which isn't bad.
Sticky Password costs $29.99 per year; Dashlane and LogMeOnce go for $39.99 per year.

At $12 per year, LastPass 4.0 Premium costs less than True Key, but not by a huge amount.

Easy Start

Anybody can go to the True Key website, download the app, and start using it immediately.

During the process, you do have to create a master password of at least eight characters. You're encouraged, but not forced, to either use all character sets or create a lengthy passphrase, with spaces permitted.

Once the app is installed, it prompts you to install browser extensions for Chrome, Internet Explorer, and (new since my last review) Firefox.

An extension for Microsoft Edge is available, but it must be installed directly from the Store.

For Chrome, Firefox, and Internet Explorer, the extension communicates with the True Key app.

Edge doesn't permit that, so the Edge extension is basically a recreation of the app itself.

True Key works hard to ease you into password management.
It starts by displaying a list of over two dozen popular websites and encouraging you to add one as a login. When you click an item, it opens that page in the browser and displays a popup explaining that all you need do is log in as usual.
Intel's app also walks you through the process of clicking a saved item to automatically revisit the site and log in.

Once you've used the product a little, it suggests that you add another authentication factor.

The PC I used for testing has a webcam, so it suggested adding facial recognition.

Basic Password Management

True Key does all of the basic password management tasks you'd expect.
It captures your credentials when you log in to secure sites, plays them back if you revisit such sites, and lets you visit and log in to a site with one click.
If you're creating a new account, it notices, and offers to generate (and save) a secure password.

By default, it creates 16-character passwords using all character types—the resulting passwords are plenty tough.

This utility doesn't just assume that every login was a success.
If its algorithm indicates a high probability that the login worked, it saves the credentials but gives you an option to never save this site, or to skip saving it once.

But if it's not sure, it instead asks you whether or not to save credentials.
It's a subtle touch, and a nice one.

Most secure websites follow the same standards for the login page, which makes the job of a password manager easier.
Some, though, go wildly off-standard. LastPass and Sticky Password Premium handle weird logins by letting you enter all the data and then capture every field on the page. LogMeOnce works from a catalog of almost 4,500 known websites.

True Key handles oddball logins in its own way.
If it can't properly capture login credentials, it sends a report to its masters at Intel for analysis.

They aim to update True Key to handle that site (both for you and for all other users) within 24 hours.

You can also import passwords stored insecurely in your browsers.
If you choose to do so, True Key clears them from the browser and turns off the browser's password capture facility.

There's also an option to import from LastPass or Dashlane 4. New since my last review, you can export True Key's data in the JSON data exchange format.

There aren't a lot of settings to worry about, but you'll definitely want to change one of them. Like Zoho Vault, RoboForm Everywhere 7, and most other password managers, True Key logs you out after a period of inactivity.

But unlike most others, the default for this period is a full week! I strongly recommend setting it to no more than 30 minutes.

Furthermore, you should note that this is a per-device setting, not global to your account.

You can save any number of free-form color-coded secure notes.

There's also a Wallet feature that lets you save address, credit card, driver's license, membership, passport, and social security number data, with appropriate data fields for each type. You can create as many of these as you want, and color-code them. However, you can't use them to fill in Web forms the way you can with LastPass, Password Boss Premium, and most for-pay password managers.

True Key sticks to the basics.
It doesn't have the actionable password strength report or automated password changing ability you find in LastPass, Dashlane, and LogMeOnce Password Management Suite Ultimate.

The company tells me that this feature is planned for the next edition. You can't categorize, group, or tag your saved logins.

There's no secure sharing of passwords, or password inheritance, either.

But what it does do, True Key does well.

Security Levels

True Key's real strength lies in its ability to use multiple factors for authentication. Right from the start, you can require both the master password and a trusted device.

Any attempt to log in from another device requires additional authentication.

For example, when I installed it on an Android device, it asked to verify using facial recognition.

You can add other factors on the My Factors page. Your trusted email account is automatically available for verification.
If you wish, you can enhance facial recognition so it requires you to turn your head from side to side.

That's so that nobody can log in using a photo of your face.

And you can require authentication using a second device, typically a mobile device.

The second device receives a request for authentication, and you simply respond by swiping, much like the Keeper DNA feature in Keeper Password Manager & Digital Vault 8.

At the default Basic security level, you choose from a subset of these possibilities. You can't deselect Trusted Device; that's a given.

To that, you add either master password or face-based authentication.
If you raise the security level to Advanced, it adds the option to use a second device.

At this level, you must choose exactly two factors besides the trusted device.
I tried choosing all three and was baffled when it wouldn't let me save my settings.

The security level and authentication choices are specific to the device you're using.
If you want to always use Advanced authentication, remember to change that setting on each new device.

If you've gone out without your second device, or if it's too dark for face recognition, never fear. You can choose to use a different factor, such as email verification. On iOS devices you can use Touch ID as a factor. New in this edition, fingerprint verification is available for certain Android devices, but only those whose fingerprint readers meet Intel's criteria for accuracy.

When you use the Edge extension, you get another option for authentication, Windows Hello.

This is the same feature that lets you log into your Windows account using face recognition, fingerprint authentication, or a PIN on a trusted device. Which of these are available depends on the capabilities of your PC. My very new but low-end Windows 10 all-in-one has a lovely camera, but not lovely enough for Windows Hello to use it.

New since my last review, True Key can use a PC-installed fingerprint reader for authentication.
It also supports Intel's RealSense camera technology, and can protect its data using Intel's SGX (Software Guard Extensions) on CPUs that support it. (Being part of Intel pays off.)

True Key doesn't attempt to pull in every possible authentication factor.

Dashlane, LastPass, and Keeper support Google Authenticator. Keeper, LogMeOnce, and Zoho Vault can send a one-time password via SMS. LastPass, LogMeOnce, and Sticky Password can modify a USB drive so it serves as an authentication factor.

But really, True Key's choices for multi-factor authentication are well thought out, and work well together.

Kill the Password!

LogMeOnce lets you create your account without ever defining a master password, using a variety of other factors instead. With oneID, you can't create a master password even if you want to; it relies strictly on authentication using a trusted device.

True Key requires a master password to get started, but you can go passwordless quite easily.

At the Basic security level, you can authenticate using your face, not a master password.
If you wisely choose Advanced, you can authenticate with face recognition and a second device.

Password managers that do rely on a master password usually offer a warning that if you forget that password, they can't help you. (That also means they can't be compelled to unlock your account for the NSA, which is a plus.) Intel can't unlock your account, or tell you the master password you forgot, but as long as you've defined enough other factors, True Key lets you authenticate with those and thereby reset the master.

If someone else tries to reset the master password, you get an email alert, with an option to lock password recovery for a day.

Three failed tries triggers that lock automatically.

Other Platforms

I did my desktop testing on Windows, but True Key is equally at home on a Mac. You won't get the option to log in with Windows Hello, of course, but other than that the experience should be almost the same.

All of the same features and abilities are available in the Android and iOS apps, but laid out appropriately for the mobile form factor. New with this edition, you can configure mobile devices to use three authentication factors. On iOS, True Key installs as a Safari share-box extension, just as LastPass and Dashlane do. On Android, it offers instant login for Opera and the native browser.

You're not likely to lose a desktop computer, but it's awfully easy to misplace a mobile device.
If someone else gets hold of your device, the multi-factor authentication system should be able prevent them from accessing it.

To make it even tougher for a thief, you can remotely remove the device from the trusted list.

Multi-Factor Maven

Every successful modern password manager syncs passwords across all your devices.

True Key by Intel Security goes a step further, involving those devices and your biometric data in the authentication process.
It's easy to set up, easy to use, and attractive.
If only it also had the advanced features that grace its competitors, it would be even better.

LogMeOnce Password Management Suite Ultimate also offers many different authentication factors, but just two at a time.
It's even more feature-packed than long-time favorite LastPass 4.0 Premium. With Dashlane 4 you get all your password management needs in a slick package that's as attractive as True Key's.

These three are our Editors' Choice commercial password manager.

But if your main concern is multi-factor authentication, True Key has them all beat.

Back to top

PCMag may earn affiliate commissions from the shopping links included on this page.

These commissions do not affect how we test, rate or review products.

To find out more, read our complete terms of use.

People these days are just as likely to place an online order from a smartphone or tablet as from a Windows or Mac computer.

That being the case, a password manager that's locked into a single device isn't much use. Recognizing that need, Trend Micro Password Manager 3.7 syncs your passwords and personal data across all of your Windows, macOS, iOS, and Android devices, with almost exactly the same appearance and functionality on all platforms.
It performs all the basic functions of a password manager, but it lacks the advanced features found in top products. You can take it for a test drive at no charge, but the free edition stores only five passwords and five secure notes.

At $14.95 per year, it's not expensive. You pay $39.99 per year for Dashlane 4.

But I do suggest taking advantage of that free, feature-limited trial to see if this is the service for you. During the installation process you must create a Trend Micro online account, or log into an existing account.
In addition to the overall account password, you must create a master password specifically for the password manager.

As always, it should be something complex that you can remember, but that nobody would guess.

Don't rely on the built-in password strength meter.

Any password of eight or more characters that includes all character types is accepted.
Something like "1Monkey!" gets the top rating for strength.
It shouldn't. Next you install the browser extensions for Chrome, Firefox, and Internet Explorer. Under Windows, this product is completely browser-centric.

The browser extension handles things like password capture and replay, and when you open the management console, it opens as a page inside your default browser. You can also log in to the console without installing the extension, perhaps when using a friend's computer. All three browsers have the built-in capacity to capture and replay passwords, but they're not as secure as an actual password manager.

Trend Micro offers to hoover up the insecure browser passwords, delete them from the browser, and turn off the browser's internal password management. Hoping to import your data from another password utility? That's not so easy.

Trend Micro only imports from LastPass 4.0 Premium. Capture and ReplayTo start using the password manager, you just log into secure sites as usual.

Trend Micro pops up a little window offering to save the credentials you've entered, with smaller links that let you skip that step once or always. LastPass, Dashlane, RoboForm Everywhere 7, and many others let you enter a friendly name for the entry at this time, and assign it to a folder. With Trend Micro, you must click a link to edit the new entry if you want to put it in a folder or choose something other than the default name. In testing, I found a number of sites for which Trend Micro simply would not capture my login credentials. LastPass, Sticky Password Premium, RoboForm, and a few others include specialized tools for handling non-standard login pages.

Trend Micro does not. When you return to one of the sites for which you captured credentials, the password manager offers to fill in that data.
If you've saved more than one set, you get to pick the one you want from a drop-down list. New in this edition, the most recently used is selected by default in that list. When you click the browser extension's toolbar button, it displays a colorful list of your saved sites. You can sort the list by name or by recent usage, with any items related to the current site automatically placed at the top.

Alternatively, each character you type in the search box narrows the displayed list to items that contain what you've typed.

And of course clicking an item navigates to the site and logs you in. Password GeneratorSince you have Trend Micro to remember passwords for you, there's no need to think up a password when you create a new account. Just let the password generator do it for you. The generator defaults to using all four character types (uppercase letters, lowercase letters, digits, and symbols), which is good. However, you should crank up the password length from its default of eight characters to at least 12, or 16, or even more. Hey, you don't have to remember the password.

Dashlane defaults to 12, and KeePass 2.34 creates 20-character passwords by default. Password DoctorGetting Trend Micro to remember all of your passwords is a good thing, but if those passwords all consist of your schnauzer's name, you've got more work to do. When you open Trend Micro's management console it displays two big stats at the top—the total number of passwords, and the number of unsafe passwords.
If the latter is non-zero, a link to the Password Doctor appears. Following that link gets you two lists, one of weak passwords and one of passwords you've used more than once.

As noted earlier, this program sets a pretty low bar for defining a strong password.
If it says your password is weak, it's really weak.

Clicking the Improve Now button logs in to the site, leaving you to make the necessary change.

The same is true of sites that use the same password. You get a more substantial security report from Dashlane's Security Dashboard or LastPass's Security Challenge.

The resulting reports list all of your passwords, with a percent-based strength rating for each.

These two products can also automatically update you to stronger passwords for many popular websites. LogMeOnce Password Management Suite Ultimate also has the ability to update passwords automatically. Web Form FillingThere's not a huge difference between filling in your credentials on a login page and filling in your address and contact details on a Web form. Like many password managers, Trend Micro lets you enter your personal details and use them to automatically fill in address, contact, and payment information. LastPass lets you define multiple identities and multiple credit card entries. With Dashlane you can define multiple entries of each data type, perhaps entering three phone numbers and four emails, for example. When you click in a field, it offers a menu of available choices.
I'm especially impressed with its handling of credit cards, which display as images using the color and bank logo you specify. RoboForm also allows multiples of all field types.

Trend Micro, by contrast, limits you to just a single profile, and a single entry for each field. When you click in a field it recognizes, it displays a button that you can click to fill the form automatically. Hovering over the button offers a preview of just which fields it can fill. New in this edition, you can turn off this feature if you don't want to see that button. To test this feature, I selected items on the Target website and went to check out as a guest, but Trend Micro didn't fill the form.

The same happened on a Walmart website, and on a site designed to test form-fill products.

Given that other products do fill in these forms, I figured that this feature wasn't working in Trend Micro. With help from my company contacts, I learned that was incorrect.

They showed me some sites where it did fill in most of the fields. My contacts confirmed that, as with filling login credentials, Trend Micro doesn't handle nonstandard forms.

Those are major retailers, however—their omission feels like an oversight.

For a sanity check, I tried those sites using LastPass and Dashlane; both of them filled the Web forms correctly. Bonus FeaturesWhen the browser extension detects that you're about to visit a known financial site, it offers to open that site in a secure browser. Presuming you accept, it captures your login credentials as always.

Thereafter, it opens the financial site in the secure browser without asking. The secure browser is based on Chrome, but doesn't support extensions other than Trend Micro, doesn't let you change settings, and offers a bare minimum of controls.

There's no Address Bar, just forward, back, refresh, zoom, and print.
It also reportedly has a feature to derail man-in-the-middle attacks, but my hacking skills aren't honed enough to put that feature to the test. You wouldn't know it without reading the documentation, but this product also comes with a Keystroke Encryption Tool.
I found it by tapping the Windows key and typing "keystroke." To use it, you type in your password, click a button to copy that password to the clipboard, and paste it into the password field before a timer runs out.
I verified that it prevented a popular keylogger from capturing keystrokes, but that same keylogger snagged the password out of the clipboard, unfortunately. Your best bet is to employ powerful antivirus software to keep the keylogger from loading in the first place. As noted, the product's interface and features are almost identical on Windows, macOS, iOS, and Android.

The Keystroke Encryption Tool is Windows-only, but that's not a big deal. Previously the mobile editions were stuck in portrait mode. Now the more-readable landscape mode is available for Android and iOS tablets.

Adding to the existing Touch ID support for iOS, fingerprint support is now available on Android as well. A Basic Password ManagerTrend Micro Password Manager 3.7 handles all the basics.
It captures passwords as you log in, plays them back when needed, and offers a browser menu of all your saved logins.
It keeps secure notes for you, and helps you fill Web forms.
It even offers a secure browser for your financial sites. On the downside, it's baffled by unusual login pages and Web forms, and it lacks advanced features such as two-factor authentication, secure credential sharing, automatic password update, and digital legacy (naming someone to inherit your passwords). If you get this password manager free as part of Trend Micro Maximum Security, by all means use it.

But if you're a paying customer, consider our Editors' Choice password manager utilities, Dashlane 4, LastPass 4.0 Premium, and Sticky Password Premium. Back to top PCMag may earn affiliate commissions from the shopping links included on this page.

These commissions do not affect how we test, rate or review products.

To find out more, read our complete terms of use.
Is that saying much, though? Brits have more faith in their banks than government agencies to roll out authentication technologies based on biometrics, according to a new survey from Visa. Consumers are nearly twice as likely to trust banks to store and keep their biometric information such as fingerprints and iris scans safe (60 per cent), than they are to trust government agencies (33 per cent). Nearly two-thirds of consumers (64 per cent) want to use biometrics as a method of payment authentication.

The growth in fingerprint authentication for mobile payments via Apple’s Touch ID technology and the like is driving increased acceptance of the technology. Consumers favour fingerprint authentication (88 per cent) as the most secure form of payment ahead of other biometric authentication options such as iris-scanning (83 per cent) and facial recognition (65 per cent). When asked whom they would trust to offer biometrics authentication as a service to confirm identity, the largest percentage selected banks (85 per cent) and payment networks (81 per cent) ahead of global online brands (70 per cent), and smartphone companies (64 per cent).

This level of trust in banks has grown significantly in the past two years, up by 20 percentage points from 65 per cent in 2014, when the Visa Biometric Payments study was first conducted. Only one in three thought government agencies could look after the data and do the job properly. “Visa is already supporting a number of institutions in the development of emerging forms of authentication,” said Kevin Jenkins, UK & Ireland managing director at Visa. “We will continue our role as an enabler of payments and will remain tech agnostic when working with banking partners to ensure that new and emerging forms of payment authentication take place securely, conveniently and discreetly.” Robert Capps, VP of business development at NuData Security, warned that physical biometrics such as fingerprints, selfies and voice authentication are far from foolproof. “Unlike passwords, physical biometrics can’t be changed.
It’s the lasting and permanent nature of physical biometric data that may have more negative impacts than passwords since, as in the OPM Breach, once these have been released into the wild, they pose a risk for the lifetime of the victim who can do nothing to change this core data,” Capps cautioned. Loss of fingerprint data is not just a theoretical concern, as several large breaches over the last couple of years have exposed fingerprint data en-masse.

As stolen data is often traded and consolidated into larger, more accurate profiles that can be re-used for a number of nefarious purposes from espionage, to identity theft, and financial fraud.
Selfies and voice biometrics have contextual issues, like, it may not always be appropriate to take a selfie or provide a voice sample to authorise an online transaction,” he added. ®