White Paper
Mobile Eats The World!
The Rise of Biometric Authentication
First Edition February 2016 © Goode Intelligence
All Rights Reserved
Published by: Goode Intelligence
www.goodeintelligence.com
Whilst information, advice or comment is believed to be correct at time of publication, the publisher cannot accept any responsibility
for its completeness or accuracy. Accordingly, the publisher, author, or distributor shall not be liable to any person or entity
with respect to any loss or damage caused or alleged to be caused directly or indirectly by what is contained in or left out of this
publication.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
means, electrical, mechanical, photocopying and recording without the written permission of Goode Intelligence.
Goode Intelligence © 2016 www.goodeintelligence.com
CONTENTS
The Move to Mobile – Mobile eats The World!
Move to Mobile – The Facts
Increase in Traffic and Transaction Value
The rise of the mobile app – combining availability and simplicity
Rising Mobile Fraud
Authentication Strategies for Mobile
Biometric Authentication - moving from what we know to what we are
Device-Centric Biometric Authentication Models
Case Study – Hong Leong Bank Berhad pioneers biometric authentication
First Wave of Mobile-Based Biometric Authentication
Mobile Biometrics for Card-Not-Present Fraud Reduction
Linking Mobile-Based Biometric Authentication to Risk-Based Authentication
Does Consumer Mobile Biometric Authentication Technology meet the needs for the Enterprise
RSA Adaptive Authentication Biometric Capabilities
Summary
About Goode Intelligence
Mobile Eats the World: The Rise of Mobile Biometric Authentication
Goode Intelligence © 2016 P a g e | 2 www.goodeintelligence.com
This white paper from mobile security research and consultancy specialist, Goode
Intelligence (GI) explores how mobile is eating the world and the effect this has on
authentication. Mobile-based biometrics is a viable option for providing convenient
and secure authentication to millions of consumers especially when combined with
trusted platforms.
THE MOVE TO MOBILE – MOBILE EATS THE WORLD!
Back in October 2014, Benedict Evans of Andreessen Horowitz gave a presentation[1] in which
he stated that mobile is eating the world. The presentation, updated in May 2015, examined
how the smartphone has become the dominant computer for the majority of the world’s
population.
This is not a developed world phenomenon. From the Sahara to the Andes, smartphones
are increasingly being used as the primary computer for every aspect of people’s lives and
disrupting traditional models of business.
1 “Mobile is eating the world”, presentation, Benedict Evans, Andreessen Horowitz, October 24 2014:
http://ben-evans.com/benedictevans/2014/10/28/presentation-mobile-is-eating-the-world
Move to Mobile – The Facts
Increase in Traffic and Transaction Value
Internet data shows that since 2012, the mobile share of ‘Black Friday’ has steadily grown;
both in traffic volume and in financial value. Figures from IBM show that smartphone traffic
during ‘Black Friday’ almost doubled between 2012 and 2013 to account for just under 40
percent of ecommerce volume; by 2014 it was accounting for almost one half of all traffic
and just under 30 percent of financial value.
Black Friday 2015 saw the continuation of this trend with an increase to over 36 percent of
eCommerce transactions (financial value) taking place from a smartphone.[2]
The rise of the mobile app – combining availability and simplicity
Mobile’s convenience factor is driving more people to access services from mobile devices;
PayPal is one company that is seeing increased activity via its mobile app, with a quarter of
its total payment volume coming from the mobile channel during the Fourth Quarter of 2015. The
payment company has also seen an increase in usage by its active accounts, with 27
payment transactions per active account compared to 25 transactions in the same period
in 2014.[3] Mobile apps can provide more convenience and simplicity for people, and this can
lead to greater usage.
2 Source: Statista
This trend is supported by transaction data from RSA’s Adaptive Authentication customers, collated from live traffic, which shows the percentage of traffic originating from mobile increasing threefold - from 15 percent at the beginning of 2013 to 45 percent by December 2015. This equates to an annual growth rate of 200 percent compared to 15 percent seen for web traffic.
Mobile is not only eating the world of commerce; similar pivotal shifts are occurring for other
services, including Enterprise and Healthcare.
3 Source: PayPal Fourth Quarter and Full Year 2015 Results
The rise of mobile commerce also brings another important trend: the shift towards mobile
apps and a movement away from web browsers. This has important considerations for all
service providers and has a knock-on effect on how security and authentication are provided.
Rising Mobile Fraud
The rise of mobile computing across all verticals brings risks. There is an associated
movement of fraud towards mobile as we perform more activities on smartphones and
tablets.
Billions of dollars of commercial transactions are being enacted on smart mobile devices,
and this has not gone unnoticed by criminals and hostile actors eager to defraud consumers
of their hard-earned cash.
Figures from RSA’s Adaptive Authentication customers detail the rise in fraud attempts
originating from the mobile channel with an increase from less than 10 percent during 2013
to 50 percent during 2015. Mobile fraud increased by 162 percent from 2013 to 2015;
compared to Web fraud which increased by a mere 1 percent.
AUTHENTICATION STRATEGIES FOR MOBILE
As mobile eats the world and fraud levels increase in the mobile channel, it is imperative that
organizations plan their authentication strategies appropriately.
Securing access to mobile apps and digital services on a range of mobile platforms and
different smart mobile devices can be challenging, but there are now a range of solutions
that provide convenient and secure authentication for consumers.
Goode Intelligence has been covering mobile-based authentication since 2009 and has
identified a number of key trends that are transforming how organizations manage user
authentication (both employees and customers) through the mobile channel.
One of the biggest technology innovations to hit authentication in recent years has been the
adoption of biometrics on smart mobile devices; moving from using what we know (PINs,
Passwords and Codes) to what we are – our biometric identifiers.
Biometric Authentication - moving from what we know to what we are
The combination of biometric technology and smart mobile devices is enabling a new
generation of user authentication services to be deployed.
Biometrics is providing a credible solution to the twin problems of replacing weak password
and PIN authentication mechanisms and solving the mobile authentication dilemma: how to
deliver convenient, stronger authentication solutions to smart mobile devices.
Device-Centric Biometric Authentication Models
Apple’s mobile fingerprint-biometric authentication platform, Touch ID, has provided the
catalyst for the growth of device-based biometric authentication solutions, providing a simple
way for service providers to leverage the platform through its Touch ID API. The
device-centric model in which an integrated sensor collects biometric data and stores this data
(template) in secure hardware embedded in the chip (Secure Enclave / ARM TrustZone) for
subsequent local authentication processing has also been adopted by the FIDO Alliance.
Service providers, including financial institutions, are deploying biometric authentication
solutions to remove friction from account log-in and payment authorization scenarios. Goode
Intelligence forecast that during 2015, over 120 million people used biometrics on their
mobile devices to secure their interaction with financial services.[4] This includes mobile
payments, cash withdrawal from ATMs, accessing bank accounts from a mobile app and
when accessing contact center services.
4 Mobile Biometrics for Financial Services: Market & Technology Analysis, Adoption Strategies and
Forecasts 2015-2020, December 4 2015: http://www.goodeintelligence.com/report-store/view/mobile-biometrics-for-financial-services-market-technology-analysis-adoption-strategies-and-forecasts-20152020
Many financial institutions are planning to adopt mobile-based biometrics during 2016 in an
attempt to reduce friction in the authentication process, reduce rising levels of financial fraud,
and drive customer adoption of mobile banking.
Case Study – Hong Leong Bank Berhad pioneers biometric
authentication
Malaysia’s Hong Leong Bank Berhad is a pioneer and early adopter of biometrics in the
financial industry. Besides offering increased security, the bank is using biometric
authentication technology as a way to increase customer trust and drive adoption of digital
banking. Through fingerprint authentication technology embedded in a mobile app, users
will be allowed to access and conduct transactions such as fund transfers and cardless ATM
withdrawals. The bank anticipates a 32% increase in its digital banking user base by
end-2016.[5]
First Wave of Mobile-Based Biometric Authentication
We are witnessing the first wave of adoption for mobile-based biometric technology where
biometric technology integrated into mobile devices by a device manufacturer is accessed
through APIs by third-party service providers.
The integration of fingerprint sensors into smart mobile devices has been a huge enabler for
mobile-based biometric authentication. Goode Intelligence forecasts that there will be over
770 million smart mobile devices that will be equipped with fingerprint sensors during 2016.[6]
Other biometric modalities are being adopted on smart mobile devices for authentication
purposes. This includes face, voice, iris, behavioral and eye-vein; some of which make use
of the built-in capabilities of a mobile device and some that require special hardware and
sensors, e.g. iris biometrics requires modifications to the camera or a separate camera.
5 Malaysia’s Hong Leong Bank targets 32% growth in digital banking with biometric solution on app,
DealstreetAsia, October 12 2015: http://www.dealstreetasia.com/stories/malaysias-hong-leong-bank-targets-32-growth-in-digital-banking-with-biometric-solution-on-app-15321/
6 Mobile & Wearable Biometric Authentication Market Analysis & Forecasts 2014-2019 2nd edition,
October 30 2014, Goode Intelligence: http://www.goodeintelligence.com/report-store/view/mobile-wearable-biometric-authentication-market-analysis-forecasts-20142019-2nd-edition
Mobile Biometrics for Card-Not-Present Fraud Reduction
One area that needs urgent attention is eCommerce payments. As the USA begins to adopt
EMV chip payment cards, it must look at the example of EMV adoption in other regions.
Moving sensitive payment details from an easily-read magnetic stripe to a protected chip has
been a security success story in reducing card-present fraud for both ATM and in-store
Point-Of-Sale (POS) transactions. It has led to a shift by fraudsters to eCommerce
transactions in scenarios where the chip cannot be used: Card-Not-Present (CNP)
transactions.
Card Not Present (CNP) fraud increased by 10% from £301m in 2013 to £331m in 2014 in the UK.[7]
Technology innovation is once again required to reduce rising levels of CNP fraud, and
mobile-based biometrics may well be the answer. The authority that manages EMV
standards, EMVCo, is working on updating 3D Secure (3DS), its online user verification
solution, to its second version (3D Secure 2.0). Currently, 3D Secure is based on a
user-generated passcode. 3D Secure 2.0 builds on the original specification, and opinion is
that biometrics is suitable for reducing CNP fraud and for improving the usability of the
existing passcode-based solution.
Linking Mobile-Based Biometric Authentication to Risk-Based
Authentication
We must not view biometrics individually, or in isolation from other security mechanisms;
modern authentication solutions comprise multiple features and services, and are
strengthened by an in-depth approach.
For mobile-based authentication, these services can include device fingerprinting,
geo-location, threat and malware mitigation and tight integration to risk-based authentication
(RBA) services.
7 Plastic fraud figures, The UK Cards Association:
http://www.theukcardsassociation.org.uk/plastic_fraud_figures/index.asp
Risk-based authentication provides a method of scoring the risk of a particular login attempt
or transaction and only reverts to additional levels of user verification when the risk score
exceeds certain pre-defined thresholds. If the organizational policy decides that a login
attempt or transaction exceeds these risk scores, then an additional level of user verification
is required. Mobile-based authentication is an ideal partner for risk-based authentication
services and can provide a quick and easy way to verify the identity of a user or ensure that
transactions are authorized.
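The threshold-and-step-up decision described above can be sketched as follows. This is an added example, not code from the white paper or from RSA's product; the signal names, weights, thresholds, the outright-deny rule and the sample profile are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical signal weights and policy thresholds (illustrative values only).
WEIGHTS = {"unknown_device": 40, "unusual_location": 25,
           "malware_detected": 60, "unusual_amount": 20}
STEP_UP_THRESHOLD = 40   # at or above: require a biometric step-up
DENY_THRESHOLD = 90      # at or above: refuse, whatever the biometric says

@dataclass
class Profile:
    """What the service already knows about a user (constructed fields)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    typical_max_amount: float = 0.0

@dataclass
class Event:
    """One login attempt or transaction arriving from the mobile channel."""
    device_id: str
    country: str
    amount: float = 0.0
    malware_detected: bool = False

def risk_signals(event, profile):
    """Return the names of the risk indicators that fire for this event."""
    signals = []
    if event.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if event.country not in profile.usual_countries:
        signals.append("unusual_location")
    if event.malware_detected:
        signals.append("malware_detected")
    if event.amount > profile.typical_max_amount:
        signals.append("unusual_amount")
    return signals

def risk_score(event, profile):
    """Sum the weights of every indicator that fired."""
    return sum(WEIGHTS[s] for s in risk_signals(event, profile))

def decide(event, profile, biometric_verified=None):
    """Return 'allow', 'step_up' or 'deny'.

    biometric_verified is None before any step-up has been attempted,
    then True or False with the result the device reports.
    """
    score = risk_score(event, profile)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score < STEP_UP_THRESHOLD:
        return "allow"          # low risk: no extra friction for the user
    if biometric_verified is None:
        return "step_up"        # ask the app for a fingerprint or eye check
    return "allow" if biometric_verified else "deny"

# Constructed sample profile: one enrolled device, one usual country.
PROFILE = Profile({"dev-A"}, {"MY"}, 500.0)
```

Low-risk events pass without extra friction, mid-range scores trigger the biometric check, and a score above the upper threshold is refused even if the biometric matches.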
Does Consumer Mobile Biometric Authentication Technology meet
the needs for the Enterprise
Leveraging device-based biometric authentication platforms such as Touch ID is an option
for organizations to quickly enable friction-free authentication to their customers and
employees.
On the surface, it does seem an easy choice to make for those organizations wanting to roll
out mobile biometric authentication features for their mobile apps, but caution should be
exercised to ensure that the technology is appropriate. Being appropriate means meeting
industry regulation, being compliant with company security policy, ensuring that as many
people as possible can use the technology (not relying on a solution that only works on a
single platform) and meeting the needs of a robust, scalable authentication solution.
For 2016, a mobile-based biometric authentication solution has to be enterprise and financial
services-grade and easily slot into existing regulatory frameworks and infrastructure
constraints. This can be achieved by building out the capabilities of trusted authentication
platforms to include support for some of the latest mobile-based biometric technology.
RSA ADAPTIVE AUTHENTICATION BIOMETRIC CAPABILITIES
RSA Adaptive Authentication is a risk-based authentication and fraud detection platform that
provides advanced protection across both Web and mobile users. The Adaptive
Authentication Mobile Module leverages RSA’s proven Risk Engine which includes a
mobile-optimized risk model that analyzes a variety of risk indicators, including mobile device
identifiers, location and behavioral profiles, to identify fraudulent or suspicious activity.
Adaptive Authentication can be used to secure multiple types of mobile channels including
mobile browsers, WAP browsers and mobile apps.
Adaptive Authentication offers integration through a web services call and a Software
Development Kit (SDK) that allows developers to embed strong authentication directly into
their mobile applications for banking, e-commerce, and enterprise access. The Adaptive
Authentication Mobile SDK also supports biometrics for step-up authentication including
fingerprint and EyeVerify’s Eyeprint ID. Supported platforms include Apple iOS and Android OS.
Eyeprint ID from EyeVerify is one example of a biometric authentication solution that can
support enterprise grade requirements. This mobile biometric, which uses the visible veins
and other eye-based micro features to authenticate a user, is software-based and can be
scaled to service both customers and employees. Several banks are already deploying
Eyeprint ID to their end users, and it is now built into the step-up authentication functionality
within RSA’s Adaptive Authentication mobile SDK.
SUMMARY
This white paper explored how mobile is eating the world and starting to dominate our digital
lives. We are increasingly using mobile to pay for digital goods, to make in-store contactless
payments, to bank with and to run our personal and company lives.
As a result of this trend, criminals and hacking groups are increasingly attacking the mobile
channel and are being successful in stealing money and targeting people’s personal and
business information.
Goode Intelligence believes that mobile-based biometric authentication can both substantially
improve the authentication user experience and plug into existing security mechanisms
to provide a more secure and robust way in which to verify our identities and to authorise
transactions.
RSA has identified these trends and created easy-to-use features in its Adaptive
Authentication platform that support the latest biometric technologies, including EyeVerify’s
Eyeprint ID solution, to meet the need for convenient mobile-based biometric consumer
authentication.
For more information on the biometric capabilities of the RSA Adaptive Authentication Mobile
SDK, please visit this blog: “How a selfie or finger swipe can help prevent mobile fraud”.
ABOUT GOODE INTELLIGENCE
Since being founded by Alan Goode in 2007, Goode Intelligence has built up a strong
reputation for providing quality research and consultancy services in mobile security, identity
and biometrics.
For more information on this or any other research please visit www.goodeintelligence.com.
This document is the copyright of Goode Intelligence and may not be reproduced,
distributed, archived, or transmitted in any form or by any means without prior written
consent by Goode Intelligence.