Scott Nicholson at Adapt provides and insight:
“Banks generally have high levels of security requirements to fulfil prior to deploying new technology throughout its lifecycle, but for me, this decision raises a number of concerns. There is always a balance between business benefit/ performance versus security. However, the recent announcement to use fingerprint based security for users of the iPhone 5S or 6 appears to show a lack of true understanding of the potential implications.
Whilst fingerprint authentication is deemed to be more secure than password requests, organisations such as Computer Chaos Club hacked the new functionality just days after it was originally released and also claimed to be able to clone fingerprints using commercial software and high resolution photographs. Whilst companies will release security updates to remediate identified vulnerabilities, it is usually just a matter of time before a new exploit is identified. Have these companies thought through all aspects of this decision, not just security aspects but the privacy impact and their compliance with UK Data Protection Act 1998? Whilst customers have been requesting this service we have to ask ourselves, are they truly informed of the potential implications?
In recent years we have seen many security breaches due to password compromise – often due to technical flaws in the protection of the password rather than the password itself. In dealing with the aftermath and trying to move forward after a breach, there will always involve a changing of password or private key. However, when using fingerprint data for the first time we are talking about using ‘the unchangeable password’ so organisations need to feel confident in all of their security controls and that they are adhering to privacy requirements, otherwise they will face a huge amount of pain dealing with the aftermath of a breach.”