RBS and NatWest to let mobile customers sign-in with biometrics

News by Doug Drinkwater

The gradual shift to biometric authentication continues with the news that two UK banks will allow customers to sign in to their accounts by using Apple iPhone's fingerprint recognition technology.

The two banks in question are RBS and NatWest, and customers will be able to use this feature from 19 February, so long as they activate it with their security information within the RBS or NatWest mobile banking apps. After doing this, they will be able to use Apple's Touch ID fingerprint sensor to log in, although three failed log-in attempts will force customers to re-enter their passcodes.

Apple's Touch ID was introduced two years ago, and this particular feature will be available to those using the aforementioned apps on iPhone 5S, iPhone 6 and iPhone 6 Plus smartphones; the apps are already used by 880,000 customers in the UK.

"There has been a revolution in banking, as more and more of our customers are using digital technology to bank," said Stuart Haire, managing director, RBS and NatWest Direct Bank. Both banks are subsidiaries of the largely government-owned Royal Bank of Scotland group.

The news comes at a time when biometrics have been gaining traction – earlier this week Microsoft confirmed that it was adding support for the FIDO standard, so that Windows 10 users will be able to log in to services password-free. However, some continue to have reservations about the security of biometrics.

Apple's Touch ID was hacked within a day after launching on iPhone 5 in 2013, after white-hat hackers made a fake fingerprint from a photograph of a fingerprint left on a glass surface.

Ben Schlabs, a researcher at SRLabs, a German hacking think tank which has previously found flaws with Samsung's Galaxy S5 fingerprint sensor, told the BBC: "The security implications are the same, it is just as dangerous. I think it has been shown that it is pretty easy to spoof it and the risks aren't fully understood."

Eerke Boiten, director of the Cyber Security Research Centre at the University of Kent, told SCMagazineUK.com that the need to activate the feature with security information would mean “there is some scope for worry.”

“Biometric sensors like fingerprint scanners need to tune their acceptance criteria to balance false acceptance (the sensor says it is the person, but really it isn't) versus false rejection. Unavoidably, one goes down when the other goes up.

“People don't want to be locked out of their own phones - so for this kind of sensor, false rejection rates are set low, making false acceptance rates relatively high. Apple doesn't seem to have published these rates, but there also aren't reports out there of people unlocking others' iPhones. Funnily enough, in this context, it helps for iPhone thieves to belong to a large criminal organisation: more fingers to try!

“In theory, the sensor could be used in a three-factor authentication system for banking, requiring something people know (password), something they own (the mobile), plus something they are (the fingerprint). That must be more secure than just using the first two of those like many electronic banking systems do currently.”

However, he added that banks were moving towards removing the password entirely, a worry in light of iPhone fingerprint scanners being spoofed. “Either spoofing or false acceptance rate will seriously undermine the "something you are" factor once the mobile has been stolen.

“All in all, it looked like having a potential for increasing security, but (presumably because of an emphasis on usability) it creates new security risks of a different kind,” summarised Boiten, who also noted that Apple, having previously dismissed the idea of third-parties using Touch ID, was now doing exactly that.

Thomas Bostrøm Jørgensen, CEO of Encap Security, said in an email to SC that it was a watershed moment for banking: “Sure it's trickier to subvert a fingerprint than a password, but it's not impossible – Touch ID was ‘hacked' less than a month after introduction. One hacker has claimed to be able to recreate fingerprints from high-resolution photos. And while you can issue a new PIN or password you can't issue a new fingerprint – not without it being very messy. A single factor will always be vulnerable to attack.

“Apple has already suffered reputational damage from the iCloud breach that revealed a lot more than some celebrities wanted. Banks can't afford to make the same mistake with biometrics.”
