July 20, 2012

4. Polling the Device

The raw technologies involved with mobile computing give it certain advantages when it comes to authentication. “In some ways, mobile is better than a PC for authentication, because you can factor in things such as location,” says ABI Research’s John Devlin. “Combinations of transactions can get flagged very quickly, and then blocked and challenged.” For example, if successive mobile logins were to occur thousands of miles apart, using verifiable location data based on cell phone towers, the bank may infer that one of the two logins has to be a fake.

Ordinarily, downloaded apps can be granted permission to access the location data associated with a device. Beyond location, there’s a big opportunity for banks to strengthen their authentication practices by tapping into the full complement of data and services available on mobile devices.

For example, suppose a bank makes a copy of a user’s contact database and then, before authorizing a transaction, checks to see whether those same contacts are present on someone’s phone. That way, someone who just steals the user ID and password for a bank account would be unable to log in; the thief would have to steal the person’s actual phone, or somehow copy that person’s entire address book along with the bank credentials.

Another approach is examining the physical behavior of how people use their smartphones. “When looking up phone numbers, some people always search the contacts list, while others type the number first,” says Forrester’s Cser. “There are several ways to do the same things, and if you observe someone’s behavior over a long period of time, you’re going to see repetitive patterns that are different, person by person.”

“You can argue that this is biometric information, and there would be a huge set of concerns around privacy,” Cser adds. Whether it would ever be possible to realize some of these enhanced OS-based techniques in Apple iOS remains an open question. Nevertheless, the possibilities afforded through digging deeply into the phone’s data store are sure to make such ideas hard to rule out entirely.

5. Device-Based Authentication

If security at the device level becomes enough of a differentiator in the market, we may see the industry shift to entirely new business models that place device manufacturers and network operators in the driver’s seat.

Mobile operators and device manufacturers were caught flat-footed with the rapid success of Apple iOS, and they’d surely relish the opportunity to figure out some new way to differentiate themselves with a more advantageous bargaining position relative to the operating system companies.

Devlin sketches out the possibilities involved with having the secure area on a smartphone available— for an annual fee — to financial institutions and other payments, e-wallets, and loyalty application providers. “The network operators want to be in charge of that,” says Devlin. “Part of the delay of NFC coming to market is who controls the secure market, who’s paying for it, and who makes revenue from it.” Device-based authentication could be embedded into the handset by the device manufacturer or network operator; or located on a removable SIM card or microSD card to be provided by a bank or other player.

With these considerations in mind, banks should keep a sharp lookout and maintain a nimble footing when evaluating the evolving possibilities in the mobile ecosystems emerging within their respective geographic markets.