TSB Set to Roll-Out Iris Scanning for App Users

UK bank TSB is set to become the first in Europe to roll-out iris recognition capabilities to customers, allowing them to log-in to its mobile app.

The high street lender claimed the process would be quick and easy, but initially would only be available to those with Samsung Galaxy S8 smartphones.

After an initial iris scan to register the user’s biometrics, all a user has to do to unlock access to the banking app is look into the camera.

"It takes advantage of 266 different characteristics, compared with 40 for fingerprints," the bank’s CIO, Carlos Abarca, told the BBC.

"It's extremely fast – it takes less than a second to get in – and the gesture is very natural. And you don't have to remember secret numbers or passwords."

However, security concerns have already been raised about Samsung’s iris recognition technology.

Back in May, researchers at the Chaos Computer Club (CCC) revealed how the biometric authentication system could be fooled simply by taking a digital photo of the target’s eye, printing it out and placing a contact lens on top to simulate the curvature of the eyeball.

The best results were obtained using the night mode setting. CCC claimed a good camera with a 200mm lens at a distance of up to five meters would do the job.

Other systems, such as Apple’s Touch ID fingerprint scanning technology, are already gaining popularity as a quick and easy way for users to log-in to accounts and devices.

However, the balance between security and usability is a tricky one to get right and critics of biometric authentication argue that, unlike passwords, it’s difficult to force a reset once a hacker has cracked the system – because the user can’t change their iris pattern or fingerprint.

Richard Parris, CEO of Intercede, argued that biometrics shouldn’t be relied upon as the sole means of verifying a user’s identity.

“Rather than use biometrics in isolation, instead businesses need to be looking at strong authentication that incorporates three distinct elements – possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, an iris scan),” he said in an emailed statement.

“This allows businesses to verify that the person accessing the service is who they say they are, in addition to limiting the amount of times an individual can attempt access if any of these elements are missing or incorrect.”

What’s Hot on Infosecurity Magazine?