TSB is to introduce iris recognition as a way for customers to unlock the bank app and access their account, the first in Europe to use this form of biometric technology.
From September, TSB customers with a Samsung Galaxy S8 and S8+ will be able to use the phone’s built-in iris scanner in order to log into their account on the mobile app by glancing at their phone, instead of inputting an ID and password.
The bank says this form of biometric authentication is the most secure as it uses 266 unique characters compared to 40 for fingerprints – which can also still be used to log in to the TSB app.
The bank’s chief information officer Carlos Abarca said: “Iris recognition allows you to unlock your TSB mobile app with a simple glance, meaning all of those IDs, passwords and memorable information become a thing of the past.
“As well as a more customer-friendly approach to identification, iris recognition is also the most secure method of authentication available today. We want our mobile app customers to continue to have a fast, easy-to-use experience; iris recognition delivers that and, when combined with our other security measures, an unparalleled level of cyber security.”
Iris scanners are expected to follow fingerprint scanners in becoming commonplace on smartphones – Samsung first introduced the scanner on the doomed Galaxy Note 7 last year, before adding the system to its flagship smartphone, the S8, which launched earlier this year.
However, cyber security experts have warned that while using new forms of security should be encouraged, it should not be assumed that biometric passwords and log-ins cannot be compromised.
Richard Parris, chief executive of IT security firm Intercede, said: “Biometrics is fast becoming the de facto security measure for a wide range of business and consumer applications.
“However, German hackers were recently able to trick a Samsung Galaxy S8’s iris scanner with a picture of the device owner’s eye and a contact lens.
“This was the same month that HSBC’s voice recognition security system was fooled by a journalist. Biometric authentication is not entirely immune to potential attack and therefore should not be relied on as the sole means of verifying a user.
“Rather than use biometrics in isolation, instead businesses need to be looking at strong authentication that incorporates three distinct elements – possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, an iris scan).
“This allows businesses to verify that the person accessing the service is who they say they are, in addition to limiting the amount of times an individual can attempt access if any of these elements are missing or incorrect.”
Etienne Greeff, co-founder of cyber security firm SecureData, also warned of the implications for consumers should their account still be hacked.
“What happens when your biometric security settings are hacked? You can’t change your voice, you can’t replace your eyes, you can’t reset your fingerprints,” he said.
“It’s good to see businesses like TSB looking to replace passwords, which are flimsy and easily breached, but hackers are wise to biometrics and it won’t stop them from trying to get their hands on your data.”
Mr Greeff said “more consideration” of security techniques was needed in order to better protect consumers.
TSB said its new system places security and customer experience at the “forefront” of its digital services.