What the rise of wearables means for authentication

Reading the coverage of CES this year, it was possible to draw two conclusions about wearable technology. Firstly, wearable technology is now an established market – a fast-growing segment with lots of innovation that is now much more than just fitness bands and smartwatches. The second is that the variety of “innovations” suggests that wearable technology hasn’t quite decided what it’s for yet – for example the Pavlok, which shocks you out of bad habits, or a $370 belt that measures your waist size in real time.

The most-hyped innovations at CES aren’t always winners. 3D TVs were everywhere at the 2013 event but were conspicuously absent by 2015, thanks to consumer indifference. Netbooks were predicted as the next big thing in 2009, but for most people the tablet meant a low-powered laptop was unnecessary. At the moment, it seems that wearables - despite some initial scepticism and some silly ideas – is a trend and a market segment that is here to stay. Fitness bands and smartwatches already have some traction, and there were some genuinely great ideas on show such as a sock that monitors a baby’s vital signs, and in-ear technology so swimmers can enjoy music just as runners can.

If, five years from now, everyone has a wearable device, what does that mean for the prevailing advice, which is to build applications and services around smartphones? If the smartwatch becomes a ubiquitous device, used by consumers to be entertained, to interact and even transact, what implications will this have for security and specifically authentication? If people are increasingly used to using a smartwatch for most low-interaction tasks, then having to remove a smartphone that’s tucked away in a pocket may mean ‘frictionless’ authentication may have more friction than consumers want.

The added biometric data that wearable devices may be able to produce open up new ways to identify people. Where a person has been, their temperature, heartbeat, blood pressure and so on – all of this data could potentially be used to authenticate a user.

In the arms race against fraud, complex and interlinked data that can identify a user is clearly a winner for financial services. A fraudster may potentially be able to subvert a fingerprint, but replicating a fingerprint, a heartbeat and skin conductivity is a different prospect altogether. But no institution wants to fundamentally change their authentication infrastructure every time a new authentication method becomes more widely available.

Today forward thinking financial institutions are taking a ‘mobile-first’ approach to authentication where the smart device capabilities – location, biometrics, behaviour, etc – are used to provide a better user experience without compromising security. Nobody sane would argue that the shift to mobile is likely to stop or even slow down anytime soon. But what happens if smartwatches become more popular than mobile? Or what if the next iteration of Google Glass shakes off its nerdy ‘glasshole’ stigma and gains wide adoption? Almost a decade from the launch of the first iPhone, can we say what the most popular device will be in another ten years? Possibly a wearable device like Glass, maybe even something that plugs directly into the brain a la Neuromancer, but most likely a much more powerful iteration of a smartphone.

Maybe even the smart belt will - against all expectations - fire the public’s imagination and become the next must-have gadget. Do you have a smart belt strategy? Will your customers be able to use smart jewellery to identify themselves?

Financial institutions are only now starting to make use of mobile devices, and it might seem with the growing wearables trend that there’s a risk of being left behind again.

However, in the foreseeable future, wearables will have to connect with and through a smart device. 

In this context, the key advantage of wearables from an authentication perspective is that they can improve usability (reduce friction) and increase security. For example, if a smart-watch is paired with a device and enrolled as a second "have" element, the service provider can detect whether the user is close to the phone or not. If the watch is "out of range" it could be an indication that the device is in the hands of a fraudster. In another scenario, if the user is making a mobile payment in a shop, they could type the PIN or use TouchID on the watch and avoid having to fetch the phone all together.

Whatever the scenario, the mobile device will remain central.

What’s important is that institutions take a “device-first” approach - one where new authentication technologies based on technology advances can be easily introduced without wholesale replacement of infrastructure. So when wearable tattoos go mainstream after CES 2020, these forward-thinking companies will be the first to integrate them into their authentication process.