September 5, 2018
Do you remember the time when business meetings were conducted in person? A visit to the bank to make a deposit was a face-to-face transaction. Even a phone call to your friend’s home went over a fixed landline, and you recognized his voice when he answered. These interactions, as antiquated as they seem, were a type of biometric authentication, in which you verified another person through voice and facial recognition.
“Throughout human history, face-to-face engagement was the most common way of interacting with people,” said Andrew Jamieson, technology and security director for UL’s Identity Management Security group. “Today, we mainly interact with people online. We interact with businesses through applications, web interfaces, online chat systems and social media. With these new forms of communication, it’s much more difficult to identify who you’re talking to.”
As a result of this digital world we now operate in, biometrics as a form of security authentication has moved to the forefront. Passwords and PINs, both non-biometric authentication methods, were the access control of choice until stronger security measures increased the complexity for users. For example, passwords must now meet character length requirements and include upper and lower case letters, as well as a combination of letters, digits and special characters.
“It just becomes burdensome for customers. What we’re seeing now is a move away from traditional passwords and PIN numbers towards biometrics, which makes authentication better and easier for users,” added Jamieson. “But biometrics by itself is not the solution. It should be combined with other security solutions to form a holistic authentication strategy.”
Today, deployment of biometric technology involves using multiple inputs to maximize security. Whether it’s a combination of fingerprint sensors, facial recognition, or tracking a user’s location or behavior, these inputs make up a multi-tiered authentication strategy for optimal security control and access.
Avenues for biometric implementation
In addition to adopting a multi-modal biometric authentication strategy, successful implementation of biometrics requires two critical paths.
Firstly, the user should maintain control over their own biometric data. A good example is the use of fingerprint and facial recognition sensors to access mobile phones – a generally secure mechanism where that data lives on the device, controlled by the user only.
Secondly, for uses such as card access to commercial buildings, passport verification in airports, and digital drivers’ licenses when driving, biometric data should be entrusted to a centralized organization that uses the data to authenticate individuals for multiple purposes.
“This approach to biometric implementation works well because of the tangible benefit that a larger organizational body accrues in the use of that data to identify people and increase the security of their systems,” explained Jamieson. “When it comes to situations where the customer doesn’t have control of the data such as a government entity, we need to be very careful that the data is secured and maintained so the customer doesn’t lose faith in those systems. If customers migrate away because of fears that their data could be compromised, that poses a risk to wide adoption of biometrics.”
Barriers to biometric adoption
Unlike passwords, which can be easily changed, biometric inputs are permanent, creating even greater personal privacy concerns.
“If a password is compromised, it can be easily changed. But you can’t change the way you look, you can’t change your iris pattern,” said Jamieson. “So it’s very important when we implement biometric systems that we have very strong and well-understood mechanisms to protect that data, to prevent the compromise of that data, and have plans in place for what happens if that data is compromised.”
Differentiating fresh biometric data from data collected from a secondary source, such as high-quality photos on the internet from which someone can pick up fingerprints, iris patterns, facial images, etc., presents another challenge. Liveness detection or anti-spoofing technologies can help not only to establish who the person is but also to authenticate their intent at a particular point in time, such as the intent to unlock a phone, enter a building, etc.
The path forward for biometrics
Companies looking to incorporate biometric authentication into their products should establish a firm reason for pursuing biometrics as part of an authentication strategy, outline the tangible benefits of biometric data for their identity authentication and security processes, and assess the enterprise-wide security implications before making the investment.
“Don’t do it because it’s new and cool; make sure you understand why you’re doing it and the value it is going to provide your customers. Think about how it’s going to be used, where the data is going to be stored, how that data could be compromised and what happens if it is,” added Jamieson. “Assessing that from the outset will set up companies for success and create a trusted environment for wide adoption of biometrics in the future.”