Before the advent of computing many decades ago, transactions were mostly person-to-person. User authentication or identification was generally a matter of establishing a trust relationship either because the person or persons were known to each other or proof of identity was supported by their physical presence.
Computers and the modern day Internet forever changed this paradigm. Few would argue that the vast majority of transactions today are between people and machines. In the early days, the problem of identity was less about security than about managing access to a shared resource. All that was required was a way to interact with mainframe computers separately. And so was born the notion (or some might say the curse) of usernames and passwords. Although this concept was not designed to serve the needs of online transactions, to this very day we remain dependent on methods and technologies that fall short of providing assured authentication or real personal identification.
So the obvious questions that emerge from this are: What are the best technologies or methods for assured authentication and personal identification in a digital world? Is assured authentication even possible? Is security the main driver for authentication? And must this be at the expense of user convenience? Are we finally at a tipping point for biometrics adoption? Is biometrics the most effective means of assured authentication? And if so, what has the industry done to address issues of performance, privacy, liveness detection and threats to loss of digital identities?
I will discuss each of these issues here. But the short answers are: Yes, there is no question that we need better methods of authentication today; No, it is not necessary to trade off security for convenience; Yes, there is definitely a role for biometrics, the one authentication factor that can reliably answer the question ‘who’.
And because biometrics has a central role to play in today’s authentication solutions, it is important that we revisit and review the many myths and misperceptions associated with biometrics. Many vulnerabilities have been addressed and technologies will continue to improve as biometrics moves from only being a forensic tool to becoming a compelling mainstream solution as service providers begin to appreciate and fully understand that both user convenience and security really matter.
Let’s begin by recognising that biometrics is not new. People have been relying on biometrics since the dawn of man. The part that is new is the automated matching of identities as modern biometrics technology has progressed from a forensics focus to one of validating user identities in the digital world. Over the past few decades, many attempts have been made to make biometric authentication mainstream, but up until recently these have been met with numerous complications, such as less-than-perfect performance and poor reliability.
Many early adopters worked through these issues over time with better system design and modern sensor technology. Multispectral fingerprint sensors, for example, have raised the bar for biometric performance, demonstrating reliability in everyday conditions that challenged conventional technologies. This more-effective technology is based on the use of multiple spectrums of light and advanced polarisation techniques to extract unique fingerprint characteristics from both the surface and subsurface of the skin. That subsurface capability is important because the fingerprint ridges seen on the surface of the finger have their foundation beneath the surface of the skin, in the capillary beds and other sub-dermal structures.
Unlike surface fingerprint characteristics, which can be obscured during imaging by moisture, dirt or wear, the ‘inner fingerprint’ lies undisturbed and unaltered beneath the surface. When surface fingerprint information is combined with subsurface fingerprint information and reassembled in an intelligent and integrated manner, the result is superior biometric performance in any environmental or demographic condition and an authentication application that is more consistent, more reliable, and more tamper (spoof) resistant in the real world.
So the technology is there. However, mainstream markets remain skittish about legacy issues, preferring instead to extend familiar but outdated authentication methods – such as user IDs and passwords – to the breaking point.
They do so at their own peril. With the rapid increase in cybercrimes and identity theft, there is no question that we now have a pressing need for a better form of authentication than a password/user ID pair. Biometrics is the only form of personal identification that, by definition, focuses on the individual and answers the question of ‘who’ with a high degree of certainty. As such, it is an essential factor in modern-day authentication solutions.
Even those who are sceptical about a wholesale switch to biometrics acknowledge that adding an automated biometric identity check to whatever other factor is being used will greatly enhance security. Their scepticism isn’t entirely misplaced: no single factor will ever provide perfect authentication. But biometrics is the one factor that can transform a multi-factor solution into assured authentication.
So how does one assure authentication in this digital age? It begins by accepting the reality that no one single form of authentication by itself is 100%. Even a biometric (including DNA matching) is not perfect. Statistical error rates however are substantially reduced when multiple forms of authentication are employed. The use of biometrics as an additional tool or second factor greatly enhances our ability to get closer to 100% in the continuum to assured authentication. The reason for selecting biometrics as one of the two factors is clear. Knowing ‘who’ is the goal of assured authentication and biometrics is the only form of authentication that is focused on the identification of the individual, not something they have or something they know.
Multi-factor authentication with a biometric also enables new applications or self-service offerings that otherwise would not be practical as they may expose the provider to unacceptable risks. Combining a biometric match with a barcode on an ID card or on a smart device enables self-service authentication at a banking ATM, for example, by bringing transactions to an acceptable risk level.
In Brazil, ATM provider Itautec has demonstrated an application that allows a bank customer to withdraw cash or pay a bill by generating a QR code with a smartphone app and then authenticating the transaction with a multispectral fingerprint sensor at the ATM. Combining the ability to read two authentication factors on the same device (such as what we are beginning to do with multispectral imaging technology) enables a whole new set of applications by simplifying multi-factor transactions even further.
Another aspect of assured authentication can be seen in applications that do in fact require a true 100% level of service, sometimes for reasons that are less about security risk and more about customer expectations. Take for example automotive applications where anything less than 100% authentication is literally a non-starter. Sole reliance on the use of an automotive biometric is unacceptable, even as the industry explores biometrics for personalisation and telematics applications in vehicles. To make these applications viable there must be an alternative means of authentication available as a backup to guarantee user acceptance. This is how one brings assured authentication to a true 100%.
We should also not lose sight of the fact that digital biometrics represents an exciting new tool for a new age. Much like we’ve abandoned the typewriter and [Tip-Ex] for document production and editing, there is no longer a need for us to continue to rely on passwords for online accounts. Digital biometrics are no longer in the realm of science fiction, they are now poised for more widespread adoption. Today’s biometrics greatly enhances security and convenience as part of authentication solutions that address complex modern risks and requirements.
What about user privacy?
One of the concerns often raised about biometrics is the concern over user privacy. There is no question that we have a right to privacy. Few would argue that this is not an absolute right (although it is a bit ironic that the information that we freely and routinely volunteer about ourselves through social media is a much greater threat to personal privacy than any biometric).
That said, we need to be careful to separate our ‘right to privacy’ from the ‘right to anonymity’. In fact we do not have the absolute right to conceal our identity when applying for a job, boarding an aeroplane, entering a private place of business, or entering a country – just to name a few situations.
Our right to privacy is very important and biometrics best practices do allow for a number of protections and safeguards that can, and should, safeguard our identities. These best practices are easily implemented and they should represent an important consideration when choosing a biometric technology and a vendor who understand the risks and the means to protect us.
And for those inclined to dismiss technologies on the basis of them being either intrusive or exclusive, let me emphasise and point out that biometrics is the most democratic and inclusive of all other means of identification. There are no language, literacy, gender, race, ethnicity, or other human factor barriers. Little knowledge of how biometrics works is required for users to enjoy the full benefits. The technology is simple to use and arguably the most inclusive form of personal identification.
The security/convenience paradox
The security/convenience paradox is important to understand because security at the expense of convenience is a non-starter for markets where the user has a choice. Biometrics is uniquely positioned to provide both security and convenience. Passwords, PIN numbers, tokens and ID cards are not particularly secure, nor are they convenient. Most systems employing these methods in response to growing threats have become overly complex, are difficult to understand and generally block users from doing their jobs. Biometrics supports workflow, providing security while non-intrusively enabling people to do their jobs.
With the advent of the modern day Internet, our authentication needs are decidedly more complex – and yet we continue to rely on technologies that are hopelessly out of date, inconvenient and ineffective. What would it take to change this? Users have demonstrated that they will migrate to, and even pay a premium for things they want versus things they need. Convenience is what people want and security is arguably only what they need. So the long overdue ‘death of the password’ is not something that will be driven by something that offers greater security alone. The password will be replaced by a method that is more secure and more convenient.
Properly designed biometrics solutions can and should enhance both security and convenience. Multispectral imaging is an example of a high performing biometric that authenticates on the first try, shaving time and hassle off transactions and allowing ‘security’ to recede from the user’s perspective. In healthcare, biometric patient authentication is becoming important for reducing medical errors and for minimising fraudulent access to healthcare. Mexico’s Seguro Popular, a public health insurance program, relies on multispectral fingerprint biometrics to prevent fraudulent use of the policy. Importantly, officials report that the biometric actually facilitates faster access to medical service by authorised patients – a sure measure of convenience – while saving costs.
In addition to the security and convenience available to traditional authentication applications, knowing ‘who’ with some high degree of certainty enables services or information to be personalised or customised to users’ specific needs, role or access privileges. (In fact, these convenience characteristics will be the primary drivers behind enabling some exciting new biometrics applications.)
Threats to your biometric identity
Two additional issues about biometrics that need attention are concerns about the threat of spoofs and the loss of control over biometric identity. These risks are not static so therefore it is extremely important that vendors make provisions to dynamically respond to ever changing and growing threats as they emerge.
We are all painfully aware that thousands of new computer viruses surface every month and that these viruses expose us to new threats and require new countermeasures. Likewise, in the world of digital biometrics, no matter how good one believes their system to be, there are always those who make it their priority to find and exploit any vulnerabilities.
To that end, best practices mandate that sensors and systems be adaptable and capable of dealing with new threats as they surface. Like the antivirus business, biometrics liveness detection must be sophisticated enough to deal with new spoof techniques. Failure to do so could make the technology vulnerable to threats.
Governments understand this well. Some border crossings are so busy, however, that it might seem that moving people through quickly is a competing priority. Hong Kong Immigration solved that problem by deploying multispectral fingerprint biometrics. The technology alleviates long processing delays while reliably authenticating over 600 000 visitors every day and identifying fraudulent fingerprints (spoofs) with responsive liveness detection.
Finally, some have expressed concern about the potential for loss of a biometric template or identity. The core argument is typically that should a biometric template be stolen or compromised, would one’s digital identity be at risk? What is often overlooked is that biometric templates are generally proprietary and encrypted. Further, good state-of-the-art liveness detection ensures that a ‘stolen’ biometric has no value. Strong spoof detection and trusted platforms with proper protocols can and should be deployed to preserve the integrity of such information. There is also a variety of industry initiatives associated with developing cancellable biometrics. As with any personal identifiers there are proper and improper methods for data protection. It is simply not the case that biometrics are inherently more vulnerable or risky. Consider how easy it is to steal one’s social security number [identity number for South Africans – Ed.]
It is important that this remains a matter that is front and centre with the industry and that proper measures are taken to ensure the integrity of personal identity information, whatever form it may take.
Knowing ‘who’ matters
A biometric is, by definition, very personal for each of us. Biometrics is the only authentication factor that focuses on identification of individuals, not something they carry, or something they know. It is also the only technology that offers a higher level of both security and convenience.
In a digital world where authentication and identification must be assured and reliable, the role of biometrics is significant and should not be overlooked. It really does matter who we are, both to ourselves, and to the people with whom we have personal and transactional relationships.
We have long since reached a point where conventional technologies like passwords, PINs, ID cards, or tokens alone are not sufficient to protect us. Life is complicated enough already and having to remember multiple passwords, complex passphrases and answers to questions easily found on our Facebook accounts are simply not good enough, not convenient and counterproductive.
Biometrics is the only authentication factor that can answer ‘who’, and assured authentication that is enabled by some combination of biometrics and a second factor is the best way to design and develop solutions that meet today’s security needs. Education and good policy will ensure that security, privacy and convenience will always be preserved, even as technology advances. Consumer acceptance and appreciation of this technology as users begin to realise the full benefits will likely enable the widespread adoption of biometrics.
The threats to our identities are steadily rising. The cost and sophistication of a viable solution is now very close to the point where the question is not why use or deploy biometrics but rather why are we not deploying biometrics? And why on earth has it taken so long for us to get there?
Phil Scarfo is VP of worldwide sales and marketing for Lumidigm. He can be reached at firstname.lastname@example.org
© Technews Publishing (Pty) Ltd | All Rights Reserved