By Isabelle Moeller, Biometrics Institute.
Only biometrics can unify the age-old opposing forces of user-experience and digital security. When it happens, the effect will be remarkable. Thanks, in no small part, to the whims of Hollywood, biometrics have become something of a go-to metaphor for bleeding-edge, bulletproof security. It’s easy to see why: iris scanners make great TV.
Sadly, reality is always different to the big screen. The last five years have lifted biometrics out of Mission Impossible and dropped them into the lives of everyday consumers, where they are fast assuming a central role in digital identity management. Popular engagement with voice recognition in telephone banking and smartphone fingerprint scans is, thankfully, sobering perceptions. Security breaches, while unfortunate, have underlined that biometrics are far from infallible and most certainly are not an ‘overnight solution’ to the world’s digital ID problems.
Neither are they toothless, however. On the contrary, in the right hands, biometrics, like chilli peppers, can be powerful ingredients that give real punch to the security mix. What’s more, in the world of digital identity, particularly in user authentication, there is an urgent need to spice things up; the industry faces serious challenges.
The recent proliferation of digital services and cloud-based platforms, each requiring independent user verification, is making mincemeat of the username and password (UNP) model. Ubiquity compels even the diligent to reuse at least some of their UNP credentials, dramatically increasing the security implications of a hack. Indeed, many of the most popular cloud-based services already automate this practice, enabling users to apply their ‘unique’ UNP to a variety of other accounts (a process known as single sign-on, or social login). The risk posed by this kind of identity federation is obvious: a hacker needs only to crack one UNP to gain access to all the user’s associated accounts. Various services exist to help mitigate UNP vulnerability (password ‘vaults’ and management applications) but few would disagree that these are at best sticking plaster solutions; the days of UNPs are numbered.
Two-factor or multifactor authentication solutions are far harder to penetrate but adoption rates remain low compared to UNPs, largely because the multifactor approach fails to deliver a smooth and convenient user experience. Physical authentication tokens, often used in e-banking, are easily lost or stolen, but more importantly, the authentication process itself is laborious. Typically, receipt or generation of a random key or number sequence occurs on one device (a smartphone), which must be combined in some way with another unique piece of information known only to the user, before being inputted into a second device (laptop, tablet, PC etc.). Replacing all UNPs with this multi-step model is no solution at all; today we log in to so many different platforms that interruption and end-user frustration would dominate the digital experience.
Enter biometrics. There is little doubt that the future of digital identity lies in using multiple factors to verify a user’s authenticity. The key difference will be that one or more of those factors will be delivered biometrically, enabling the authentication process to be vastly simplified and greatly accelerated. Apple’s Touch ID is an excellent example of how a biometric can make an authentication process fast and convenient, as well as secure. Indeed, with biometrics ‘in play’, a digital world in which the authentication process disappears entirely from the user’s experience could be right around the corner.
When appropriately deployed, behavioural biometrics such as typing styles, app navigation habits, or the pressure applied to touchscreens, leave a data trail almost as distinctive as a fingerprint or face. The identifying power of these behavioural factors can be harnessed by multifactor authentication solutions and, when combined with conventional biometric data, can be used to continually and automatically confirm and reconfirm the user’s identity, without interrupting their user experience with off-putting ID challenges.
Adaptive and risk-based authentication solutions are also gathering momentum. These solutions monitor the user’s daily journey through their apps, platforms and devices and use this data to ensure an authentication challenge is only issued when the system deems it absolutely necessary, according to pre-determined policies set by the issuer.
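The continuous, policy-driven challenge decision described in the two paragraphs above can be sketched as follows. This is an added example, not code from the article or the Biometrics Institute; the thresholds, the action names, the behavioural score feed and the moving-average smoothing are all illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """Issuer-set policy. All values are illustrative assumptions."""
    min_confidence: float = 0.60        # floor for routine actions
    elevated_confidence: float = 0.80   # floor for sensitive actions or unknown devices
    weight: float = 0.5                 # weight of the newest behavioural sample
    sensitive_actions: frozenset = frozenset({"add_payee", "change_password"})

@dataclass(frozen=True)
class Event:
    action: str
    behaviour_score: float  # 0..1 match of typing/touch pattern to the enrolled profile
    known_device: bool

def evaluate_session(events, policy=Policy()):
    """Return (action, decision) per event; decision is 'allow' or 'challenge'.

    Confidence starts at 1.0 (explicit biometric login assumed), is smoothed
    with each behavioural sample, and resets to 1.0 after a challenge, which
    this sketch assumes the user passes.
    """
    confidence = 1.0
    decisions = []
    for ev in events:
        # Exponentially weighted moving average of behavioural match scores.
        confidence = (1 - policy.weight) * confidence + policy.weight * ev.behaviour_score
        required = policy.min_confidence
        if ev.action in policy.sensitive_actions or not ev.known_device:
            required = policy.elevated_confidence
        if confidence < required:
            decisions.append((ev.action, "challenge"))
            confidence = 1.0
        else:
            decisions.append((ev.action, "allow"))
    return decisions

# Constructed sample session (not real telemetry).
SAMPLE_SESSION = [
    Event("view_balance", 0.9, True),    # strong match, routine action
    Event("read_messages", 0.7, True),
    Event("add_payee", 0.7, True),       # sensitive action needs higher confidence
    Event("view_balance", 0.3, True),    # behaviour drifts from the enrolled profile
    Event("view_balance", 0.3, True),    # sustained drift falls below the floor
    Event("view_balance", 0.5, False),   # unknown device raises the floor
]

if __name__ == "__main__":
    for action, decision in evaluate_session(SAMPLE_SESSION):
        print(f"{action:15s} {decision}")
```

In this constructed session only three of the six events interrupt the user, and a single weak behavioural sample is absorbed by the smoothing, while sustained drift, a sensitive action or an unknown device triggers the challenge.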
When these fields are mastered, biometric-powered multifactor authentication will finally unify the age-old opposing forces of convenience and security, and a brilliant and incredibly secure end-user experience will be established.
Imagine almost never having to be challenged again when logging into a cloud service, a mobile app, social platform, collaborative workspace, email inbox, remote VPN…
We are not there yet. More work needs to be done to identify and increase the reliability of behavioural biometrics. Capture technologies are still developing and their integration into intelligent solutions must be handled with care, if we are to stay ahead of the hackers. Privacy issues also remain a key concern, as does the storage and sharing of biometric data once it has been captured. This is the space inhabited by the Biometrics Institute Digital Services Working Group, which is one of the few places globally where the boundaries of these solutions are being explored in an open, collaborative and commercially neutral forum. Crucially, it encompasses the full spectrum of stakeholders too, including academics, vendors, end-users and privacy advocates.
The importance of this work cannot be overstated. Collaborative efforts are essential to ensure the true enabling power of biometrics can be realised in the digital space without putting the individual’s biometric data at risk. Cross-industry collaboration at the Institute also accelerates the evolution of these technologies, shortening the lead-time before full deployments are possible and end users benefit. In this instance, this can’t come soon enough. The world of digital services is evolving at a tremendous pace and the threats to personal data security are increasing as a result. Only when biometrics have been successfully integrated will multifactor authentication solutions be able to deliver the user experience demanded by today’s digital consumer. Mass adoption will then follow and all that inhabit the digital world will be safer for it.
While the legal framework and policy creation for biometric data privacy remains a matter for lawmakers, commercially independent guiding principles for the design, deployment and operation of biometric technologies already exist. They are the product of international collaboration between academics, governments, vendors and other key stakeholders at the Biometrics Institute.
Only by sharing live deployment experiences, establishing guiding principles, creating best practice guidelines and promoting the responsible use of biometrics globally, can the industry truly claim to be representing the interests of end-users. Biometrics may be perfect, but our use of them is not. As the adoption of biometric technologies continues to accelerate, it is our collective responsibility to ensure we strike the right balance between delivering a great user-experience and mitigating security risks along the way.