We are seeing a biometrics boom across many industries, from banks deploying selfie biometrics to laptops requiring fingerprint authentication. As we jump at speed towards a mobile-first world, biometrics will take an increasingly important role with new deployments and capabilities. However, fighting against this innovation are concerns about the security of biometrics and myths designed to create fear – iris scans burn your eyes!
Busting biometric fallacies and providing insight on the biometric landscape, Derek Northrope, head of Biometrics for Fujitsu Americas, separates biometric fact from fiction with CBR’s Ellie Burns.
EB: In your experience, what are the most common myths associated with biometrics?
DN: I suppose the biggest myth, that actually encapsulates a large number of other myths, is that Biometrics behave in real life the same way they do in the movies. This manifests in a number of, strangely divergent, ways. Some people have an unrealistic expectation of how magically accurate a system is or inversely that they are so inaccurate that they are easily beaten. Others believe that a single biometric scan can reveal their entire life history including what they ate for breakfast and who their first crush was. The reality is much more middle ground.
The second biggest myth is that all biometrics are created equal. Various biometrics have different strengths and weaknesses, including things like: Accuracy, Usability, Cost, Speed, Identification vs Authentication and Ability to be forged.
Any organisation looking at using biometrics needs to understand these factors, linked to their risk profile to determine the best Biometric, or Biometrics, for them. A good solution can tie all of these biometrics together into a single cohesive identity framework.
The third is that Biometrics, in and of themselves, are a magic bullet for identity and security. For low risk, or low cost, activities this may well be the case, however for higher risk transactions Biometrics should form part of a layered security approach including other factors such as the traditional, something you know, something you have.
EB: Is there any truth at all in some of the dangers associated with biometrics – or is it all hokum?
DN: Like all good myths there is some truth to the dangers, however, a good understanding of the issues above will mitigate them. For example, can someone copy your fingerprints and beat the TouchID? The short answer is Yes. The longer answer is that there is a cost and effort associated with beating the TouchID and that cost and effort needs to be replicated for each new person you are trying to ‘spoof’.
The simple fact that it needs to be replicated for each person means that risk profile shifts from stealing a small amount from lots of people, to stealing a large amount from a few people. This is where a better understanding of the myths mentioned above comes in. Knowing that TouchID can be beaten, at a cost, means that it is fine for transactions with a value less than that cost, however for higher value transactions it should be combined with additional factors, or indeed replaced with a more secure biometric like PalmSecure.
EB: What is the most common biometric myth perpetuated by enterprise execs?
DN: That biometric solutions cost too much to implement. This is where a good understanding of myth number two combined with a deep understanding of the various risk profiles either within their organisation, or for their customers can help. One example is that in various industries implementing biometric time clocks can have a return on investment, from a reduction in buddy punching, of less than 6 months. Another example is the implementation of voice biometrics into a help desk to automate things like password resets can, with the use of Biometrics as a Service (BIOaaS) offerings, have an immediate ROI. Once this biometric framework is in place, and paying for itself, it can be expanded to include other biometrics, in other use cases, to increase security and reduce risk.
EB: How do you see biometrics being received/adopted by business today?
DN: For staff we are seeing a greater adoption of Biometrics to secure information and to automate tasks such as password resets or remote access authorisation. For customers we are seeing biometrics being used as a means to have a greater level of trust that the person we are dealing with, who isn’t physically present, is who they claim to be.
EB: Can you see any regional variations in biometric adoption – US versus the UK for example?
DN: For sure, we have regions like the Nordics and parts of Asia that use biometrics in National ID cards and so some of the variations come from a greater level of understanding and acceptance of biometrics. Other variations come from the level of maturity and infrastructure of the financial services capabilities of each region.
For instance, parts of Africa have skipped the branch type banking model and gone straight to online and mobile banking and purchasing. In various parts of the world NFC and Chip and Pin POS stations are the norm whereas in other regions it’s still the traditional swipe and sign. Biometrics is the natural progression for mobile commerce with the widespread adoption of biometrics in consumer smartphones.
EB: How does enterprise adoption stack up against consumer adoption of biometric authentication?
DN: At this stage consumer adoption far outweighs the enterprise adoption of biometrics. However, as mentioned earlier, a greater understanding of the ROI and security possibilities of BIOaaS offerings means that we should start to see a greater uptake in enterprise adoption soon. Consumer adoption in the financial services market will likely remain the clear leader though.
EB: What is the main factor all businesses need to consider for successful biometric implementation?
DN: I would say two main factors:
- What is the business need we are trying to address. i.e. not be a solution looking for a problem but actually solve a real business need.
- What is the risk profile, or profiles, that we are addressing. These risks can be a combination of things like Financial, Security and Reputational risk. Various staff, or customers, can have different risk profiles while performing different tasks. This then leads to a better understanding of the Biometric, or biometrics, required to solve the business problem.
EB: Why is biometric authentication so important in today’s world?
DN: Authentication is massively important in today’s world as the majority of transactions, be they financial, healthcare, government or security related, can boil down to a simple two-step process. Who are you, and are you able to conduct this transaction?
In the distant past the first part was relatively easily determined as people conducted business face to face and there wasn’t a lot of global mobility. Everyone in the small town a person grew up in knew who you are on sight because you had grown up there. This is no longer the case, transactions are often conducted remotely via the internet and can occur anywhere in the world.
Authentication can only happen after you have been enrolled into a system, in some systems a lot of effort goes into determining the true identity at this point, i.e. financial and government services, in other systems any claim is accepted, i.e. gym membership or creating a new email address. However in all instances we have a vested interest in confirming that the person who is trying to access the service is the person who was registered, i.e. Authentication. In a similar vein the best encryption in the world can easily be bypassed if the access method isn’t strong enough.
EB: In 50 years’ time, how do you expect biometrics to have evolved? What place will it have in the world?
DN: In 50 years’ time biometrics will be much more pervasive in everyday life, my home and office will know who I am as I walk in the door for example, my car will only start for registered people and my phone will only for me, and my health and financial records will be much more secure than they are now.
However this greater coverage in everyday life will need to be balanced by greater controls and safeguards around commercial entities sharing, or selling, my biometric information. To be fair this isn’t something specific to biometrics, if loyalty cards are already selling information about my shopping habits to other industries like insurance agencies and financial service providers then it may already be impacting my day to day life. Biometrics are just better at correctly authenticating the user.