Making biometrics secure
Biometric authentication must balance convenience with the need for privacy and security, writes Alan Hodgson
Disruption is an often overused term, but it is the only word that adequately describes the profound effect that smartphones and other mobile devices have had on our lives. They have transformed society and the way in which we interact and exchange information.
Having a mobile device with significant sensor, processing and communications capabilities has proved to be attractive to a wide variety of applications, particularly in combination with the capability to link information and identity. However, the challenge is for users and industry to find the balance between ensuring the privacy and security of personal data, required to use these different applications, while maintaining user convenience. The role for international standards is to make a significant contribution to addressing these issues and facilitating the wider implementation of applications with all of the above capabilities.
Authentication — from PIN codes to biometrics
One of the early challenges with mobile devices was the need to verify that the user is entitled to access the device. Early generation smartphones required the input of a personal identification number (PIN) code, to deter theft or unauthorized access to services. However, the capabilities now built into smartphones allow identity verification by the acquisition of biometric data.
A good example of the use of biometric authentication is the fingerprint reader, an embedded device forming part of a trusted system to guard against software attack. From the consumer perspective it provides a convenient and secure method of verification and has a user convenience advantage over PIN keying systems.
However, smartphone systems have the capability of going much further, using embedded subsystems to transition from fingerprint recognition to vision-based biometrics such as iris patterns and facial features. There is a technology trend towards further form designs of wearable smart devices where biometric authentication will be the norm. Innovations in IoT, Smart Cities and electronic retail suggest a growing need for standardization on the “security vs user convenience” question and to provide guidance to the value chain.
The need for technology standardization
Increasing numbers of applications are being developed for the wearable smart device platform, starting with the smartphone. However, as increasing numbers of these use mobile identity authentication through biometrics on a single platform, thus, if one application is perceived to be compromised it could affect the public perception of all the applications using the wearable smart device platform. International Standards for biometric authentication could play a key role in protecting public confidence in this technology. This need for technology standardization comes from three directions:
- Consumer needs
From a consumer perspective, the transition from PIN numbers to biometrics was motivated by increased convenience, with the belief that the balance with data security had not markedly changed. However, stories in the press around large-scale data theft and cyber security issues are starting to diminish this belief. For the user, the issue is one of trust; which can be impacted by both real and reported issues. International standards can help reassure customers that their privacy and security is being protected.
2. Government and regulatory body needs
National programmes are being introduced that use biometric identification as a gateway to government services and to facilitate mobile ID for driver’s licenses and passport programmes. Governments are also responding to the need for security of critical infrastructures, with initiatives like the NIS Directive in Europe. The International Air Transport Association (IATA) aims to use biometrics to provide a seamless travel experience through airports using only mobile devices.
In the absence of truly international standards, the rules of engagement look likely to be set by a series of country- and industry-driven initiatives. Various industry consortia are already active in this area, but it would be logical for all concerned if this technology were the subject of international standardization.
3. Industrial needs
Industry sees both a consumer and government need for mobile identity authentication solutions that it is keen to fulfil, but there is currently no holistic framework from international standards. It has noted the consumer frustration with multiple passwords and seeks to provide solutions. Consortium reports contain a call to action for consolidation around the use of standards for mobile ID authentication and note that standardization is still in an early stage.
The common thread emerging here is the need for international standards to support industrialization.
Achieving mobile data security and privacy with standards
Effective standardization for mobile data security and privacy will require a systems approach due to the overlap with emerging systems such as IoT, Smart Cities and Active Assisted Living. Security and authentication look likely to be key to the smart automotive sector too.
This complexity can be seen as a benefit in that some of the necessary standardization work is already in progress and a challenge because the work is underway in disparate international and industry standards bodies with their own issues and communities.
Failure to protect the privacy and security of consumers will impact on their standard of living and their future interaction with the electrotechnical environment. The smartphone, as the first in a disruptive series of mass market mobile and wearable devices, has made a step change in society’s ability to exchange information and in turn develop and prosper. For example, smartphones have led to widespread and convenient access to data, information and services, facilitating new business models and commercial transactions. International standards for these innovative technologies have the capability to make a substantive economic and social contribution while maintaining the balance between human and technological development.
The relevant structure
A large number of industries are involved in mobile biometric authentication, including hardware, software and application. From an international standards perspective, though a substantial amount of detailed work exists or is under way at industry and national level, standardization will require more liaisons between relevant IEC and ISO standards committees.
For example, some of the issues around data security and privacy are within the scope of the IEC and ISO joint technical committee for information technology (ISO/IEC JTC 1) whose subcommittees are working on key technology areas, such as biometrics (SC 37), artificial intelligence (SC 42) and personal identification in (SC 17).
Additionally, IoT issues are likely to become very important as is the imaging testing structure, which has been developed in ISO TC 42: Photography. Some of the future design factors around wearable devices are being charted by IEC TC 110:Electronic displays. One early task will be a gap analysis to define what is missing.
A logical option for bringing these together in a central forum would be under IEC TC 124: Wearable electronic devices and technologies, which has most of the relevant liaison structure in place, or alternatively some of the ISO/IEC JTC 1 groups highlighted above.
Constructing a roadmap for future work
This article outlines the need for international standardization to protect the privacy and security of the highly personal biometric data of individual consumers, with sound commercial and governance arguments.
From a commercial perspective, research published in 2017 by a leading payment solutions company on biometric-based payment solutions, showed that the absence of a single standardized form of biometric authentication is an impediment for implementing these solutions. From a governance standpoint, during the days of hard copy documents, governments dictated how identity was verified, using driver’s licences and passports, however now they are losing control to smartphone manufacturers and apps.
It also highlights areas where work is already in progress, how this could be coordinated, and notes that other emerging areas could benefit, for instance, autonomous and connected vehicles. International standards could make a significant contribution to the social and technical environment of the emerging connected society.
Significant challenges arise due to the scope and complexity of the issues involved. There is a need to assess the gaps in standardization, which are relevant to our requirements, and to work with industry to construct a roadmap for future work.
A plan to do this will be proposed during an industry meeting of a new event called Digital Document Security Conference to be held in May in Berlin. The Conference aims to bring together some key industry and government players to examine the role that International Standards may play in this debate.
This is an edited version of an article that originally appeared in the print edition of IEC e-tech.
Dr Alan Hodgson is a consultant scientist with over 30 years experience in a variety of printing technologies and imaging science. He chairs IEC Technical Committee 119 on printed electronics.
