Biometric Identification — New Tools to Improve Authentication Processes
Each person is unique and possesses one-of-a-kind characteristics and qualities. Generally, we identify people by their physical characteristics, such as height, weight, ethnic background, and hair color among other things. Now, with the power of advanced technology to scan and analyze microscopic details of our physical selves, biometric identification enables secure and speedy methods to help authenticate people at scale.
Biometric identification refers to uniquely identifying a person by evaluating one or more distinguishing biological traits. For example, many phones now need a fingerprint or facial scan to access. Numerous other biometric markers are in use in various secure access applications such as retina and iris patterns, voice waves, hand geometry, earlobe geometry, and even DNA.
When compared against passwords, biometrics offers a more user-friendly and secure option of authentication. Passwords, as they are hard to remember, cause friction for the consumer leading to unsafe practices and security vulnerabilities. Leveraging authentication methods that are nearly invisible for consumers while providing enhanced security improves adoption and reduces risk.
Mobile Payment Authentication
The use of biometric information for identity purposes is expanding on multiple fronts. A new report from Juniper Research predicts that 1.5 billion people will use mobile biometric software by 2023. That is a jump from 429 million that are using the technology today.
While fingerprint scan is the most common input for mobile biometrics, there’ll be an increasing use of voice and facial recognition. According to the report, “mobile payment security will broaden hugely thanks to the implementation of pure software solutions … The key battle now will be to convince users, particularly those in Europe and North America, that these methods are just as secure as traditional hardware-based security.”
Biometrics for Travel
The US is increasingly using biometrics at border check points. They have been implementing facial recognition at various land border crossings and are now setting up at airports for international outbound flights.
As demonstrated by the fact that the Department of Homeland Security has approved the technology, these systems deliver high levels of security. Another significant advantage is the speed these systems offer; by delivering higher throughputs security can process more travelers, cutting lines and improving the travel experience while still providing the necessary levels of security.
Biometrics on ID Cards
While identity documents such as drivers’ licenses and passports have long had photographs, including biometrics adds a powerful new security feature. An estimated 120 countries now have electronic passports that include chips that can include digital photographs for comparison, fingerprints or other biometric data.
The EU has recently proposed to make it mandatory for any Member State that issues National ID to include two fingerprints and a facial image in machine-readable form. The argument for this introduction is to limit the use of forged documents by criminals and extremists. However, many privacy advocates, such as the Electronic Frontier Foundation, believe they “comprise the cornerstone of government surveillance systems that creates risks to privacy and anonymity.”
Who has access to the information? What controls over their collection and distribution exist? What are a person’s rights over that information? What obligations are associated with that data?
The complex interaction between security and privacy has many tangents and is a key debate of our era. As opposed to other identity data, such as an ID number, which can be reset, biometric data is fixed; if the information is stolen, it’s difficult to fix the resulting issues. The trade-offs and precautions taken to ensure security and privacy are carefully balanced needs consideration throughout the implementation process.
Biometrics and the Public
Regardless of the complexities of introducing biometrics, the public seems onboard with their use; in an IBM Future of Identity study, 67 percent of respondents are comfortable using biometric authentication today. That number jumps to 87 percent who would consider it in the future.
Of course, it depends on what purpose of the biometric information and who is storing the information. Not surprisingly, for financial applications security considerations rank five times higher than convenience (70 percent to 14 percent). However, in social media applications, convenience was more valued than security (36 percent to 34 percent).
Major financial institutions also generate the most trust when it comes to handling biometric data, with 48 percent of respondents stating they would trust them to hold that data. In contrast, only 15 percent would trust major social media sites. Note though, the significant use of social medial logins to access multiple other services; a breach of those logins could entail allow attackers to gain access to numerous sites and services.
Biometric acceptance also varies on the region. APAC is the most comfortable, knowledgeable and accepting of biometric authentication, followed by the EU and then the US. When it comes to being knowledgeable about the topic, 61 percent of APAC respondents stated they were, compared to 40 percent for EU and 34 percent for US.
The study concludes with the observation that the offering of choice is the best approach. A risk-based approach, where the level of authentication depends on the level of associated risk, offers a flexible approach to balance the needs for security with convenience and privacy. If extra security is required, an additional authentication step is introduced.
The offering of choice also extends to the type of biometric. Different groups are comfortable with different types of biometric authentication. By offering choice, companies can allow people to choose which way they are comfortable with. Also, delivering more authentication approaches increases the acceptance level and diffuses the potential opportunity of any one system hack.
Strong Customer Authentication
Biometrics though, is only one technique for authentication. The best approach for verifying and authenticating customers is a risk-based approach that layers multiple data points and technologies to make an accurate assessment. Consider the Strong Customer Authentication (SCA) requirement, which comes into effect for the EU in September 2019. The SCA requires that a customer’s identity be verified, using at least two of the following independent elements:
- Knowledge (something only the user knows, e.g. password or PIN)
- Possession (something only the user possesses, e.g. mobile phone or ID card)
- Inherence (something the user is, e.g. fingerprint or facial recognition)
Relying on a single identity authentication data source is rife with potential trouble; systems with one data source have one point of failure, corrupted data can’t be offset and varying data sets can’t be analyzed and optimized for maximum insight and performance. Layering multiple data points and technologies provides a method to triangulate true identity, enabling the information from different angles to better determine accuracy.
This consortium view of identity, using multiple data sources and multiple identity attributes, helps create a robust, scalable, trustable identity.
The use of biometric authentication is growing in different industries, use-cases and official programs. While there are concerns about the level of trust and impacts on privacy, the technology is making inroads into everyday use. For those looking to implement solutions, careful consideration of their customer needs and desires is a necessary first step. What techniques will they accept? It’s also about ensuring that implementation is secure, privacy is maintained and the public knows how you will handle their unique information.
Improving the customer experience and security simultaneously is a powerful goal for improving identity authentications. Biometric authentication, if implemented properly, demonstrates significant potential to push that goal forward.