Only biometrics can unify the age-old opposing
forces of user-experience and digital security, says Isabelle Moeller, Chief
Executive, Biometrics Institute. When it happens, the effect will be

Thanks, in no small part, to the whims of
Hollywood, biometrics have become something of a go-to metaphor for bleeding
edge, bullet-proof security. It’s easy to see why: iris scanners make great TV.

Sadly, reality is always different to the big
screen. The last five years have lifted biometrics out of Mission Impossible
and dropped them into the lives of everyday consumers, where they are fast
assuming a central role in digital identity management. Popular engagement with
voice recognition in telephone banking and smartphone fingerprint scans is,
thankfully, sobering perceptions. Security breaches, while unfortunate, have
underlined that biometrics are far from infallible and most certainly are not
an ‘overnight solution’ to the world’s digital ID problems.

Neither are they toothless, however. On the
contrary, in the right hands, biometrics, like chilli peppers, can be powerful
ingredients that give real punch to the security mix. What’s more, in the world
of digital identity, particularly in user authentication, there is an urgent
need to spice things up; the industry faces serious challenges.

The recent proliferation of digital services
and cloud-based platforms, each requiring independent user verification, is
making mincemeat of the username and password (UNP) model. Ubiquity compels
even the diligent to reuse at least some of their UNP credentials, dramatically
increasing the security implications of a hack. Indeed, many of the most
popular cloud-based services already automate this practice, enabling users to
apply their ‘unique’ UNP to a variety of other accounts (a process known as
single sign-in, or social login). The risk posed by this kind of identity
federation is obvious: a hacker needs only to crack one UNP to gain access to
all the user’s associated accounts. Various services exist to help mitigate UNP
vulnerability (password ‘vaults’ and management applications) but few would
disagree that these are at best sticking plaster solutions; the days of UNPs

Two-factor or multifactor authentication
solutions are far more impenetrable but, compared to UNPs, adoption rates
remain low, largely because the multifactor approach fails to
deliver a smooth and convenient user experience. Physical authentication
tokens, often used in e-banking, are easily lost or stolen but more importantly
the authentication process itself is laborious. Typically, receipt or
generation of a random key or number sequence occurs on one device (a
smartphone), which must be combined in some way with another unique piece of
information known only to the user, before being inputted into a second device
(laptop, tablet, PC etc.). Replacing all UNPs with this multi-step model is no
solution at all; today we log in to so many different platforms that
interruption and end-user frustration would dominate the digital experience.

Enter biometrics. There is little doubt that
the future of digital identity lies in using multiple factors to verify a
user’s authenticity. The key difference will be that one or more of those
factors will be delivered biometrically, enabling the authentication process to
be vastly simplified and greatly accelerated. Apple’s Touch ID is an excellent
example of how a biometric can make an authentication process both fast and
convenient as well as secure. Indeed, with biometrics ‘in play’, a digital
world in which the authentication process disappears entirely from the user’s
experience could be right around the corner.

When appropriately deployed, behavioural
biometrics such as typing styles, app navigation habits, or the pressure
applied to touchscreens, leave a data trail almost as distinctive as a
fingerprint or face. The identifying power of these behavioural factors can be
harnessed by multifactor authentication solutions and, when combined with
conventional biometric data, can be used to continually and automatically
confirm and reconfirm the user’s identity without interrupting their user
experience with off-putting ID challenges.

Adaptive and risk-based authentication
solutions are also gathering momentum. These solutions monitor the user’s daily
journey through their apps, platforms and devices and use this data to ensure
an authentication challenge is only issued when the system deems it absolutely
necessary, according to pre-determined policies set by the issuer.

When these fields are mastered,
biometric-powered multifactor authentication will finally unify the age-old
opposing forces of convenience and security, and a brilliant and incredibly
secure end-user experience will be established.

Imagine almost never having to be challenged
again when logging into a cloud service, a mobile app, social platform,
collaborative workspace, email inbox, remote VPN…

We are not there yet. More work needs to be
done to identify and increase the reliability of behavioural biometrics.
Capture technologies are still developing and their integration into
intelligent solutions must be handled with care if we are to stay ahead of the
hackers. Privacy issues also remain a key concern, as do the storage and
sharing of biometric data once it has been captured. This is the space
inhabited by the Biometrics Institute Digital Services Working Group, which is
one of the few places globally where the boundaries of these solutions are
being explored in an open, collaborative and commercially neutral forum.
Crucially, it encompasses the full spectrum of stakeholders too, including
academics, vendors, end-users and privacy advocates.

The importance of this work cannot be overstated.
Collaborative efforts are essential to ensure the true enabling power of
biometrics can be realised in the digital space without putting the
individual’s biometric data at risk. Cross-industry collaboration at the
Institute also accelerates the evolution of these technologies, shortening the
lead time before full deployments are possible and end users benefit. In this
instance, this can’t come soon enough. The world of digital services is
evolving at a tremendous pace and the threats to personal data security are
increasing as a result. Only when biometrics have been successfully integrated
will multifactor authentication solutions be able to deliver the user
experience demanded by today’s digital consumer. Mass adoption will then follow
and all that inhabit the digital world will be safer for it.