The Right Biometric Solution Depends On The Use Case

by Tim Sloane 0

Security concept with fingerprint touch identification and authe

This article raises many issues making it hard to know where to start. First perhaps is that a bank should not use iPhone’s native security to identify a corporate treasurer authorizing million dollar transactions on a daily basis. That said, I trust my relative obscurity, limited bank account, and iPhones security makes it unlikely someone will duplicate my fingerprint from a doorknob and crack my bank account. Primarily because the balance isn’t worth the effort:

‘ “There is no one perfect biometric modality,” Arun Vemury, director of the Biometrics Technology Engine at the Homeland Security Department told the Federal Drive with Tom Temin. “It really comes down to what are you trying to use it for? What are the needs of the specific operations, so you can find the right setup, technologies and fit?”

He said the expansion of biometrics is all about tradeoffs between three categories: what you know, what you have and what you are.

For example, it might seem like fingerprints are more secure than passwords. After all, passwords can be cracked through brute force or man in the middle attacks. But no one else has your fingerprints, or your face, right?

“One thing people don’t realize about biometrics is that technically, they’re not secret,” Vemury said on Identity Governance Month. “We walk around and show our face to the world. We leave our fingerprints all over everything we touch.”

Ideally, people work as hard as they can to keep their passwords and PINs secret and difficult to figure out. But they don’t take the same precautions with their biometrics.’

However, putting all the eggs into the fingerprint basket is also stupid. Google, Apple and everyone else needs to wake up and implement multi-factor authentication. This will enable the user to pick the appropriate solution for the situation at hand (face on a crowded train, voice for the call center when at home, fingerprint whenever) and use these in combination (voice passively and a fingerprint challenge as appropriate).

Then there is confusing my personal security with the security needs of a corporation and with identification of a person in a crowd on a large scale, such as that used at stadiums and airports:

‘“We’re in this situation where, as technology comes out, and honestly as it becomes more pervasive, more people will be incentivized to figure out how to beat it,” Vemury said. “Not only because it’s there and it can be beaten, but because the targets on the other side become more enticing as this stuff starts to get used beyond government applications but now for financial services and other places where people could find financial benefit. They’re going to get more creative, more people are going to look at it, they’re going to figure out how to beat it.”

And that’s not the only trade off involved in biometrics. DHS is one of the largest users of biometrics in the world, but as it implements these new technologies, it’s not always receiving the cost benefits that it should.

“When you put a technology out, people don’t actually understand how to use it. And these errors start to accumulate,” Vemury said.

So DHS sees new costs in training its employees to use these new technologies, and new costs in the support it takes to fix these errors.

There’s also a trade off between security and facilitation. The more secure a biometric system is, the more slowly it moves. And that can be a problem in situations like airport security. The answer, Vemury suggested, could come in the form of a combination of technologies.’

Biometrics are complex, but trying to discuss the problems with biometrics and while pulling examples from 3 or 4 totally different use cases simply confuses everyone.

Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group

Read the quoted story here