As I write this piece, the theme from the movie of a similar name has me moving to the tune in my head; you know the one. As you are now also air-whistling, you are probably wondering what this has got to do with biometrics. Well, if you follow the various contradictions of biometrics, you will be aware of the ongoing debates on the advantages (read: good) and disadvantages (read: bad). April was no different, with concerns about data breaches, twins and user acceptance once again being highlighted. The reality, though, is that biometrics continues to grow as an authentication factor, especially in hands-free interfaces spurred on by a variety of voice-first assistants such as Alexa, Siri and Bixby on smartphones, smart speakers, connected automobiles and an ever-increasing range of intelligent consumer electronics. Even if you take the aggressive growth forecasts with a pinch of salt, a multitude of uses outside of financial services (where the majority of applications presently reside), such as e-voting, healthcare and education, together with massive strides in multi-modal innovations such as Aimbrain’s lip-sync addition to voice and facial biometrics, all point to a boom in biometrics.
The Good
Biometrics has been key to removing the inconvenience and risks of physical forms of 1st factor (something you have) authentication such as drivers’ licenses, passports, ID books etc., especially for customer onboarding, access control, border control and policing. However, the greatest advantage of biometrics (3rd factor; something you are) has been in remote transacting, which traditionally relied exclusively on 2nd factor (something you know) authentication via:
- Contact centers – where voice biometrics has proven to be extremely effective in displacing security questions, which frustrate users and agents and have been weakened by the easy availability of the biographic information on which they are based, owing to large-scale data breaches, phishing and vishing
- Notebooks and PCs – mobile computers are now equipped with cameras and fingerprint sensors, and PCs, especially those in government departments, are hooked up to external fingerprint sensors that are used for login and various workflow authorizations
- Mobile Devices – by including sophisticated fingerprint sensors and high-resolution front cameras on most modern smartphones, manufacturers have removed the cost barrier to biometrics. This has resulted in accelerated user familiarity with biometrics and a surge in user adoption for phone unlocking, mobile-app login and even transaction authorisations.
As organizations take the ‘digitize or die’ route to growth, user authentication remains a key focus to ensure that security does not negatively impact the ability to scale. While biometrics overcomes the UX and security issues of security questions, PINs/passwords and OTPs, it does come with new challenges that need to be addressed.
The Bad
In comparison to the inconvenience, declining reliability and increasing cost of 1st and 2nd factor methods, biometrics appeared to be the savior, especially for organizations wanting to digitally transform with urgency. Influenced by science fiction and clever marketing, many implementations deployed biometrics as the sole authentication method. Not only did this meet internal resistance, but it also attracted wide-ranging criticism from a variety of naysayers who were able to find cause in a number of biometric limitations. We covered some of those applicable to voice biometrics in our report, “Voice Biometrics, What Could Go Wrong?”, and list some of the more general ones hereunder:
- Environment – different biometric modalities are not suited to certain environments. For example, voice doesn’t work well in noisy areas, facial struggles in poor lighting, and fingerprint readers are adversely affected by dirt and dust.
- Twins and Impersonators – this is a problem across all biometrics, in very much the same way that humans could be duped by twins and impersonators who can use voice, facial and other disguises
- Synthesis and Spoofing – the game of leapfrog between the good guys (scientists, vendors and security professionals), and the bad guys (hackers, fraudsters and mischief makers) is inevitable
- Privacy and Irrevocability – some biometrics, such as facial and to a certain extent voice, can be used to recognize an individual. Consumers who choose to be anonymous or pseudonymous are uncomfortable with providing biometrics that can be linked back to them. Also, unlike PINs and passwords, which can be changed, biometrics are more permanent in nature. This is an interesting conundrum, as it is this very permanence that makes biometrics suitable for authentication. Nonetheless, fears abound about the re-usability of breached biometric data.
Reality
The reality is that security questions and username/password methods cannot scale with the growth of authentication demands in the digital domain. OTPs and security tags are too inconvenient and can be easily breached. There is no ‘silver-bullet’ solution, hence multiple techniques, including biometrics, are the only way for organizations to scale securely. The ‘bad’ aspects of biometrics must be mitigated so that edge-cases do not compromise an entire deployment. Some of the techniques are:
- Context Awareness – solutions must apply biometrics that are suitable to channel, context and use-case
- Risk Based – modality strength and user friction must be adapted to the value-at-risk, real-time and historical user behavior
- User Based – individuals that are most likely to perform poorly for a particular biometric such as twins or eroded fingerprints are unfortunately outliers who must be treated with additional methods. This is important in the enrollment phase
- Data Encryption and Separation – even de-identified, encrypted data must be broken up and stored in different places, and only recombined for verification purposes
- Liveness, Continuity and Random checks – don’t treat authentication as a single ‘event’ in a user process, rather use techniques such as behavioral biometrics or random, multi-factor checks to ensure that the originally authenticated user is still the one that is transacting.
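One way to realise the ‘Data Encryption and Separation’ item above, shown as an added example that is not part of the original article: an n-of-n XOR split, so that no single store holds anything usable and every share is required at verification time. The function names, the HMAC integrity tag and the sample blob are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for an already-encrypted, de-identified template.
SAMPLE_ENCRYPTED_TEMPLATE = bytes(range(32))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_template(blob: bytes, stores: int, mac_key: bytes):
    """Split blob into `stores` XOR shares; all are needed to rebuild it."""
    if stores < 2:
        raise ValueError("need at least two separate stores")
    shares = [secrets.token_bytes(len(blob)) for _ in range(stores - 1)]
    last = blob
    for share in shares:
        last = _xor(last, share)
    shares.append(last)
    # The tag stays with the verification service, not with any share.
    tag = hmac.new(mac_key, blob, hashlib.sha256).digest()
    return shares, tag


def recombine(shares, tag: bytes, mac_key: bytes) -> bytes:
    """Rebuild the blob for one verification; fail closed on bad shares."""
    if not shares or len({len(s) for s in shares}) != 1:
        raise ValueError("shares missing or of unequal length")
    blob = shares[0]
    for share in shares[1:]:
        blob = _xor(blob, share)
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: share missing or altered")
    return blob


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    parts, tag = split_template(SAMPLE_ENCRYPTED_TEMPLATE, 3, key)
    assert recombine(parts, tag, key) == SAMPLE_ENCRYPTED_TEMPLATE
    print("recombined from", len(parts), "stores")
```

Each share on its own is indistinguishable from random bytes, so a breach of one store exposes nothing about the template; the recombined blob should be held in memory only for the duration of the match.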
The debates on the good and the bad of biometrics are not expected to subside. The reality, however, is that doing nothing is not an option. Accepting that biometrics have limitations, like all other factors do, and adopting a holistic, eyes-wide-open attitude is the best approach.