Biometric security: One size does not fit all

By Andrew Jamieson, director of security and technology, identity management and security unit, UL

We "give away" our biometric data all the time — in photos, as DNA, to other systems. It's basically public information.

Anyone could be taking a picture of your ear or eye right now, or looking it up on social media, so biometric markers can be vulnerable to exposure if not managed properly.  

Biometrics have rapidly expanded into consumer applications such the financial market for customer authentication to payment services and withdrawing cash from ATMs in high-fraud markets. By 2020, nearly all smart devices including mobile phones, tablets and wearables will have some form of biometric security enablement. 

While the above seems to justify the adoption of biometrics in the banking industry, it is essential to understand the impediments to broader adoption. Many technologies that would be enabled by biometrics are still vulnerable to spoofs and hacking.

For example, mobile apps continue to pose serious security risks due to vulnerabilities that might exist within their software. Such vulnerabilities may be exploited to steal information, control a user’s device, exploit hardware resources, or result in unexpected app or device behavior. 

It's not all about the device

A lot of media attention — and some academic — is paid to the "falsification of the biometric trait", such as replicating a fingerprint, using a mask to fool a facial recognition system, or using a video to confuse an iris pattern-matching process. However, after the capture, this trait is transformed into  digitized data, so we must also be concerned with how this digitized data is protected.

If one can make a "copy" of this digital data, it might be possible to pose as the person by whom it was originally provided. Although there is a strong history and culture of physical and logical security for PINs and card data, this is not the case for biometric data.

It is because biometric data often can be easily cloned for use in "presentation attacks" (e.g., cloning the data input), it should be used in conjunction with a second factor for higher security.

Additionally, biometric systems targeting higher security should include mechanisms to prevent presentation attacks such as "liveness detection." This is critical for preserving trust in the integrity of biometrics authentication, increasing consumer acceptance and industry adoption. 

The benefit of robust biometrics in the authentication process is the ability to mitigate the potential for truly scalable attacks. Fraudsters want to find a process for committing fraud and then repeat it again and again. Introducing additional layers of authentication, such as a hybrid approach that combines technology and human verification, makes this far more difficult to manage.

Layer by layer

Instead of relying on a one-size-fits-all solution, any widely deployed security mechanism needs to incorporate a layer-based approach to identification — one that harnesses the power of both physiological and behavioral biometrics — to create a secure and user-friendly experience, while simultaneously addressing user concerns and potential security flaws.

Technological advances now mean that the behavior of the user also can be used as a means of identification. Machines can learn and process a multitude of  data points — from the way users swipe their phone to the timing of their individual keystrokes.

These behavioral biometrics create a way to develop a usable risk profile, and act as part of a more trustworthy identification process that has the ability to detect anomalies that can signal bot and replay attacks.

Using this much more amenable approach to biometrics also means that users can opt out of sharing highly personal information and data, insulating both the user and the enterprise against the risks posed by data breaches.

However, such new technologies are also fraught with concerns around the ability to perform "hidden" tracking of users; as we learn more about ways to identify ourselves as individuals, it becomes harder and harder for us to remain anonymous in all aspects of our digital lives.

Biometrics can undoubtedly be an easy and convenient way to identify a customer and, when used properly, can be secure as well. One must realize, however, that biometrics is not a remedy for all problems.

It is essential to understand how any specific biometric authentication process works, when to use it, and when not to use it. In an increasingly digital world, businesses need to square the circle of strong security and identification processes without inhibiting the user journey.

By combining unique identification markers offered by biometrics, we can create a secure, robust, layered identification process, utilizing the most unique data points and markers possible — the users themselves.