December 6, 2017
When Aware launched its Knomi framework in October, it marked the arrival of a new approach to using biometrics to realize the convenience and security of password-free mobile authentication. With support for several modalities and device- or server-centric implementations, the Knomi mobile biometric authentication framework appears unmatched in its flexibility.
Knomi leverages Aware’s many years of experience enabling large-scale systems with biometric capture and matching algorithms. The framework of biometric algorithms is provided as SDKs and APIs designed for integration into existing mobile applications and authentication workflows, as opposed to a more black-box, bolt-on approach. Its modular design enables a range of implementations that can meet the specific requirements of many different use cases, with innovative UX features and high-performance algorithms for biometric matching using face, voice, and keystroke dynamics. Knomi also places a strong emphasis on liveness detection.
Knomi components can also be configured to support different architectures. The Knomi D configuration enables a device-centric approach, with biometric matching, template storage, and liveness detection occurring on the user’s mobile device. Knomi F provides FIDO Certified authenticators, client, and server for a standards-compliant, interoperable, device-based implementation. Knomi S moves the matching, liveness analysis, and template storage to the server.
The advantages of multiple modalities
In addition to providing face, voice, and keystroke dynamics as modality options, Knomi offers the ability to capture them simultaneously. Applying multiple modalities enhances biometric performance in terms of false match and non-match rates, and also enables some creative approaches to liveness detection. Capturing biometrics simultaneously avoids sacrificing convenience for the user.
Applying multiple modalities also accommodates a wide variety of different user situations and preferences. While voice authentication might not be ideal in noisy or crowded environments, it can be the best option when hands-free authentication is desirable or where taking a biometric-grade “selfie” face image is difficult.
Knomi also enables businesses to realize a multichannel approach to authentication. They can authenticate users as part of a support call workflow, or with keystroke dynamics during online chat interactions. Multimodal authentication also contributes to risk-based approaches, in which users are prompted to authenticate dynamically by different means based on factors such as location, geo-velocity, device identification, or previous failed attempts. This flexibility to build out a variety of authentication options is what sets Knomi apart.
“Passwords are a fifty-year-old technology conceived for a vastly different computing and network environment. They’ll continue to have their place, but passwords are a severely outdated authentication technology in terms of both security and convenience,” David Benini, VP of Marketing and Product at Aware, told Biometric Update in an exclusive interview. “Secrets alone are an inadequate security measure to address the challenges posed by today’s sophisticated threats. And unlike passwords, biometrics have many ways to evolve and improve, as we’ve already seen; they will continue to get better and better, to a point where we’ll barely know they’re there.”
Device- or server-side authentication
By enabling authentication either on the user’s device or on the company server, Knomi allows organizations to choose their approach based on the appropriate security stance for their situation. Client- and server-side authentication come with security and feature trade-offs, as organizations using server-side databases must protect them against data breaches, while those using on-device verification must plan for device theft or related criminal attacks, such as man-in-the-middle hacks. While media coverage of major data breaches has emphasized the risk of server-side authentication, there are benefits, such as the added controls that can be achieved with a centralized approach, or the algorithm improvements that can be realized through analysis of the server-based data.
The needs of applications also vary according to the industry they are used for. Banks, enterprises, and governments all require secure mobile ID, but have different responsibilities to their end users.
Employee authentication has traditionally been a more centralized endeavor, in order to provide the organization with control over accounts and associated privileges. Organizations authenticating employees also do not face the same regulatory environment as those authenticating customers and citizens. Consumer-facing applications might rather opt for on-device authentication to maximize scalability and to minimize the risk of large-scale breaches of personal customer data.
Regional factors can also play a role in determining the appropriate authentication architecture. Performing biometric matching and liveness detection on the server might be the best option in locations where simpler phones are more common, or where network capacity poses constraints on app downloads. The regulatory environment in a given region might also provide a motivation to go with a FIDO approach that avoids central storage of user data.
Standards compliance for regulation compliance
FIDO authentication standards are increasingly recognized as the preferred alternative for a device-centric architecture, and work by the FIDO Alliance continues to facilitate an authenticator marketplace that allows organizations to use products that are not only proven interoperable, but that have also been independently verified to meet a minimum level of functionality in terms of matching performance, data security, and liveness detection, Benini says.
With the imminent finalization of PSD2, strong customer authentication will soon be required for payments in the European Union. FIDO standards are a perfect fit for PSD2 compliance, and will further drive the adoption of authentication frameworks like Knomi. At the same time, demand for stronger server-side authentication is growing in some geographies and verticals.
Getting down to getting rid of passwords
Aware recently demonstrated Knomi in the FIDO pavilion at Money20/20 and at the Gartner IAM Summit, where many potential customers had their first opportunity to see it in action, and learn about how they can leverage its flexibility to meet their particular requirements.
“The folks we talk to about mobile authentication are diverse, but tend to have a few things in common: they really want to give their customers a password-free experience, and their challenges in doing so are unique in some way,” Benini says. “Knomi follows the model of our other products by providing biometric algorithms that can take the shape of the problem they’re needed to solve. We don’t try to tell customers how they should do authentication, but rather help them to best fit biometrics into their infrastructure and workflows to address their specific use cases and requirements.”
Aware has had a quarter-century’s worth of successes providing biometrics software that performs reliably at scale, in part by placing maintenance and support among its highest priorities. Knomi is the latest product of that mission, and is sure to help organizations realize the security and convenience of password-free authentication.