Behavioral and physiological biometrics – a marriage made in heaven
This is a guest post by Zia Hayat, founder and CEO of Callsign.
Ever since Apple introduced the Touch ID fingerprint scanner to the iPhone 5S in September 2013, biometrics as a means of identifying consumers has swiftly moved from the realms of science fiction to science fact. Now, using a person’s physiological attributes as a means of identification is moving beyond the fingerprint: Samsung’s Note 7 is capable of iris scanning, and users of Apple’s iPhone X are now able to open their phone with merely a glance. But following recent data breaches and a landmark court case in Illinois, physiological biometrics find themselves on the back foot, with behavioral biometrics now offering a more robust and secure alternative.
Traditional physiological biometrics aim to replace “things that you know” – passwords, PINs, memorable information, etc. – with “things that you are”. This can include everything from fingerprints, faces and iris scans, to other more bizarre identifiers, including the shape of a person’s ear or a scan of the veins in their hand. While these systems may appear to have answered the question of “how” to secure a user’s identity in this digital age, there are many highly public instances showing they can be cumbersome to use and not as secure as we’d expect. Apple’s Face ID was hacked (albeit with a lot of effort) just a week after launch. Iris scans don’t tend to work well in sunlight. And have you ever tried opening your phone using a fingerprint scan after a day gardening or a sweaty gym session?
High-profile breaches and other eye-opening blunders also have consumers looking for more control over their personal information. New regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 are putting the industry on notice as to how businesses harness, leverage and store personal data. The trouble with physiological biometrics is their reliance on the user’s willingness to share highly sensitive personal information (e.g. thumbprint, iris scan, face, etc.) without guarantees on how it will be stored or whether it will be shared with third parties.
Apple says fingerprint information is stored locally in a secure enclave on the Apple A7 and later chips, not in the cloud — a design choice intended to make it very difficult for anyone to extract the fingerprint information from the device. However, lower-end devices may not take the same care, putting this sensitive data at risk.
A worker in Illinois has also taken legal action against her employer for violating the state’s biometric privacy laws with a fingerprint-scanning time clock system. The complaint alleges that the clock-in system provided by Smith Senior Living – a fingerprint scanning system from Kronos – collected, transmitted, and stored her prints without prior permission, a violation of the state’s Biometric Information Privacy Act (BIPA). Although the state has some of the strictest biometric laws in the country, it’s clear that citizens are increasingly cautious when sharing their unique identification markers.
Despite these concerns, physiological biometrics are still crucial to the future of identification and authentication, due to their unique nature. But instead of relying on a one-size-fits-all solution, we need to consider a layered approach to identification, which harnesses the power of both physiological and behavioral biometrics to create a secure and user-friendly online experience, whilst also addressing users’ concerns and potential security flaws.
Advances in Artificial Intelligence and Machine Learning have put us on a path towards a more intelligence-driven identification process, which sees a user’s behavior when interacting with a device used as a means of authentication by using key data points and markers. These include location, which identifies whether the user is logging in from a known location — be that their home, their office, or even their journey to and from work. The device used to make a login request is also a key marker in the authentication process.
Technological advances now mean the behavior of the user can also be used as a means of identification by learning and processing a multitude of different data points – from the way a user swipes their phone to their individual keystrokes – without having to track, record and store copious amounts of consumer data. Soon we’ll see more processing done at the local or device level, where a much smaller (and more anonymous) sample of behavioral traits can be extrapolated with high accuracy. As no two people use a mobile or desktop device in the same way, it is almost impossible for someone to impersonate another user, even if they can meet the location and device requirements. The behavioral biometrics journey creates a way to develop a usable risk profile and a more trustworthy identification process, with the ability to detect anomalies so that bot and replay attacks can be spotted easily. Using this much more amenable approach to biometrics also means that users can opt out of sharing highly personal information and data, insulating both the user and the enterprise against the risks posed by data breaches.
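The layered approach sketched in the two paragraphs above, as an added illustration that is not Callsign’s product code: each login attempt is scored against a user’s profile on three layers (known device, known location, keystroke rhythm), with an identical timing vector treated as a replay and machine-regular timing treated as a bot. The profile, thresholds, weights and login attempts are all constructed sample data.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class Profile:
    known_devices: set
    known_locations: set
    hold_means: list      # enrolled mean key-hold time (ms) per keystroke
    hold_stdevs: list     # enrolled spread per keystroke
    seen_timings: set = field(default_factory=set)  # exact vectors already accepted

@dataclass
class Attempt:
    device_id: str
    location: str
    hold_times: list      # key-hold times (ms) captured while typing the credential

def rhythm_distance(profile, hold_times):
    """Mean absolute z-score of the attempt's rhythm against the enrolled baseline."""
    return mean(abs(t - m) / (s or 1.0)
                for t, m, s in zip(hold_times, profile.hold_means, profile.hold_stdevs))

def score_attempt(profile, attempt):
    """Layered risk score in [0, 1] plus the reasons that raised it (weights are assumed)."""
    risk, reasons = 0.0, []
    if attempt.device_id not in profile.known_devices:
        risk, reasons = risk + 0.3, reasons + ["unknown device"]
    if attempt.location not in profile.known_locations:
        risk, reasons = risk + 0.2, reasons + ["unknown location"]
    if tuple(attempt.hold_times) in profile.seen_timings:
        return 1.0, reasons + ["replay: timing vector identical to an earlier login"]
    if pstdev(attempt.hold_times) < 1.0:
        return 1.0, reasons + ["bot: machine-regular keystroke timing"]
    z = rhythm_distance(profile, attempt.hold_times)
    if z > 2.0:
        risk, reasons = risk + 0.7, reasons + [f"rhythm off baseline (z={z:.1f})"]
    return min(risk, 1.0), reasons

def decide(risk):
    return "deny" if risk >= 0.7 else "step-up" if risk >= 0.3 else "allow"

def make_profile():  # constructed enrolment data for one user
    return Profile({"dev-A"}, {"home", "office"}, [100, 120, 90, 110, 130], [10, 12, 9, 11, 13])

def run_demo():
    """Score constructed login attempts against one user's profile; returns decisions."""
    p, out = make_profile(), {}
    genuine = Attempt("dev-A", "home", [104, 115, 95, 108, 135])
    out["genuine"] = decide(score_attempt(p, genuine)[0])
    p.seen_timings.add(tuple(genuine.hold_times))         # accepted login is remembered
    out["replay"] = decide(score_attempt(p, genuine)[0])  # same vector sent again
    out["new_device"] = decide(score_attempt(p, Attempt("dev-B", "home", [98, 124, 88, 113, 126]))[0])
    out["bot"] = decide(score_attempt(p, Attempt("dev-A", "home", [100] * 5))[0])
    out["imposter"] = decide(score_attempt(p, Attempt("dev-A", "office", [160, 180, 140, 170, 190]))[0])
    return out
```

The imposter case is the page’s point: device and location both match, yet the keystroke layer alone pushes the score to deny, while a merely unfamiliar device only triggers step-up authentication.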
In an increasingly digital world, businesses need to square the circle of strong security and identification processes whilst not inhibiting the user journey. By combining the unique identification markers offered by both physiological and behavioral biometrics, we can create a robust, layered identification process that utilizes the most unique data points and markers possible – the users themselves.
About the author
Zia Hayat is CEO of Callsign, a company which specializes in frictionless identification.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.