The biometric trust
This is a guest post by Robert Capps, VP and authentication strategist at NuData Security, a Mastercard company.
During the first three months of 2019 alone, more than 1.9 billion records were exposed during data breaches. More than 14 billion records have been exposed or stolen since 2013 – more data records than people living on earth. This data includes user names, passwords, full legal names, phone numbers, addresses and even credit card information, credit ratings, and more. In short: today fraudsters have all the data elements they need to impersonate most consumers at their fingertips.
It is a state of affairs that is affecting large governments and individual consumers alike and is shaking everyone’s confidence in the business of online commerce and finance. The race is on to create a whole new authentication system that everyone can have confidence in, but the how and the what, along with the policies and standards required to govern such an authentication paradigm, are still largely up for debate. The market is now deep into innovation and is coming up with a variety of solutions, from physical biometrics, including fingerprints and facial recognition, to passive biometrics that can identify a person by how hard they type, how fast they swipe and hundreds of other device, location, and behavioral identifiers.
A recent report from Paysafe shows that, despite the tidal wave of evidence, consumers still trust passwords over biometrics. The fact is, however, that biometrics are much safer than passwords. Many consumers don’t trust biometrics for security because they lack an understanding of how exposed their passwords are and how much more effective their biometric identifiers are. Users can’t be blamed for their skepticism, though, as most companies are not clearly explaining how the data gathered is used and stored. But the industry’s move towards biometrics in the name of security and safety is a fact.
Biometrics in the offline world
Airports and sporting events are just two examples of settings where facial recognition, fingerprint, or retinal scans are being implemented to process streams of people moving through checkpoints or hallways. For airports, sporting events and brick-and-mortar stores, facial recognition is a convenient way to move people through at a faster pace, but at the same time, some municipalities are now banning the large-scale deployment of facial recognition in public to prevent abuse. Transparency about the process, how data is stored, and what it is used for will help people understand and make better decisions.
There is currently no universal disclosure laid out or enforced to tell consumers how, when and why their biometric data is collected, processed, analyzed and shared with third parties. Many feel they lose control of what happens to their biometric data once it’s entered into the world of 1s and 0s. This is not surprising considering that data theft and misuse are rampant.
Your biometrics stay in your device
While many people are leery of the latest authentication technologies, there are some key protections inherent in the new solutions. For example, most physical biometric authentication solutions in the market today store biometric authenticators on the consumer’s own device and do not transmit the data to organizations for central storage and verification. This benefits user privacy, as the consumer’s biometric data never leaves the consumer’s hands. If the merchant has a data breach, the user’s biometric data is not at risk.
To reduce consumer exposure to biometric misuse, the majority of biometric verification technologies use what we could consider templates. Templates are formed by measuring specific pre-determined points of a consumer’s biometric, such as a fingerprint, and storing and verifying only those points. These biometric templates can’t recover or produce a full, high-fidelity copy of the consumer’s original biometric, making them very low risk if they are inadvertently disclosed. To give a loose example, this is like mixing paint from dozens of colors in a can: you can see the resulting color, but you don’t know the exact shades that went into the mix.
Physical biometrics form an important safety net to verify that the correct human is present and authorizing a specific interaction or transaction. However, these physical biometric verification steps are still an interruption to the consumer experience. There is another type of biometrics that is inherent to the user’s behavior: passive biometrics. This type gathers users’ behavioral data (how they type, for instance) and melds all that information into one identifier. This way, companies can passively verify users behind the scenes and only ask for a physical biometric authentication when they detect risk.
Passive biometrics as an additional layer of security allow companies to verify users behind the scenes and to ask for additional authentication only if they are in doubt. Online behavior cannot be replicated by cybercriminals, making it inherently safe for consumers. The hundreds of human characteristics used to identify one individual make this authentication resilient to attackers.
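As an added illustration (not code from the original post or from NuData), here is a minimal version of the step-up pattern described above: the enrolled template keeps only summary statistics of a user's typing rhythm rather than the raw keystroke log, and a physical biometric is requested only when a session's behavior deviates from that template. The feature set (key dwell and flight times), the thresholds and the sample timings are all assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_EVENTS = 5  # assumption: fewer timing samples than this is too little to judge on


@dataclass(frozen=True)
class BehaviorTemplate:
    """Enrolled passive-biometric template: summary statistics only, never the raw keystroke log."""
    dwell_mean: float
    dwell_std: float
    flight_mean: float
    flight_std: float


def build_template(dwell_ms, flight_ms):
    """Enroll from key hold times (dwell) and inter-key gaps (flight), both in milliseconds.

    The std is floored at 1 ms so a nearly constant enrollment cannot make every
    later login look anomalous (or divide by zero)."""
    return BehaviorTemplate(mean(dwell_ms), max(pstdev(dwell_ms), 1.0),
                            mean(flight_ms), max(pstdev(flight_ms), 1.0))


def deviation_score(template, dwell_ms, flight_ms):
    """Average z-distance of this session's timing means from the template; 0 means identical."""
    dz = abs(mean(dwell_ms) - template.dwell_mean) / template.dwell_std
    fz = abs(mean(flight_ms) - template.flight_mean) / template.flight_std
    return (dz + fz) / 2


def decide(template, dwell_ms, flight_ms, step_up_at=2.0):
    """Return 'allow' (verified silently) or 'step_up' (ask for a physical biometric).

    Too little behavioral data is itself treated as risk (assumed policy)."""
    if len(dwell_ms) < MIN_EVENTS or len(flight_ms) < MIN_EVENTS:
        return "step_up"
    return "allow" if deviation_score(template, dwell_ms, flight_ms) < step_up_at else "step_up"


# Constructed sample timings in ms, not real measurements.
ENROLL_DWELL = [95, 102, 88, 110, 97, 105, 92, 100]
ENROLL_FLIGHT = [180, 210, 195, 170, 205, 188, 199, 176]
TEMPLATE = build_template(ENROLL_DWELL, ENROLL_FLIGHT)

GENUINE_DWELL, GENUINE_FLIGHT = [99, 93, 104, 101, 96], [185, 196, 192, 178, 203]
ANOMALOUS_DWELL, ANOMALOUS_FLIGHT = [60, 55, 70, 58, 63], [320, 350, 310, 340, 330]

if __name__ == "__main__":
    print("genuine  :", decide(TEMPLATE, GENUINE_DWELL, GENUINE_FLIGHT))
    print("anomalous:", decide(TEMPLATE, ANOMALOUS_DWELL, ANOMALOUS_FLIGHT))
```

Note that the template holds four floats and nothing that could be replayed as keystrokes, which is the same property the post attributes to fingerprint templates.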
Transparency as the best tool
The result of the Paysafe report is a call to action for companies to do a better job of explaining how user data is processed and stored and what the risks, if any, are for users who share their biometrics. Informing users of the security processes helps them make better decisions and, hopefully, realize that passwords are what they should actually be worried about.
About the author
Robert Capps is a recognized technologist, thought leader, and advisor with over twenty years of experience in the design, management, and protection of complex information systems – leveraging people, process, and technology to counter cyber risks.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.