New approaches and technologies to fulfill the online security promise of biometrics
Biometrics are often associated with strong security both in the public consciousness and within the industry. Part of the reason for that is the implementation of biometric physical access control systems in highly secure facilities. Part of it is by comparison to passwords as a security mechanism for logical as well as physical access, a standard bearing little weight in truly sensitive applications.
However, biometrics are sometimes even thought of as a security risk in and of themselves, with the irrevocable nature of the harm that could be done if criminals gain access to people’s biometric data cited in a daunting wave of lawsuits under Illinois’ Biometric Information Privacy Act.
Not only are biometrics used in many security applications already, there may be potential for biometric technology to further enhance the security of others, and even to replace legacy technologies, expanding the market, and helping businesses and end-users protect themselves and their digital assets.
Mastercard Executive Vice President of Identity Solutions Product Bob Reany told Biometric Update in an interview that he believes consumer biometric implementations have already had a significant security impact, though he concedes that more could be done. Further, he points out that next-generation interactions continually shift security needs.
Some in the biometrics industry, however, such as IriTech VP of Business Development Tommy Phan and Infinity CEO Alfred Chan, see biometric technology as only scratching the surface of its potential to provide security, particularly for logical access control. Biometrics were used much more for high-security applications than convenience ones prior to the introduction of the iPhone 5S, Precise Biometrics VP of Sales Fredrik Sjöholm points out, often in conjunction with a physical token such as an access card. The convenience-driven focus of early smartphone fingerprint and facial recognition technologies, then, may simply be a temporary aberration in the general industry trend.
Idemia Senior Vice President of Civil Identity for North America Matt Thompson, who previously served as Senior Director of Identity Services for Capital One, says that biometric security measures have, in fact, dramatically improved security for some applications. The weak point, he argues, is knowledge- or secret-based systems, which Thompson notes are still the primary method in the market for remote identity proofing.
“A lot of the existing solutions in the market are outdated,” Thompson states.
There is still a need for improvement though, Sjöholm notes, as digital identification takes on an ever-increasing role in people’s lives.
“With the expanded usage of smartphones to manage our payments, hold our drivers’ licenses, soon also passports and other critical user data, the focus on security has however increased significantly,” he says. “The leading payment networks have been one driving factor, expecting the same security level when using mobile payments or payments through a biometric contactless smart card, as they do on traditional card payments. Government institutions will require stronger authentication standards to allow usage of national IDs in smartphones.”
Sjöholm identifies the strength of the platform, the implementation of the system in a trusted environment such as a secure element, anti-spoofing and liveness, and the management and storage of data as the key determinants of a biometric system’s security robustness.
Innovations and developments which could convince the public and security experts alike that biometrics are ready to secure online identities and logical access could potentially come from one or more of a few different avenues.
Liveness detection and anti-spoofing
Liveness is mentioned by both Reany and Thompson as an area for further improvement to biometric security. Further, liveness detection could solve, or at least mitigate, some of the key concerns with biometric authentication, including the theoretical vulnerability of stored biometric templates.
There are many possible points of failure in the chain of trust, Reany says, and while security tools like key management have worked effectively for years, preventing scaled attacks on networks like those processing payments, there are still challenges for some applications.
“Liveness detection is one of those points,” he states. He is confident, however, that liveness and other aspects of security are improving. “For biometrics implemented on a phone, when I first started playing around with it four or five years ago, the security wasn’t there. But the technology has changed. You have to consider some of the scanners that have only become available in the last few years, systems that use multiple cameras, and Microsoft Hello, and then you have infrared technology which has allowed us to do some new things. So the technology is addressing some of the security issues.”
FaceTec, meanwhile, has launched Liveness.com not only to provide background information on liveness, but also to list which vendors have and have not been certified by iBeta for presentation attack detection (PAD). Aware has published a white paper providing further information on the certification process, and noting the limitations of certain measurements in assessing the true effectiveness of liveness technologies.
The security challenge for biometrics with many new applications is about the different conditions in which they are captured, according to Sjöholm, which has created a relatively new issue for the industry.
“With wider adoption of biometrics for new use cases, including non-supervised presentation of biometrics, protection against spoofed fingerprints and faces will be increasingly important,” he observes.
Phan says IriTech has developed a patented liveness technology based on pupil dilation to bring liveness to secure iris verification. It is working on bringing that technology to its product, along with tolerance of outdoor environments, and expects them to be available soon.
Idemia is focusing its biometric research and development efforts on liveness and building methods to detect and prevent replay attacks, Thompson notes.
“It’s an ongoing thing where we have to continue to invest in R&D to build in advanced capabilities as fraudsters identify attack vectors that defeat our existing process,” he explains. “The process has to constantly evolve. I think this is where behavioral comes in as well, because when you have multiple silent authenticators working in the background it gives you more signals to prevent spoofing or fraud attacks.”
But is the proverbial arms race against biometric spoofs the best or only way to provide robust biometric security for remote logical access control? The question appears to be open.
Iris recognition and cryptography
Infinity claims to have found a way to consistently produce biometric hashes, which could enable very strong user authentication without storing user biometrics.
IriTech has also developed biometric cryptographic technology which allows users to store encryption keys anywhere convenient, Phan explains, because the keys additionally require the user’s iris biometrics to be used and provide no access without that factor. The company does not store biometric data, which eliminates the risk associated with data honey pots.
Honey pots are a big part of the reason Reany declares himself “not a fan” of keeping biometrics and other sensitive identity data in the cloud.
Iris biometrics are often considered more secure but less convenient than most implementations of face and fingerprint recognition, but Phan points out that not all iris recognition is the same, and some relies on the peri-ocular area, which he says is “similar to facial recognition. It’s not 100 percent iris recognition.” Phan identifies this as an example of convenience-focused biometrics.
“It’s meant for 1:1 matching, so it’s not very secure,” he says. “The application is not really iris security.”
Chan likewise sees the intended use of consumer biometrics, including smartphone fingerprint sensors, as inadequate to high-security applications, and is pitching Infinity’s Quantum Crypt, which he says can generate a ‘true biometric hash’ as the way of the future for biometric security.
Until an application is successfully implemented, however, there will be skepticism within the industry that biometric cryptography is truly viable. Chan admits similar claims have been made in the past, but with little to show in the way of success stories. He says Infinity is prepared to overcome this skepticism, however.
“We were able to clearly demonstrate the process of a stable and repeatable bio-code generation,” Chan states. “There were no hidden paths through the process of enrollment and verifications. This is done live with existing biometric devices provided by our partners.”
He says the company achieved biometric hashing with a stable code by using a fundamentally different approach. Infinity “split the extraction of biometric scan information to provide two codes instead of one,” Chan explains. A public code indicates where to find the measurable biometric features sought. “The second code is the private biometric code issued from binarization of these features measurable on a stable base.”
IriTech is providing its technology for highly secure biometrics to existing cryptocurrency wallets on the market.
Phan says cryptocurrency wallets and then exchanges are the first and second markets for the technology, but also sees voting as a major potential use case. IriTech has already done some exploratory research on voting applications with a partner.
The Indian market, with its scale, offers the potential to disrupt the industry by lowering the price of new technology. The government has tested IriTech iris scanners, Phan says, and he has also heard that the government is trying to encourage native iris recognition as a standard smartphone feature in the future.
“The government is now looking for integrated devices,” he says. “They want the camera inside a phone, and that’s why they tested our solution. We are discussing a first manufacturing batch of about 250,000 devices.”
That is important, Phan argues, because the technology’s availability will open up new applications.
“I think that’s the first step for developers to be able to utilize that iris camera to develop their own applications for banking, payments, and more with iris security, not just to log into the phone.” In the meantime, the price and availability of quality sensors are the main barrier.
Thompson also says that what he characterizes as “early-stage biometric authentication methods” still seem to have a consumer comfort level gap to bridge. Both he and Reany decline to comment on specific technologies, but acknowledge that with digital security’s constant evolution, their companies keep tabs on new technologies in development.
System architecture and standards
Where they both see consumer biometrics solutions offering enhanced security over some of the popular initial deployments is in system architecture. Keeping sensitive personal data distributed across individual devices, rather than pooled centrally, is on its own enough to bring an enhanced level of security to local biometric solutions, Reany argues, whether they are biometric payment cards or smartphone implementations.
“I can’t claim that the security is perfect, I’m just saying it’s a really bad business model to attack individual devices,” he says.
According to Phan, IriTech’s biometric hashing goes a step beyond that, making a user’s keys dependent on his or her iris biometrics.
“They don’t even need to keep it secret,” he says. “Hackers who somehow get into their email to get their key out, they still cannot repeat the original seed data without the live iris of the real owner.”
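To make the two-code idea Chan describes above (a public code locating stable features, a private code binarized from them) and Phan’s claim that a stored key is useless without the live iris concrete, here is an added toy model written for this article; it is an assumption of this example, not Infinity’s or IriTech’s actual algorithm, and the feature vectors, threshold and margin are constructed.

```python
import hashlib
import random

# Toy model (an assumption of this example, not a vendor algorithm): a
# biometric sample is a vector of real-valued feature measurements.
# Enrollment keeps only features far from the binarisation threshold (the
# "stable base"), stores their positions as the PUBLIC code, binarises their
# values into the PRIVATE code, hashes that into a key, and discards both
# the sample and the private code.

THRESHOLD = 0.0
MARGIN = 0.25  # a feature is "stable" only if it sits at least this far from THRESHOLD


def binarize(sample, public_code):
    """Turn the selected feature values into a bit string (the private code)."""
    return "".join("1" if sample[i] > THRESHOLD else "0" for i in public_code)


def derive_key(private_code):
    """Only the hash of the private code is ever used as key material."""
    return hashlib.sha256(private_code.encode()).hexdigest()


def enroll(sample, margin=MARGIN):
    """Return (public_code, key); the public code reveals positions, not values."""
    public_code = [i for i, v in enumerate(sample) if abs(v - THRESHOLD) >= margin]
    return public_code, derive_key(binarize(sample, public_code))


def verify(live_sample, public_code):
    """Recompute the key from a fresh live capture plus the stored public code."""
    return derive_key(binarize(live_sample, public_code))


def demo():
    rng = random.Random(1)
    enrolled = [rng.uniform(-1.0, 1.0) for _ in range(64)]  # constructed sample
    public_code, key = enroll(enrolled)
    # Genuine re-capture: each feature drifts by 0.1 (< MARGIN), no stable bit flips.
    genuine = [v + 0.1 * (-1) ** i for i, v in enumerate(enrolled)]
    # Impostor: mirrored values flip every stable bit, so the key differs.
    impostor = [-v for v in enrolled]
    # One stable feature pushed across the threshold: with no error correction a
    # single flipped bit already produces a different key (a false reject).
    drifted = list(enrolled)
    drifted[public_code[0]] = -drifted[public_code[0]]
    return {
        "stable_features": len(public_code),
        "genuine_matches": verify(genuine, public_code) == key,
        "impostor_matches": verify(impostor, public_code) == key,
        "single_flip_matches": verify(drifted, public_code) == key,
    }
```

The single-flip case shows why the "stable base" matters: anything that cannot be reproduced bit-for-bit from a live capture must be handled by the margin or by error correction, which is exactly where the FAR/FRR measurement Chan mentions comes in.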
Thompson sees architecture as an important aspect of ensuring robust security, but argues that his work with Idemia on mobile driver’s licenses enables individuals to leverage the most authoritative system of record, which already holds facial biometric data for nearly every adult in the U.S. Where he agrees with Reany is on the importance of user control.
“Putting the access in control of the citizen, and using their biometrics with their consent, but doing it in a way that you’re not replicating or retaining the biometric template when a citizen is requesting to have their identity verified,” he says.
When asked if innovative architecture is how small, relatively inexpensive fingerprint sensors can provide sufficient security to back payment cards, Sjöholm assents, but only to a degree.
“Architecture is one key component, the software algorithms capturing and processing the fingerprint images must be developed according to security standards, but also run in a secure hardware environment,” he explains. “At the same time the biometric templates must be stored securely and not be accessible to external attack.
“The software algorithms must also be able to capture a sufficient volume of unique data points when analyzing the fingerprint to guarantee a high level of security.” This is a particular strength of Precise, according to Sjöholm.
Evaluating claims, whether for architecture or algorithms, old technology or new, requires testing and standards. In that area, there is some consensus.
“Better standards would really help,” Reany says. “I think it’s happening, but it’s lagging innovation.”
Mastercard is also one among several large companies that are investing significantly in self-sovereign identity (SSI), which if applied as a system architecture for biometrics would eliminate vast databases of sensitive data while returning control to users.
For something like biometric hash technology, testing to some kind of standard may be necessary to convince stakeholders it is reliable. Chan says Infinity is working with an organization to define standards and set a framework for testing such technology.
“Existing biometric standards require the measurement of FAR/FRR performances. We are working on the process to be aligned to this.”
Infinity has been engaging with customers since May, according to Chan, performing demonstrations and working to refine the user experience. Bringing the final commercial solution to market in collaboration with partners is the company’s next step.
All stakeholders interviewed by Biometric Update see significant potential for biometrics to enhance the security of logical access control. On the extent to which new technologies are ready, or even necessary, to provide the requisite protection for highly sensitive transactions, there is less of a consensus.
“I believe the tools are here now,” Reany argues, when pressed.
Adoption of existing technologies is the key to enhancing security with biometrics, with additional layers adding more robust protections for sensitive applications, according to Thompson.
“The thing that keeps derailing our efforts is not taking a human-centric enough approach to designing these solutions, and while security is obviously paramount, it needs to be done in a way that takes the human that uses it into consideration,” he contends. “I think that’s been largely lacking in the way we’ve been trying to leverage some of these capabilities like biometric authentication or better advanced identity proofing methods.”
Such technologies will need to be proven in testing, and possibly also real-world implementations to convince the skeptics. If they can provide enhanced liveness, data protection, and biometric accuracy, they must also be able to meet user experience expectations, and be implemented in sound architectures.