Real world authentication: Identity-bound biometrics in action
By Kimberly Biddings, VP of Product, BIO-key International
Authentication for sensitive workplace data and materials has always faced challenges. Organizations need to balance convenience for their employees and security to keep a streamlined workplace running effectively. On top of this, not all workplaces are built alike. From banks needing to authorize high value transactions across multiple workstations to hospitals where medications are kept under lock and key, different industries require flexible and secure authentication methods to protect valuable resources and keep their organizations safe.
Traditional multi-factor authentication (MFA) relies on a variety of methods, each with its own set of challenges, but with Identity-bound Biometrics (IBB) companies are starting to find agile and secure authentication methods with practical uses across industries.
Where traditional MFA methods struggle
While MFA offers a variety of methods for authenticating employees across different actions and platforms, not all of them are convenient or cost-effective. Many rely upon one-time passwords (OTPs) that are sent to a smartphone. However, there are many environments in which using a smartphone is just not possible, or can even be dangerous. To overcome this difficulty, a couple of different methods have been introduced. Hardware tokens are one option: a physical piece of equipment that a person carries around to gain access to their equipment. But how can an organization be sure who used the hardware token? Physical tokens can be lost, handed off, or forgotten. What is being authenticated is not the identity of the user, but rather the presence of a token that the organization believes to be in a single person’s possession. This act of faith on the organization’s part is huge, considering the implications in high-stakes environments. It’s also inconvenient for users, who must keep track of and carry around a token, resulting in a system fraught with potential flaws.
Biometrics are an excellent addition to complete any MFA strategy, as they can be fast and convenient for the user and build trust for an organization that can be certain of the identity of a person accessing a system by confirming something they are: their biometric measurement. Biometrics also offer tremendous security and convenience benefits, as they can’t be lost, stolen, or forgotten. However, not all biometrics are created equal. Device-native biometrics are a method by which a user’s biometric data is enrolled and stored on each device they use, and the device is ultimately what is being authenticated to the organization or relying party. Take Apple Touch ID, for example, where a fingerprint is enrolled on a phone, and then that phone is authenticated when accessing an organization’s system. But what happens when someone other than the intended user is able to enroll their own fingerprint on the device? The organization has no control over the enrollment and no way of distinguishing between the device and the user.
Identity-bound biometric (IBB) methods avoid this problem. Used for authentication and identification, IBB centrally stores biometric data in an irreversible way that cannot be stolen or re-used, to create a unique biometric identity that’s used to verify the person taking action across locations and devices. To get a better idea of how this flexibility benefits both organizations and users, let’s look at a few real-world examples.
The traveling investment advisor
Many banks have traveling investment consultants who work at multiple locations in a region, providing high-quality investment advice directly to customers. To do their job effectively, the consultant needs to quickly access new systems in each location, while the organization needs to trust that only the consultant has access to client banking information and accounts. By deploying Identity-Bound Biometrics with fingerprint scanners at each desktop and shared workstation, the consultant can travel to different branches, even ones they have never been to before, and have the same easy authentication experience of simply scanning their fingerprint. The bank can easily audit the locations where the consultant logs in and have confidence that only the authorized consultant is gaining access to customer data.
Let’s look into another place where this technology has been applied successfully.
Clinicians dispensing controlled substances
To secure controlled substances, such as morphine and other pain medication, hospitals long ago moved these drugs to locked cabinets. The original approach to restricting and securing access to these cabinets was to provide clinicians with keys and ask them to document who opened the cabinet and for which patient. Unfortunately, in many hospitals the predictable happened: clinicians with keys would open the cabinet without signing their name, either maliciously or because they were in a hurry. This meant that if medication went missing, the hospital had no recourse for figuring out who was responsible. Traditional keys face many of the same challenges as other authentication methods that rely on something you have, such as proximity badges and hardware tokens: they can be stolen, lost, or shared, and ultimately don’t identify the presence of an authorized person.
With Identity-Bound Biometrics, doctors and nurses don’t need to carry around a key, badge, or token. With the touch of a finger to the scanner on the cabinet, they can gain access and the organization can know who they are. From there, the electronic lock on the cabinet can require information like dosage and patient name before opening. As clinicians look to best care for their patients and hospitals look to comply with regulations, everyone can rest assured that only authorized users have access to the cabinet, that it’s easy to get medications quickly for patients, and that there is a full audit trail should a discrepancy arise. This builds trust across the hospital and creates a secure environment for doctors to achieve the best possible patient outcomes.
Fitness center — Making it easier to get your sweat on
It isn’t just employers and employees that benefit from IBB, either. Its convenience is perfect for customers as well. For example, when a person enrolls at a large chain of gyms, they are commonly given a fob or membership card to enter the building. As previously discussed, these can be lost, stolen, or washed with your gym clothes, resulting in less convenience for the customer and greater overhead for the gym, which has to produce cards or fobs both initially and as replacements. Furthermore, these gyms often have many locations and commonly multiple entrances. So, while biometrics solve the problem of lost keys, only IBB allows a client to enroll their biometric measurement, such as their fingerprint, once at the gym when they sign up, and then simply scan their finger to gain access to any of that gym’s locations.
IBB harnesses the security and convenience of using biometrics coupled with the flexibility and agility of centralized enrollment. From a gym to a bank to a hospital, IBB provides these benefits across industries and use cases. No matter the situation, it should be a key component of any complete MFA strategy.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.