Only skin deep: The state of biometric security
Biometrics were supposed to solve the issue of identification once and for all. Are these systems reliable, accurate and secure?
Proving we are who we say we are has been a significant challenge for decades. The use of passwords remains the at core of identification, but using the unique characteristics of our bodies as an alternative method of authentication is growing in popularity, with fingerprints, voice, retinal scans and face recognition all developing in parallel.
The e-passport, for instance, is the most conspicuous use of biometric technology, having been introduced to UK passports in March 2006. If you have a passport from not just the UK but most other countries, it will likely be an e-passport, with a biometric chip inserted in the final page. Over the intervening 14 years, though, this has been joined by many other security services based on a range of biometric identifiers.
Accessing financial services and making payments have been the focus of many biometric technologies in recent years. As payments have increasingly moved to mobile devices, these have accelerated the development of biometric identification systems.
Research by MasterCard and Oxford University’s Department of Computer Sciences found 93% of respondents prefer biometrics to passwords. This isn't surprising, as consumers can have up to 90 online accounts all of which should have separate passwords, which isn’t practical. Commercially, moving away from passwords is also imperative, as the research revealed a third of transactions were abandoned because of forgotten passwords.
Already banks are embracing biometrics with voice and face authentication systems joining fingerprints as the preferred methods to identify their customers when accessing their accounts and making transactions. The current coronavirus crisis has also accelerated the use of biometrics as businesses have scrambled to put in place robust security for mass numbers of remote workers.
The core driver behind all biometric developments is to preserve the user experience, while also providing highly secure authentication. The current use of multi-factor identification processes, often using security codes sent to mobile phones, is not frictionless and can become a barrier between the consumer and business. HSBC, for instance, has pioneered the use of voice ID for telephone banking customers and claims its system has prevented £400 million of telephone fraud taking place.
Using the physical characteristics of our bodies has been the core focus of biometric identification for the past decade, but these are now also being joined by behavioural tracking to add a layer of authentication.
“We are now starting to see some interesting use cases for biometrics, for example, camera software that can recognise you by your walking gait,” Keiron Shepherd, principal security systems engineer at F5, tells IT Pro.
“In the future, imagine a scenario where gait analysis is carried out as you walk up to a building by the security camera, and then your RFID security pass lets you through the door, but only if the ID on the security pass matches the walking gait.”
It's now possible to assess how fast you type on your phone, or how you usually access online services, including your banking and payment activity. Tracking this behaviour could deliver a new and more accurate set of biometric data.
The question arises, however, as to whether consumers would give their consent for this information to the collected and used to create a detailed profile of their behaviour. An apparent reaction to this is the updating of the privacy guidelines from the Biometric Institute.
And guidelines are all that exist, as no universal, comprehensive and interoperable ID systems have been created with or without a biometric component. So far, businesses and organisations have developed their own bespoke platforms based on their authentication needs. Clearly, as artificial intelligence (AI) – in particular, machine learning – with its ability to offer more accurate pattern recognition than a human operative – is part of the future development of biometrics. However, moving too fast into automated systems is a concern of many who oversee and campaign for our privacy.
Is it really you?
As the mobile phone is now ubiquitous, it has become a focus for biometric security applications. We’re increasingly encouraged to make contactless payment where possible in the wake of COVID-19, and smartphones look likely to become the centre for identification and authentication for many people making everyday transactions. Also, over 20 banks across the world are testing contactless payment cards using the established VISA and MasterCard networks with added biometric security. Ensuring these systems can’t be compromised is a core component of more mass use of biometric security systems.
Cybersecurity crisis-planning checklist
Tips for planning and ensuring business continuityDownload now
Since biometric technologies became viable, the ways in which these systems could be beaten or undermined have filled news headlines. The 3D printing of fingerprints or the duplication of faces a la the Mission Impossible films have often been pointed to. While it’s true the issue of false positives has dogged the industry for some time, the biometric systems being deployed today are very difficult to compromise.
It’s not just in-person payments where biometric authentication is becoming more important. With the massive rise in smart speaker ownership – 1-in-5 UK households own one of these devices according to Strategy Analytics – voice has become another focus for biometric security. As more of us shop at home, ordering and paying via voice commands is increasingly popular as it’s frictionless – you can literally order and authenticate yourself in one breath – and is also seeing a big push from banks and retailers.
But there’s a dark cloud on the horizon. The rise of deepfake images and now deepfake synthesised voices is a real and present danger. Last year, an energy company was tricked into making a substantial payment via a phone conversation which was later revealed to be a faked voice of the company’s chief executive. There is still plenty of work to be done to remove this level of potential fraud.
Speaking to IT Pro, Joe Bloemendaal, head of strategy at Mitek, an identity verification provider says: “The rise of deepfake technologies is concerning for biometric security. Bad actors are taking advantage of more sophisticated AI and Big Data to defraud the public. The good news is that the ability to identify deepfakes will only improve with time, as researchers are experimenting with AI to spot even the deepest of fakes using facial recognition and behavioural biometrics.”
A biometric future
What the coronavirus pandemic has thrown into sharp relief are the weaknesses we have in the security systems that protect the most sensitive aspect of our lives. Proving who we are when using digital services is moving through rapid change.
The so-called onboarding process, where a new customer is authenticated, will continue to accelerate the use of digital systems – many of which will have a biometric component. Early adopters in Africa, for instance, have shown how these systems can work. In the West, the biometric market has become fragmented and confusing with many competing systems.
A future saturated in biometric identification, as portrayed in films like Minority Report where retinas can be scanned thousands of times, may not be around the corner, but mass face recognition is in active development. A major issue with these systems is the possible racial bias that can be inherent in these applications.
Research from the National Institute of Standards and Technology that analysed 189 algorithms showed higher inaccuracy rates for African Americans and Asians than with Caucasians. Add to this the possible bias with the AI systems that may be used to analyse these images, the reliability of accurate identification is called into question.
“It’s important to note that not all approaches to implementing biometrics are the same,” explains Andrew Shikiar, executive director of the FIDO Alliance. “The critical differentiator [is] how and where this most sensitive form of data is stored.”
“Breaches such as the one against the Biostar 2 platform last summer have demonstrated the risks associated with mismanagement of user biometrics,” he continues. “While it’s certainly inconvenient and damaging to have one’s password stolen, the impact of a stolen biometric is far worse as they inherently cannot be changed. While every organisation wants to optimise security and convenience, this should never be done at the cost of taking on added liability and risk to one’s brand and reputation.”
There is little doubt that biometrics will play an increasingly important role in security, particularly for making payments and accessing other financial services. Care does need to be taken when building these systems to ensure they are not just robust, but they are also free from bias.
To guide the development and implementation of biometric technologies, the Biometrics Institute has developed its Ethical Principles for Biometrics. This kind of guidance is vital to ensure the technologies in development are applied safely and without discrimination.
Using passwords and passcodes is still mainstream, but the rapid expansion of AI is driving the development of advanced biometric systems. Consumers and businesses alike can see the benefit yet, remain concerned about the collection of yet more data points to further personalise their digital profiles. Convenience is likely to win out, as we move into a post-COVID-19 environment where contactless payments and access to digital service can be achieved with our phones using fingerprint, voice and face biometrics.
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Security best practices for PostgreSQL
Securing data with PostgreSQLDownload now
Transform your MSP business into a money-making machine
Benefits and challenges of a recurring revenue modelDownload now
The care and feeding of cloud
How to support cloud infrastructure post-migrationWatch now