Digital ID: Biometrics are the Key to Marrying Security and Convenience

Isabelle Moeller

Only biometrics can unify the age-old opposing forces of user experience and digital security, believes Isabelle Moeller, and when it happens the effect will be remarkable. 

Thanks, in no small part, to the whims of Hollywood, biometrics have now become something of a go-to metaphor for bleeding-edge, bullet-proof security, and it’s easy to see why: iris scanners make for great TV.

The reality of the situation can often be different to that which is portrayed on ‘The Big Screen’, of course, but it’s fair to say that the last five years or so have lifted biometrics out of Tom Cruise’s ‘Mission Impossible’ cinematic world and dropped them into the lives of everyday consumers, where they’re fast assuming a central role in digital identity management.

Popular engagement with voice recognition in telephone banking and with smartphone fingerprint scans is, thankfully, sobering perceptions. Security breaches, while unfortunate, have underlined the fact that biometrics are far from infallible and most certainly are not an ‘overnight solution’ to the world’s digital ID problems.

Neither are they toothless, though. On the contrary, in the right hands biometrics – much like chilli peppers – can be powerful ingredients that give real punch to the security mix. What’s more, in the world of digital identity, and particularly so in the sphere of user authentication, there’s an urgent need to spice things up. The industry faces serious challenges.

Proliferation of digital services

The recent proliferation of digital services and cloud-based platforms, each requiring independent user verification, is making mincemeat of the username and password (UNP) model. Ubiquity compels even the diligent to re-use at least some of their UNP credentials, dramatically increasing the security implications of a hack. Indeed, many of the most popular cloud-based services already automate this practice, enabling users to apply their ‘unique’ UNP to a variety of other accounts (a process known as single sign-on, or social login).

The risk posed by this kind of identity federation is obvious: a hacker needs only to crack one UNP to gain access to all the user’s associated accounts. Various services exist to help mitigate UNP vulnerability (password ‘vaults’ and management applications among them), but few would disagree that these are at best sticking plaster solutions. The days of UNP models are numbered.

Two-factor or multi-factor authentication solutions are far harder to defeat but, compared to UNPs, adoption rates remain low, largely because the multi-factor approach fails to deliver a smooth and convenient user experience. Physical authentication tokens, often used in e-banking, are easily lost or stolen, but more importantly the authentication process itself is laborious. Typically, receipt or generation of a random key or number sequence occurs on one device (a smartphone), which must be combined in some way with another unique piece of information known only to the user, before being entered into a second device (laptop, tablet or PC, etc).

Replacing all UNPs with this multi-step model is no solution at all. Today, we log in to so many different platforms that interruption and end user frustration would dominate the digital experience.

Future of digital identity

Enter biometrics. There’s little doubt that the future of digital identity lies in using multiple factors to verify a user’s authenticity. The key difference will be that one or more of those factors will be delivered biometrically, enabling the authentication process to be vastly simplified and greatly accelerated.

Apple’s Touch ID is an excellent example of how a biometric can make an authentication process both fast and convenient as well as secure. Indeed, with biometrics ‘in play’, a digital world in which the authentication process disappears entirely from the user’s experience could be right around the corner.

When appropriately deployed, behavioural biometrics such as typing styles, app navigation habits or the pressure applied to touchscreens leave a data trail almost as distinctive as a fingerprint or face. The identifying power of these behavioural factors can be harnessed by multi-factor authentication solutions and, when combined with conventional biometric data, used to continually and automatically confirm and reconfirm the user’s identity without interrupting their user experience with off-putting ID challenges.

Adaptive and risk-based authentication solutions are also gathering momentum. These solutions monitor the user’s daily journey through their apps, platforms and devices and use this data to ensure an authentication challenge is only issued when the system deems it absolutely necessary according to pre-determined policies set by the issuer.

When these fields are mastered, biometric-powered multi-factor authentication will unify the age-old opposing forces of convenience and security, and a brilliant and incredibly secure end user experience will be established.

More work to be done

Imagine almost never having to be challenged again when logging into a cloud service, a mobile app, a social media platform, a collaborative workspace, an e-mail inbox or a remote VPN… We are not there yet, though. More work needs to be done to identify and increase the reliability of behavioural biometrics.

Capture technologies are still developing and their integration into intelligent solutions must be handled with care if we’re to remain ahead of the hackers. Privacy issues also remain a key concern, as do the storage and sharing of biometric data once it has been captured. This is the space inhabited by The Biometrics Institute’s Digital Services Working Group, which is one of the few places globally where the boundaries of these solutions are being explored in an open, collaborative and commercially neutral forum. Crucially, it encompasses the full spectrum of stakeholders, including academics, vendors, end users and privacy advocates.

The importance of this work cannot be overstated. Collaborative efforts are essential to ensure the true enabling power of biometrics can be realised in the digital space without putting the individual’s biometric data at risk. Cross-industry collaboration at the Institute also accelerates the evolution of these technologies, shortening the lead time before full deployments are possible and end users benefit.

In this instance, this cannot come soon enough. The world of digital services is evolving at a tremendous pace and the threats to personal data security are increasing as a result. Only when biometrics have been successfully integrated will multi-factor authentication solutions be able to deliver the user experience demanded by today’s digital consumer. Mass adoption will then follow and all those who inhabit the digital world will be much safer for it.

Isabelle Moeller MA is Chief Executive of The Biometrics Institute

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
