Securing Our Biometrics-Based Future
The last few years have seen an uptick in efforts to use biometrics more widely in authentication, most notably driven by the consumerization effect of Apple introducing Touch ID and Face ID. But the (strong) nudge that was needed to push it over the edge may have just arrived. Mastercard just announced that all issuers of Mastercard-branded cards would be required to offer biometric authentication for remote transactions and for contactless transactions made at terminals using mobile devices by April 2019. Many retailers already offer contactless as a payment method, some via kiosk systems, others via chip-and-PIN devices. In explaining the motive behind the move, Mastercard cited:
- The EU’s new regulatory requirements for strong authentication
- 92% of banking professionals want to introduce biometric ID
- 93% of consumers would prefer biometric security to passwords
- Abandonment rates in purchase processes can drop by up to 70% when biometrics are used, compared to other 2FA mechanisms like SMS-based OTP.
Can’t argue with that data. The decision for anyone to start the move towards biometrics is pretty much a no-brainer. Once companies have decided to make the leap to biometric authentication, the possibilities will only start to increase. They could, for example, start looking into behavioral biometrics to further secure biometric authentication: learning how users unlock and lock their devices and requiring the same pattern of verification for future sign-ins and unlocks. The real question is whether there is a trade-off being made here.
The Dark Side of Biometrics
A while back, I was engaged in a debate over whether or not biometrics really is an authentication factor. After all, biometrics (fingerprints, voice, face) are inherently public, unlike a password, which is meant to be a secret. And as the use of biometrics gets pushed more widely, an interesting dilemma crops up. This was discussed quite a bit when Touch ID showed up, but became a raging debate when Face ID first hit the market: the question of how accurate it is. There was a whole lot of discussion that Apple was downgrading the accuracy of the facial recognition to avoid higher-than-acceptable failure rates. Making a person retry a few times was OK when the biometric was being used once or twice a day as part of a high-security scenario (entering a secure facility, for instance). But when a person is using it tens or even hundreds of times a day, the expectation is that it will work flawlessly each time. The key here, as it always was, is recognizing that convenience is king. The process must be easy and smooth, or else it will not be accepted by consumers.
In parallel, the arms race between biometric security vendors and the bad actors developing better tools to defeat those biometric protections is escalating. Voice print theft is becoming commonplace, aimed at defeating voice recognition using increasingly sophisticated speech synthesizers. Liveness detection for facial recognition is going to have to overcome attacks that leverage ever-improving photo and video manipulation. We’re well beyond the days of gummy bear attacks.
And all this before I even bring up the privacy implications of biometrics.
No wonder that when we talk to organizations, a big concern they have with biometrics is how to use it as part of their security model. A lot of banks jumped on the Touch ID bandwagon because of overwhelming demand from their customers. But because of the security concerns, they stopped short of allowing meaningful transactions (like wire transfers or stock trades) in apps that had only Touch ID authentication. Some wouldn’t allow it at all, others combined Touch ID with a second factor like OTPs or PINs, while still others added some form of step-up authentication into the flow. Now add in the myriad of Android handsets out there on which the security team doesn’t want to support biometrics because they don’t feel assured of their accuracy or reliability. This isn’t exactly what consumers were asking for. Biometric services should be subject to rigorous biometrics testing and assurance tests if they’re to be targeted at consumers for everyday use, to ensure accuracy, but also the security one needs for their private data and information.
So, while the Mastercard announcement is good news for the adoption of biometrics, there is still much to do. I also view it as an opportunity for us in the identity and security industry to do the work that not only kills off passwords, but gets rid of the term “strong authentication” as well. Because all authentication should be strong. And that means looking at how biometrics are incorporated into a broader authentication paradigm.
Making Biometric Authentication Better With REL-ID
At Uniken, our mission has been to create a security platform that helps organizations avoid having to choose between security and usability. That puts us squarely in position to help organizations tackle the challenge coming from requirements such as this Mastercard directive. Our REL-ID platform combines biometric authentication (of any type) with cryptographic elements bound to the app and device. The result is what we call Invisible Multifactor Authentication – an authentication flow that combines multiple authentication factors while completely hiding that complexity from the person using the system. All the security of MFA with none of the inconvenience.
The result is also an upgrade to the security of the biometric itself. That’s because even if a bad actor is able to fake someone’s biometrics, they’d have to use it on the exact mobile device that the biometric is linked to. And they won’t be able to break in even if they somehow manage to fake the device fingerprint, because they would also need the REL-ID half-key that was silently deployed to that device during the initialization process – a factor that cannot be phished, extracted or replicated. That combination of factors significantly reduces the attack surface, dramatically improving security without impacting the convenience people are demanding.
In other words, the experience your customer sees is a simple presentation of their biometric (fingerprint, selfie, etc.). But the security they, and your organization, get is the equivalent of Biometric + Certificate + Hardware Token. It’s everything you’re looking for and more. Plus, it helps your system become fully compliant with directives like GDPR and the strong authentication requirements of the EU and the NYDFS (among others).
There are other solutions in the market that could help bolster your biometrics story. But REL-ID’s addition of endpoint threat detection and a secure channel, both inextricably tied to our Invisible Multifactor Authentication, creates a blanket of security for your customers that is simply unmatched. Contact us if you’d like to hear more about how we could help you bolster your security efforts and meet the needs of your customers.