Achieve Assured Authentication
There is no question that better methods of authentication are needed
- By Phil Scarfo
- Nov 01, 2013
Biometrics has a central role to play in today’s authentication solutions,
so it is important to revisit and review the many myths and
misperceptions associated with this technology. Many vulnerabilities
have been addressed, and technologies will continue to improve
as biometrics move from only being a forensic tool to becoming a
compelling, mainstream solution, while service providers begin to appreciate and
fully understand that both user convenience and security really matter.
Questioning assured authentication and biometrics
- Is assured authentication even possible?
- Is security the main driver for authentication?
- Must security be at the expense of user convenience?
- Are we finally at a tipping point for biometrics adoption?
- Is biometrics the most effective means of assured authentication?
There is no question that better methods of authentication are needed today;
however, it is not necessary to trade off security for convenience. There is definitely
a role for biometrics, the one authentication factor that can reliably answer the
question, “who?”
Why biometrics?
The general concept of biometric technology is not new, but the automated matching
of identities is a recent notion, arriving as modern biometrics technology has progressed
from a forensics focus to one of validating user identities in the digital world.
Over the past few decades, many attempts have been made to make biometric authentication
mainstream, but, until recently, these have been met with numerous
complications, such as less-than-perfect performance and poor reliability.
Over time, many issues have been worked through with better system design
and modern sensor technology. Multispectral fingerprint sensors, for example,
have raised the bar for biometric performance, demonstrating reliability in everyday
conditions that previously challenged conventional technologies.
Mainstream markets remain skittish about legacy issues, preferring instead to
extend familiar, yet outdated, authentication methods, such as user IDs and passwords,
to the breaking point. They do so at their own peril, because with the rapid
increase in cybercrimes and identity theft, there is a pressing need for a better form
of authentication than a password/user ID pair.
Even those who are skeptical about a wholesale switch to biometrics, however,
acknowledge that adding an automated biometric identity check to another factor being used will greatly enhance security. Their skepticism
isn’t entirely misplaced; no single factor will ever
provide perfect authentication. But biometrics is the
one factor that can transform a multi-factor solution
into assured authentication.
Biometrics is the only form of personal identification
that, by definition, focuses on the individual and
answers the question of “who” with a high degree of
certainty. As such, it is an essential factor in modern-day
authentication solutions.
Assured authentication
So, how does one assure authentication in this digital
age? It begins by accepting the reality that no single
form of authentication alone provides 100 percent accuracy.
Even a biometric like DNA matching is not
perfect, but statistical error rates are substantially
reduced when multiple forms of authentication are
employed.
The use of biometrics as an additional tool, or second
factor, greatly enhances the ability to get closer
to 100 percent in the continuum to assured authentication.
The reason for selecting biometrics as one of
the two factors is clear. Knowing “who” is the goal
of assured authentication, and biometrics is the only
form of authentication that is solely focused on the
identification of the individual.
Multi-factor authentication with a biometric enables
new applications, or self-service offerings, that
otherwise would not be practical, as the provider
could be exposed to unacceptable risks. For example,
combining a biometric match with a barcode on an
ID card or on a smart device enables self-service authentication
at an ATM by bringing transactions to
an acceptable risk level. Combining the ability to read
two authentication factors on the same device, such
as with multispectral imaging technology, enables a
whole new set of applications by simplifying multi-factor
transactions even further.
Another aspect of assured authentication can be
seen in applications that do, in fact, require a true 100
percent level of service, sometimes for reasons that
are less about security risk and more about customer
expectations. Take, for example, automotive applications,
where anything less than 100 percent authentication
is literally a non-starter. Sole reliance on the
use of an automotive biometric is unacceptable, even
as the industry explores biometrics for personalization
and telematics applications in vehicles. To make
these applications viable, there must be an alternative
means of authentication available as a backup to
guarantee user acceptance. This is how assured authentication
is brought to a true 100 percent.
It is important not to lose sight of the fact that
digital biometrics represents an exciting new tool for
a new age. Much like the abandoned typewriter and
White-Out for document production and editing,
there is no longer a need to continue to rely on passwords
for online accounts. Digital biometrics are no
longer in the realm of science fiction; they are now
poised for more widespread adoption. Today’s biometrics
greatly enhance security and convenience as
part of authentication solutions that address complex,
modern risks and requirements.
What about user privacy?
One of the concerns often raised about biometrics is
user privacy. People have the right to privacy, so it’s a
bit ironic that the information so freely and routinely
volunteered about ourselves through social media is a
much greater threat to personal privacy than any biometric.
Because the right to privacy is very important, biometric
best practices do allow for a number of protections
that can, and should, safeguard our identities.
These best practices are easily implemented and represent
an important consideration when choosing a
biometric technology and vendor who understand the
risks and the means to protect people.
For those inclined to dismiss technologies on the
basis of them being either intrusive or exclusive, biometrics
are the most democratic and inclusive of all
means of identification. There are no language,
literacy, gender, race, ethnicity or other human factor
barriers. Little knowledge of how biometrics work is
required for users to enjoy the full benefits. The technology
is simple to use and, arguably, the most inclusive
form of personal identification.
The security/convenience paradox
Security at the expense of convenience is a non-starter
for markets where the user has a choice. Passwords,
PINs, tokens and ID cards are neither particularly secure
nor convenient, but biometrics is uniquely
positioned to provide both security and convenience.
Most systems employing methods, such as PINs
or ID cards, in response to growing threats, have become overly complex, are difficult to understand and
generally block users from doing their jobs. Biometrics,
though, supports workflow by providing security
while non-intrusively enabling people to do their jobs.
Multispectral imaging is an example of a high-performing
biometric that authenticates on the first try,
shaving time and hassle off transactions, and allowing
“security” to recede from the user’s perspective.
In addition, knowing “who,” with some high degree
of certainty, not only protects but enables services or
information to be personalized, or customized, to users’
specific needs, role(s) or access privileges.
With the Internet, authentication needs are decidedly
more complex, and yet technologies that are out-of-date,
inconvenient and ineffective are still relied
upon. So, what would it take to change this?
Users have demonstrated that they will migrate to,
and even pay a premium for, things they want versus
things they need. Convenience is what people want,
and security is arguably only what they need.
Knowing “who” matters
In a digital world, authentication and identification
must be assured and reliable, so the role of biometrics
is significant and should not be overlooked. It really
does matter who we are, both to ourselves and to the
people with whom we have personal and transactional
relationships.
We have long since reached a point where conventional
technologies like passwords, PINs, ID cards or
tokens alone are not sufficient to protect us. Life is
complicated enough already, and having to remember
multiple passwords, complex passphrases and answers
to questions easily found on our Facebook accounts
is simply not convenient.
Biometrics is the only authentication factor that
can answer “who,” and assured authentication, enabled
by a combination of biometrics as a second factor,
is the best way to design and develop solutions
that meet today’s security needs. Education and good
policy will ensure that security, privacy and convenience
will always be preserved, even as technology
advances. Consumer acceptance and appreciation
of this technology, as users begin to realize the full
benefits, will likely enable the widespread adoption of
biometrics.
The threats to our identities are steadily rising. The
cost and sophistication of a viable solution are now
very close to the point where the question is not why
use or deploy biometrics, but rather,
why are we not deploying biometrics?
And, why on earth has it taken so
long for us to get there?
This article originally appeared in the November 2013 issue of Security Today.