Shortcomings of traditional forms of identity verification, such as passwords, have generated a need for alternative identification methods, opening the door for biometric authentication tools. In a recent report, Frost & Sullivan pointed at the "exponential demand" for biometric security, highlighting the impact biometrics are having on the digital identity landscape.
With identity as the new perimeter of online services, businesses are implementing better digital identity solutions to improve the security of their B2C and B2B apps and safeguard valuable customer and employee data. In fact, it was recently reported that the market for digital identity solutions will leap to $30.5 billion by 2024, up from $13.7 billion in 2019. While the optimal solution is to replace passwords with more effective solutions, the reality is that the password is not going away any time soon. Therefore, surrounding them with additional authentication options is key – which is why more organisations are moving towards 2-factor authentication (2FA), multi-factor authentication (MFA) and, with this, biometric solutions.
While identity had long been verified by 'something you know' (such as a password) and increasingly 'something you have' (for example, a FIDO authenticator), biometrics enable security with 'something you are' (such as a fingerprint or facial recognition). On the face of it, authentication using 'something you are' is extremely secure, as it's unique to every user and present with the owner of the fingerprint/face at all times.
However, over the past year, concerns around the security of biometrics have hit the headlines, with fears being raised over hackers gaining access to sensitive data and regulators admitting they need more time to work out how to prevent the technology being abused. While these are not altogether unjustified, by focusing on improving the technology and ensuring transparency, compliance and security, trust will inevitably follow.
The current challenges
Recently, biometric authentication methods have been brought under scrutiny for three main reasons: the risk of theft and imitation, the accuracy of biometric data and a general societal feeling of distrust.
- Biometric theft and imitation
For these reasons, it's incredibly important to make sure your service has well considered and modern security and digital identity management measures in place. How you ensure this will depend on your service and supply chain, but aspects such as MFA and delegation workflows will be key.
There is a naturally a heightened concern over the potential theft of biometric data. Fortunately, most biometric solutions never touch actual biometric data, instead they rely on a combination of local (device) processing and hashing to authenticate the user without needing to store or transmit sensitive data. That said, fears that biometric stolen data could be replayed to aid identity theft is a well-discussed topic in the security community, and occasionally we do see bad implementations. One example last year was from the firm Suprema, whose Biostar 2 tool was found to have exposed over a million fingerprints and 'other sensitive data'.
- Accuracy of biometric data
There has been controversy surrounding the accuracy of facial recognition technology. This was highlighted in a study by Joy Buolamwini, of MIT Media Lab, and Timnit Gebru, of Google's Ethical Artificial Intelligence Team. The duo looked at bias in such systems and found that all tested technology was less accurate at recognising women and non-white subjects – showing the most accurate results for white males. To quote the study's website, "all companies perform better on lighter subjects as a whole than on darker subjects as a whole with an 11.8 per cent - 19.2 per cent difference in error rates."
- Societal distrust
A recent case that received widespread attention in the UK was the use of facial recognition at site near King's Cross station in London. The crux of the problem in this case was that Argent, the site developer, had not made visitors aware that facial recognition was being conducted in the area. Of course, such open space involuntary biometrics raise different concerns to voluntary use of biometrics with businesses – but this is a good example of the importance of honesty and transparency from the outset.
Essentially, by clearly providing details about why, how and where a company is collecting and storing facial recognition data, businesses can build trust and assure people that their data is being used in secure way. If organisations are upfront about data collection and storage, users will feel more comfortable opting for biometric authentication across business and consumer applications.
Continual improvement and technological advances
Continuous improvement in the biometrics sector will be key to ensuring optimal security and reliability – and recently there has been some considerable biometrics advancements.
For example, Hitachi recently developed a new finger vein recognition technology, using the unique vein patterns in fingers as a biometric authenticator. With a simple hand gesture to a laptop webcam or (coming soon) a mobile phone camera, the technology enables fast and secure user identification without the requirement of additional hardware. In addition, finger veins are non-replicable and cannot be lost or stolen.
The uptake in vein biometrics is set to boom in the coming years. For instance, it was predicted that the market for vein recognition biometrics is expected to generate $1bn by 2029. This market growth is currently being led by the banking, financial services and insurance industries, spurred on by the willingness of banking customers to use biometrics services. Healthcare deployments are also contributing greatly, with biometrics increasing efficiency across the sector.
By expanding the possibilities of biometrics technologies, service providers are paving the way for an innovative and transparent biometrics sphere.
From a user experience perspective, biometrics have the potential to provide a great user experience when compared to managing endless passwords. And who doesn't want to feel like James Bond opening a door just by looking into a camera? Most modern mobile phones already have facial or fingerprint recognition technology, meaning that app providers can take advantage of this customer experience feature relatively easily.
Challenges will remain as biometrics become increasingly mainstream, but that’s the inevitable case with innovative technologies. With trust, transparency and continual improvement, there is no doubt that biometrics have a bright future in the identity space.
Simon Wood, CEO, Ubisecure