Biometrics – the ID system of the future

June 13th, 2017, Published in Articles: EE Publishers, Articles: EngineerIT

 

It is speculated that biometrics will become the de facto identification system of the future. We invited industry experts to participate in a virtual panel discussion and share their opinions and views about aspects of various types of biometrics and the maturity of the technology.

Biometrics has been around for some years. Do you believe that the technology is mature enough to replace access cards and pin codes in access control?

Xavier Larduinat, marketing: financial services, Gemalto says that commercial biometric authentication has taken a huge step forward with the launch in 2014 of fingerprint sensors on high end smartphones. In 2017, more than 500-million smartphones will ship with biometric sensors – fingerprint, facial recognition and iris scanners. Biometrics brings comfort and convenience to users for simple day-to-day actions such as unlocking a phone or logging in to mobile apps. Biometrics on smartphones also always have a password fall-back.

John Walton, product manager, Basix Group: “I believe that more companies are implementing the use of biometric systems as it’s becoming increasingly difficult to remember all the different passwords for all your accounts, and with a master password, it will lead to the domino effect once bridged. With biometrics, the security measures are a lot more convenient. But as with any ‘new’ technology, there is still room for improvement. Biometrics (fingerprint, voice or visual) as it is today should be seen as a higher level of security in the authentication process, not as a complete replacement. Biometrics therefore should be used as secondary to pin codes or a combination of the two for the simple reason that if cybercriminals steal biometric data unique to an individual, this can’t be reset in the way a password can.”

Nick Perkins, divisional MD: identity management solutions, Bytes Systems Integration, has a different spin on it: “Biometrics today is a robust, familiar technology to most citizens and an acceptable replacement for cards, as well as tokens, username/password and other authentication methods. The added benefit of a biometric removes the requirement to physically carry a credential or remember one, for access into secure areas or systems, along with the benefit of not having to deal with lost/stolen credentials or re-setting passwords.”

While the other panellists agreed on the above sentiments, Greg Sarrail, VP business development and sales, EMEA, biometrics, HID Global, expands on the views of fellow panellists: “For many of us, over the past four years, biometrics has replaced the pin code used to access our phones. The combination of security and convenience provided by mobile fingerprint biometric systems has changed the perception of the technology. Rather than a technology that was purely used to catch criminals, fingerprint biometrics has proven to be a useful way to prove that an individual is who he or she claims to be with a high level of confidence. Over the years, biometrics has matured and is now able to provide various levels of security based on a user’s risk profile and the required mobility of the system.”

Steven Ratsatsi, CEO: Ayonix Africa added: “Yes; the fact that the technology has been around for long, also means that cyber criminals have caught up and perfected means to hack pin codes and confuse access control systems. In the same way the signature used to be such a big authentication standard in the past, but it was later augmented with the use of the pin code, and now finger biometrics, if you consider what banks are using these days.”

In many access control systems fingerprint technology has replaced the traditional pin or card systems. In some installations the performance is erratic, often because of environmental issues. What are the common issues and how can they be overcome?

Greg Sarrail: “Access control systems are dependent on their location and the user population attempting to use the system. The physical location of the system should take into account the position of the sun or other ambient light during various times of the day and of course, weather conditions. Some fingerprint biometric sensors are less affected by physical conditions since they are able to capture information beyond the surface of the skin. If a finger is dry, worn or dirty, as is the case of a mining environment, or if a finger is placed on a sensor in the rain, the fingerprint sensor must still be able to verify the individual’s identity.

Fingerprint sensors that use multispectral imaging to capture fingerprint data will be more reliable. An office environment provides different demands. Access to networks and applications might use fingerprint biometrics to reduce internal fraud. In such a case, it is important to utilise a fingerprint sensor that couples performance with high quality liveness detection. The fingerprint sensor must be able to identify whether a real finger is on the sensor at the time of the verification, or if it is a fake.”

Steven Ratsatsi added another perspective: “Common issues are sometimes with the equipment operation, finger placement, obstructions on the finger itself etc. In my opinion, facial recognition will bring an alternative dimension, which is the closest possible to authentication because we only have one face.”

Banks are considering introducing biometrics at ATMs. According to some reports it will be fingerprint technology. Is that enough or should it be in addition to pin numbers or any other biometrics?

Nick Perkins: “Banks are currently doing more than considering biometrics at the ATM – some banks in South Africa are already in pilot mode. Strengthening the authentication process is absolutely key considering the high incidents of card and PIN based fraud. The introduction of a biometric to assure both the bank and the customer that the account holder is physically present at the point of transaction is a step closer to account security. Biometrics can be introduced as a replacement for PIN, or even in addition to PIN, to provide multiple layers of authentication. Essentially, if the card is present then both a PIN and biometric can further strengthen the authentication process and ultimately will provide the ‘who is transacting’ piece that is currently missing with traditional card and PIN transactions.”

Niel Bester, SVP products, Entersekt entered the discussion at this point: “Fingerprint and PIN together are good. Fingerprint and voice less so. In order to fraudulently use a credential, you need to first be able to ‘lift’ or access it, and then be able reproduce it when challenged. The access part differs for the three types of authentication factors. A knowledge factor is accessed through phishing, data mining or eavesdropping. A possession factor is accessed through theft or some other physical proximity. A biometric factor can be accessed by recording it somewhere, but for that you need to physically access it. Knowledge factors are extremely easy to reproduce. Biometric factors are more difficult, but not impossible. Possession factors are generally very difficult to reproduce. So in combining two or more factors, you are firstly forcing any attacker to possess a discouraging number of skills. Secondly, you are making it as difficult as possible to reproduce credentials when challenged.”

John Walton: “There are currently over 80000 biometrics-enabled ATMs in Japan and approximately 15-million customers using them. In the UK, six of the seven major banks make use of fingerprint authentication through their mobile banking app. Arizona Federal Credit Union and Mountain America have launched an eye-print ID – a software-only solution that verifies customers by using the camera of their smartphone to capture their unique eye pattern, but user data is still protected with a high entropy encryption key. Having multiple, cascaded gatekeepers fortifies security by requiring additional checkpoints. The more different proofs of identity required through separate routes, the more difficult it is for a thief to steal a consumer’s identity. Fingerprint technology may pose problems to some clients, such as people working with chemicals that may damage the print pattern on their finger. In my opinion, these cases can be solved with a backup pin code or facial recognition.”

Steven Ratsatsi: “Indeed; banks are working hard to keep up with ‘criminal innovation’; or should I say criminal syndicates are working twice as hard to keep up with any security/authentication related innovations. Banks should on-board an additional layer of authentication, based on facial recognition to work with existing mechanisms, as opposed to replacing. Facial recognition (FR) technology will provide additional benefits such as 3D face identification and matching, picking up any flagged faces and thereby sending alerts by way of emails and/or pop-up screens to designated authorities. Which means for instance, that an individual spotted in Johannesburg whose face was flagged, can be recognised by the FR technology and his presence detected by an ATM in Durban. So it is not only facial recognition for the sake of recognition; but the matching, big data analytics and communication behind the technology, and most importantly, the ability to alert the designated authorities.”

Xavier Larduinat believes there are security issues that need to be addressed. “One way to deliver this ATM innovative user experience is to use the user’s smartphone fingerprint sensor with the reference data stored within the device that remains in the possession of the customer.”

With cybercrime ever-increasing in sophistication, should more use be made of biometrics to access a laptop, for logging into a bank account etc? Should it be a combination of several biometric systems such as iris scan, voice recognition or one of the many other systems now available?

Greg Sarrail: “Cybercrime has removed geographic barriers; the threat of identity theft and unauthorised access to online systems will only increase until systems are used that truly validate the individual that is attempting to access the application. Only biometrics can provide a reliable proof of identity for an individual. However, not all systems need to know who an individual is, but rather, whether the person is authorised for access. In this instance, a local token or key might suffice to prevent cybercrime. In the future, I predict a combination of biometrics will be used to authenticate a user, behavioural biometrics (how a person types on a keyboard and uses a mouse), combined with facial biometrics and even a device key that was established via a mobile device will be used continuously once an online session is established.”

Nick Perkins: “Biometric modalities are fast finding their place in the digital world – again challenges creep in when the ‘wrong’ biometric modality is used in an environment. Voice biometrics as an example is well positioned for telephonic authentication, while facial recognition is becoming more mainstream in mobile application use cases. Online card transactions are still proving to be an area where most exposure to fraud is happening. The reliance on the likes of Mastercard and Visa to provide biometric authentication options is therefore key. We are also seeing an increase in laptop/desktop biometric logins to secure applications and online platforms as a corporate approach to knowing who is logging into their systems.”

Niel Bester: “Biometrics is ideal for accessing personal devices, because the fingerprint or other biometric data that is used in authentication never leaves that device, and as such is fairly impervious to theft attempts. For logging into a bank account from a mobile device, however, simply increasing the number of biometric elements is not the answer. We suggest using a strong, device-based credential in combination with a strong knowledge factor, which, where risk considerations would allow, could be swapped for a device-based biometric.”

John Walton: “The ongoing cybercrime is a threat to both individuals and corporate companies and banks. In my opinion, banks currently offer good enough security for remote users to log into the accounts, as a hacker would need your cell phone as well as login details to complete the verification process. Biometric fingerprint verification should be done on a local terminal and not sent via the internet to be authenticated, because this creates an opportunity for cybercriminals. Companies implementing laptops and desktops with fingerprint readers should also incorporate either a backup pin code or staff access card to act as a dual security authentication process before logging onto networks. Network administrators should also check the firewalls and insist that users change their passwords on a weekly or monthly rotation basis.”

Under what circumstances would an identification system perform better than a local verification such as checking the information presented with a data base centrally situated, or even the Department of Home Affairs?

Greg Sarrail: “ID verification couples an individual’s biometric information with their name, ID number, or account information. ID verification covers many of the use cases for biometrics as it is faster to verify the identity of an individual than it is to find a match with only the biometric information. ID verification requires a willing participant that has previously enrolled in the system and is merely attempting to prove their claim of identity. ID verification is applicable when an individual needs to open an account, access a system or application or prove eligibility. For physical access control, an identification system is appropriate as the database is small enough to respond quickly. Identification systems should be used when an individual is not willing or able to provide additional information. Examples include forensic applications or medical applications where a patient is unconscious.”

Nick Perkins: “Leveraging a system like Home Affairs National Identification System (HANIS) has major benefits in that you can verify an identity against a secure, clean environment, whereas structuring a standalone system relies heavily on the system’s ability to detect duplicate identities associated with the same set of fingerprints. Ultimately any approach will provide the longer term assurance that duplicate identities will be blocked through biometric duplicate checks, and while HANIS is restricted in terms of access by most of the private sector, the approach to implement a solution that can detect the fraudsters through duplicate checks becomes a very viable alternative to consider.”

Steven Ratsatsi: “This is why we have an identity theft wave that hit clothing and furniture retailers where ID copies, pay-slips, ‘credit bureau’, and employers (proof of employment/HR by telephone) systems are hacked. People end up with debt for clothes and furniture they have never seen in their lives. So what we need, even at Home Affairs level, is acknowledgement that times have changed, and therefore systems need to be updated as well. The Home Affairs database, being the population register database, should be at the centre of such ‘advancement transformation’ that everyone else links to, and needs to be among the most advanced in the world; and should link face recognition with fingerprints and personal identity details.”

Niel Bester: “If the local user verification method is secure and it is combined with strong device identity, we have a very good solution. The challenge is when you need to change the device identity (i.e. when a user gets a new phone), at which point a highly private, local verification system is of minimal value.”

Xavier Larduinat: “Each service provider may have a different strategy to implement strong authentication. Sensitive data such as user credentials and biometrics reference data can be either centralised in a database in the cloud, or dispersed in individually owned devices inside security frameworks. The benefit of a dispersed approach is that it minimises the risk of a global data breach attack.”

Additional comments:

Nick Perkins: “Biometrics are becoming more and more mainstream and familiar to customers and citizens, with the introduction of biometrics by the banks over the past ten plus years, along with government’s reliance on the technology for citizen verification for administering citizen services. Outside of the identity function of these systems, there are major benefits to organisations implementing a biometric solution to speed up their processes, eliminate authentication systems that require a lot of management and interaction with customers/employees with password resets and the like, but ultimately there are more benefits to an organisation than being assured of the identity of the person they are interacting with.”

Niel Bester: “It is important to bear in mind that a biometric credential is generally very hard to replace with a new one once the old one has been compromised. After all, you only have ten fingers, two eyes and one voice.”

Xavier Larduinat: “Discussions on the way to enrol biometrics before the day-to-day use for user authentication are crucial for the adoption of biometrics solutions. Should it be performed by the user on his own on a device he/she owns? Or can it be done at the service provider’s premises on a device provided and owned by the service provider? Biometric information is irrevocable so consumers want to know their service providers make all and best possible efforts to ensure such data breaches will not occur.”

Thank you to the panellists for sharing their views on biometrics. It is an open subject that will require more discussion going forward.

Your comments to engineerit@ee.co.za
