Delfigo Security - Strong Authentication

Identity and Authentication Blog

Are Biometrics Having a Moment, or Are We Waking Up to Their Value?

One of the big announcements Apple made this week, alongside its latest iPhone release and its new smart watch, was a mobile payments platform that combines existing Apple features, support from major banks and retailers, and Apple's fingerprint authentication. Is this an indicator that biometrics are finally reaching a place of widespread acceptance?

One of the major roadblocks to universal acceptance and widespread adoption of biometric technologies has traditionally been cost: distributing and maintaining the sensors, and collecting and protecting the data required to perform biometric identification. With built-in software and hardware, Apple has met this challenge head on by integrating biometric authentication into an extremely popular device and baking it into software that performs a critical function. This is a huge step forward for biometric technology on the path to ubiquity.

iPhones aside, where are we, really? "...there is no blanket acceptance of all biometrics – users have a preference for which types are used and how they are used. One study found the most acceptable application of biometrics was for passports (75%) or ID verification (53%) in official contexts, with credit card verification around 56%. Users were most accepting of fingerprint, hand, voice and keystroke/signature recognition (over 90%), with one third considering iris and retina recognition as potentially risky to their health" says this article discussing the rise of biometrics. Increasing awareness of biometric technologies, combined with an increasing collective acknowledgement of the danger of fraud in our everyday lives will push adoption forward.

The key could well be identifying the best possible use cases, where biometric authentication enhances rather than detracts from the user experience. Apple realizes that mobile is one such use case, and that payments is an area where authentication is both required and in need of an overhaul. Biometrics as an elegant solution to a real problem is a significant step forward for the industry and the space. It won't be long before adoption becomes more widespread, with Gartner predicting that 30% or more of users with devices connected to enterprise networks will be using biometric authentication by 2016.


Will Increased Security Make a Difference for Mobile Payments?

"Those with a history in the mobile payments industry know that it has been a slow (and mostly disappointing) journey. But now, reflecting on the current ecosystem forces at play, I believe we find ourselves surrounded by a set of market trends that can finally give mobile payments a viable path to scale" says Alberto Jimenez for TechCrunch. "...Security in payments used to be a hygiene factor, something that you expect but that didn’t create differentiated value. However, after multiple, widely covered sensitive data breaches, security has become a value proposition in itself."

Perhaps users are remaining cautious in the light of well documented, heavily reported breaches of retail environments. Credit card numbers and other sensitive data are captured by bad actors in a number of ways, including phishing, compromising back-end servers, breaching the network, or skimming (copying card data at an ATM or point-of-sale terminal). With so much in the news, so frequently, security is becoming something users are tuned into, and something that could drive adoption of new mobile payment systems.

Says Jimenez: "Industry-wide initiatives, such as tokenization, have the potential to significantly increase the level of security and subsequently the general public perception about payments - specifically the kind initiated on mobile devices."


Are Biometrics the Answer to the Password Problem?

The Huffington Post ran this article this week describing various methods of biometric authentication that could be used to offset the risk associated with the username/password paradigm. Each of the methods described has become a technological reality, if not yet a widely available feature, on the devices users rely on to access secure accounts, communications, and content.

Far from theoretical or deeply technical, this article speaks to the notion that users are finally beginning to understand the scope of the risk associated with username/password and are looking for alternatives. That goes beyond the simple need to comply with corporate requirements, which have traditionally been the driver for adopting stronger passwords and/or second factor authentication.

With biometrics, end user education will be a key ingredient of success since by definition the user is required to leverage something about themselves to achieve the level of security biometric authentication can provide. The widening scope of the discussion around biometrics is a strong indicator that this is occurring.


Google's View of the Future

Last week Google I/O showed us Google's vision for our future.

"Google essentially wants to unify the user experience across all connected devices. That means allowing you to respond to text messages via your watch, order pizza from your TV, control your home from your car, and accomplish it all via a common voice-command interface that remembers your appointments and preferences" says James O'Toole for CNN's Innovation Nation.

Android's ever expanding platform is offering the kind of connectivity that means a user's identity will not just be their device, but a group of devices, all integrated and working with each other to deliver a seamless experience. "It's a shrewd strategy," O'Toole continues. "As Internet-enabled products become more commonplace, we're not going to want to manage a huge variety of accounts. It's more convenient to have a common digital identity that moves with you across devices. The company that provides that single software identity is poised to reap massive rewards."

The notion of a single identity, free of the nuisance of maintaining multiple accounts, is seductive for users even as vulnerabilities continue to be exposed. To protect this broader concept of identity for users, across all of their devices, innovative identity security solutions will need to become part of the vision. These solutions will need to transcend hardware based delivery methods and take a hard look at what a user "is", and what makes them who they are. Biometrics are an obvious choice, as they are driven by the notion of using "something you are" to identify users. Because of this, we will likely see biometrics increase in usage, as they align with the emerging needs related to identity in this vision of the future.


Another Take On Passwords That Are Uniquely "You"

Authentication continues to evolve toward leveraging information about the user, instead of information possessed by the user. "Face Lock" technology is discussed here, and is particularly compelling because successful authentication requires the end user to recognize a face (not a famous person; someone not everyone would recognize) from a group of faces. This is an interesting take on "facial recognition" that is performed by a human (the user) rather than a machine (a computer running facial recognition software). In this model the faces shown can change from one login to the next, and as long as the user can still pick out a face familiar to them, the rate of success stays high.

Bypassing something like this as a fraudster would be a question of pure luck (as long as the faces chosen by the end user are not obvious enough to be socially engineered, for example from their public social media connections), and the technology wouldn't require any special hardware. This is compelling because it relies on the human ability to recognize, instead of the ability of the human to be recognized by technology. Innovative methods like this one are continuing to broaden the discussion around next-gen authentication.
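To make the "pure luck" argument concrete, here is an added example, written for this page and not code from the Face Lock product, that models a recognition-based challenge of the kind described above. The identifiers, grid size, round count and face pool are assumptions chosen for illustration. Each round shows one enrolled face among random decoys, the verifier reveals pass/fail only after all rounds, and `guess_probability` gives the odds an attacker who does not know the user's faces passes by chance.

```python
import random
import secrets
from fractions import Fraction

# Constructed sample enrolment (hypothetical identifiers, not real data):
# five faces that only the legitimate user would recognise.
ENROLLED_FACES = ["F01", "F02", "F03", "F04", "F05"]
# A pool of decoy faces that nobody in this scenario has a connection to.
DECOY_POOL = [f"D{i:02d}" for i in range(1, 41)]

GRID_SIZE = 9   # faces shown per round (assumed)
ROUNDS = 4      # rounds per login attempt (assumed)


def make_challenge(enrolled, decoys, grid_size=GRID_SIZE, rounds=ROUNDS,
                   rng=secrets.SystemRandom()):
    """Build one login challenge: `rounds` grids, each holding exactly one
    enrolled face at a random position among grid_size-1 decoys.
    Returns (grids, expected) where expected[i] is the index of the familiar
    face in grids[i]. A distinct enrolled face and fresh decoys are used per
    round so no face repeats within a challenge."""
    if rounds > len(enrolled):
        raise ValueError("need at least one distinct enrolled face per round")
    if (grid_size - 1) * rounds > len(decoys):
        raise ValueError("decoy pool too small for this many rounds")
    familiar = rng.sample(enrolled, rounds)
    decoy_draw = rng.sample(decoys, (grid_size - 1) * rounds)
    grids, expected = [], []
    for r in range(rounds):
        grid = decoy_draw[r * (grid_size - 1):(r + 1) * (grid_size - 1)]
        pos = rng.randrange(grid_size)
        grid.insert(pos, familiar[r])
        grids.append(grid)
        expected.append(pos)
    return grids, expected


def verify(expected, answers):
    """Accept only if every round is answered correctly. The result is
    computed over all rounds before anything is returned, so a wrong pick in
    round 1 is not revealed early; per-round feedback would let an attacker
    brute-force one grid at a time (rounds*grid tries instead of grid**rounds)."""
    if len(answers) != len(expected):
        return False
    ok = True
    for e, a in zip(expected, answers):
        ok &= (e == a)
    return ok


def guess_probability(grid_size=GRID_SIZE, rounds=ROUNDS):
    """Exact chance that blind guessing passes a single login attempt."""
    return Fraction(1, grid_size) ** rounds


def legitimate_user_answers(grids, enrolled):
    """The enrolled user simply picks the face they recognise in each grid."""
    known = set(enrolled)
    return [next(i for i, f in enumerate(grid) if f in known) for grid in grids]


def random_guess_answers(grids, rng=secrets.SystemRandom()):
    """An attacker with no knowledge of the user's faces picks at random."""
    return [rng.randrange(len(g)) for g in grids]


def simulate_guessing(trials=2000, seed=1):
    """Empirical success rate of pure guessing over many login attempts."""
    rng = random.Random(seed)   # seeded only so the simulation is repeatable
    wins = 0
    for _ in range(trials):
        grids, expected = make_challenge(ENROLLED_FACES, DECOY_POOL, rng=rng)
        if verify(expected, random_guess_answers(grids, rng)):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    grids, expected = make_challenge(ENROLLED_FACES, DECOY_POOL)
    print("user passes:", verify(expected, legitimate_user_answers(grids, ENROLLED_FACES)))
    print("blind-guess odds per attempt:", guess_probability())
    print("observed guess success rate:", simulate_guessing())
```

With nine faces per grid and four rounds the odds of guessing through are 1 in 6561 per attempt, so the scheme still needs the usual attempt limiting and lockout on the server side; the per-attempt odds only mean something if an attacker cannot make thousands of attempts.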


Are Biometrics the Key to Preventing Fraud in the Call Center?

"The best security is always layered security, and this principle holds true when securing the telephony channel," says Gartner's Avivah Litan. While Ms. Litan's article focuses on the strength of combining voice biometrics and device printing to fight fraud in the call center, it also highlights the importance of both a layered strategy and one where the methods are designed for the transaction.

Call center fraud can be especially tough when, as the article cited above states, the perpetrator may well have the answers to security questions (obtained through social engineering) and the account details, and raises no red flags in their interaction with the call center representative, who is trained to help customers when they call in with a request. In this case, a voice biometric allows the perpetrator to be flagged, and possibly identified, if and when they next attempt to commit fraud. This is done passively, an area where the most cutting edge biometric technologies excel: there is no need to inconvenience the customer in order to capture, measure, or flag this potentially extremely valuable information.

In this way, biometric technology races ahead of other authentication methods, which often require the user to "do something" - even if that something is as simple as receiving a text message. By layering security measures that passively collect and measure information, and aligning those methods with specific use cases, organizations can reduce fraud and protect their customers.


Apple Opens Up TouchID for Use With Apps

This week at WWDC, Apple announced that it will open up TouchID for use with apps, allowing app developers to extend Apple's biometric fingerprint authentication feature to their users.

This announcement extends a user friendly, more-secure-than-a-plain-password authentication option to app developers, highlighting a collective recognition that there is a real need to enhance security for mobile users on both their devices and their apps. It is also testimony to the growing interest in biometric technologies for authentication. They address some of the critical challenges associated with passwords and PINs, which are often easy to guess.

Apple is now leading the way in distributing biometric technology to its many users. From the article cited above: "For all Apple's posturing, this is actually one of its minute design details that does have the potential to change everything."


Second Factor Now Required?

CNET reported this week that Google will be requiring second factor authentication for Google Apps, even for users who have not specifically enrolled in the second factor feature Google currently offers.

"...Google is showing the growing necessity of owning a mobile phone -- and having it charged, connected to the network, topped up with access privileges, and working even when traveling. In effect, a person's phone number is becoming a sort of personal identifier.

Google plans 'to slowly roll out this feature for all domains over the coming weeks,' Google said in an update on Tuesday. For people who haven't told Google their phone numbers, Google will prompt them to share it if a suspicious login is detected."

"Dual-factor authentication requires two steps, typically a password and a code generated by a smartphone app or text message. It involves extra work to log on, but because it increases security significantly, it's arriving at sites including Google, Yahoo, Microsoft, Twitter, Dropbox, and LastPass as a way to better protect accounts." Google's recognition that mobile users require strong authentication is indicative of a growing realization that second and multi factor authentication are needed to secure the way we work, which includes a mobile-specific security strategy.


Tells Us Who Is Missing Their Second Factor

The site provides a useful list of widely used sites that have enabled two-factor authentication (2FA) for their users. In an article on Wired, Josh Davis, the site's founder, describes it as "a single place to go when determining alternative services based on the care and engineering they have in place for their customers."

Scrolling through the list could be very concerning for users with accounts at some of the very well known and trusted companies that are pointed out here as still not 2FA enabled. The sites that have already enabled some form of 2FA appear in green, but take a closer look: the 2FA approach they have implemented is described there too, and the majority seem to have done it with SMS, a one time password sent to the user's mobile device.

When considering the importance of 2FA, it's extremely important that end users understand not only that the companies they know and trust are taking steps to increase security, but what those steps are and what exactly they secure. A one time password via SMS essentially makes a token out of the end user's phone number: it proves that whoever is logging in can receive messages for that number, but it does not validate the identity of the individual making the request and does nothing to protect activity carried out on that device, at a time when the volume of transactions users perform on their mobile devices is skyrocketing. 2FA is truly meaningful when it addresses the need for security while integrating cleanly with the user experience, which is what fuels widespread adoption. Before we breathe our sighs of relief when we see our sites in "green", we need to make sure we understand what is really being protected, and under what circumstances.

