Biometrics: A New Wrinkle Changes the Authentication Landscape is a primer on the fundamentals of biometrics for authenticating consumers' identity. The report explains the need for multimodal biometric authentication and describes many types of biometrics available from various technology providers. It shows how biometric technology has shifted from a primarily hardware-based solution to a software- and cloud-based solution enabled by smartphones that have become much more secure. With voice and face recognition, and now the addition of behavioral biometrics, this shift will drive rapid new innovation and will tip the market in favor of the mobile architecture.
"Behavioral dynamics will play an increasingly important role in establishing trust factors for authenticating consumers' identity across every channel and for establishing persistent identity," said Tim Sloane, Vice President, Payments Innovation, and author of the report. "With the introduction of new authentication factors, new secure mobile platforms, and software- and cloud-based authentication mechanisms, it will be extremely risky for banks to make an investment decision that includes hardware and requires five-plus years to achieve a positive return on investment."
Increasingly smartphones are shipping with trusted execution environments that can displace traditional hardware security fobs. These new smartphones are critical to this fundamental shift in biometrics.
Criminal theft of passwords has made passwords obsolete, and so a new factor is required for authentication. Biometrics will be that new factor. It increases security and will prove more convenient for the consumer than passwords as it transitions into a persistent identity over the next 5 to 8 years.
For persistent identity, authentication no longer entails just a single challenge event such as a fingerprint scan but evolves into a passive trust value uniquely associated with an individual, as is being pursued by Google. The trust value will be constantly updated based on multiple factors including location and passive sound (voice and ambiance) as well as facial recognition and a range of behavioral inputs.
With the mobile device formulating this trust factor, it is highly likely that Apple and Google will be critical partners in consumer authentication for the majority of access control scenarios, including call centers and physical access.
This reliance on the smartphone will help establish the FIDO (Fast IDentity Online) standard as the appropriate architectural approach for managing authentication credentials. Under FIDO the private key stays in the handset and the relying party stores only the matching public key, so keeping the credentials in the handset eliminates the central credential stores that attract criminals, increases consumer trust, and turns the authentication infrastructure into a shared resource that will greatly lower the deployment costs currently associated with all authentication solutions.
Highlights of the report:
- Given the effectiveness of cybercriminals, security will continue to be at risk until passwords are eliminated entirely.
- Consumers are wary of biometrics today but will come to accept it just as they did mobile banking.
- Apple and Google will continue to upgrade and extend the security and biometrics implemented in hardware and operating systems and, due to the broad visibility that these operating systems have into the life of the mobile device user, will have more data than all others for authenticating the individual.
- Authentication will move from a single challenge event, as done today with fingerprint readers, and evolve into a passive persistent identity trust value. The trust value will be based on multimodal biometrics to include geolocation, known commute and work patterns, passive voice and face recognition, and a range of behavioral inputs. As these improve in verifying authenticity, the challenge event will become relatively rare and specific only to high-risk situations.
- Smartphone technology is rapidly becoming more secure and broadly available in the U.S. population, which means that broad deployment of biometric hardware by financial institutions is likely to be obsolete in less than 5 years.
- It is probable that Apple and Google solutions will become critical hardware and software authentication suppliers for the majority of access control scenarios, including devices, call centers, cloud and application authentication needs.
- Biometric tags and trust decisions should be held and calculated on the device to mitigate the risk associated with central storage of credentials; this is also critical for increased consumer trust. Centralized repositories, no matter how secure, represent a liability from the consumer's perspective.
- The FIDO authentication architecture will establish an authentication framework that moves much of the hardware and software into a shared asset resident on the mobile phone, which will greatly lower the cost of deploying authentication solutions.
- Financial institutions should plan for the biometric world described above. This means using the mobile device for authentication wherever possible and avoiding central collection of biometric data as much as possible, since that data represents yet another target for criminals.
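The FIDO paragraph above and the highlights on holding credentials in the device describe the same challenge-response architecture: the private key is generated in the handset and never leaves it, the relying party keeps only a public key, and each login signs a fresh server challenge. The following Go program is an added example written for this page; it is not the report's material nor FIDO Alliance code. It assumes a hypothetical relying-party ID "bank.example" and credential ID "cred-0001", uses Ed25519 where most FIDO authenticators use ECDSA P-256, and hashes rpID, challenge and signature counter together as a stand-in for the authenticator data and client data hash that real FIDO/WebAuthn signs over. The biometric unlock of the key on the device is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the handset key store (the TEE in practice): the private
// key is generated here and never leaves this struct.
type Authenticator struct {
	priv    ed25519.PrivateKey
	counter uint32 // signature counter, incremented on every assertion
}

// Credential is all the relying party (the bank) stores per user. No secret here.
type Credential struct {
	ID          string
	PublicKey   ed25519.PublicKey
	LastCounter uint32
}

// Assertion is the device's answer to one login challenge.
type Assertion struct {
	Counter   uint32
	Signature []byte
}

// signedPayload hashes rpID, challenge and counter (simplified stand-in for FIDO's
// authenticator data + client data hash). Binding rpID into the signature is what
// stops a phishing site from relaying a bank's challenge.
func signedPayload(rpID string, challenge []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h.Write(c[:])
	return h.Sum(nil)
}

// Register generates the key pair on the device; only the public half is
// returned to the relying party, as in FIDO registration.
func Register(id string) (*Authenticator, Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv}, Credential{ID: id, PublicKey: pub}, nil
}

// NewChallenge is the relying party's fresh 32-byte nonce for one login.
func NewChallenge() ([]byte, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return b, err
}

// Sign is the on-device step after the user unlocks the key with a biometric
// (not modelled): sign the challenge for the rpID the client reports.
func (a *Authenticator) Sign(rpID string, challenge []byte) Assertion {
	a.counter++
	return Assertion{Counter: a.counter, Signature: ed25519.Sign(a.priv, signedPayload(rpID, challenge, a.counter))}
}

// Verify is the relying-party step: check the signature under the stored public
// key, then reject a counter that did not advance (replay or cloned device).
func Verify(cred *Credential, rpID string, challenge []byte, as Assertion) error {
	if !ed25519.Verify(cred.PublicKey, signedPayload(rpID, challenge, as.Counter), as.Signature) {
		return errors.New("signature does not verify under stored public key")
	}
	if as.Counter <= cred.LastCounter {
		return errors.New("counter did not advance: replay or cloned authenticator")
	}
	cred.LastCounter = as.Counter
	return nil
}

// ForgeWithStolenRecord plays an attacker who dumped the bank's credential table:
// they hold only public keys, so the best they can do is sign with their own key.
func ForgeWithStolenRecord(rpID string, challenge []byte, counter uint32) Assertion {
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	return Assertion{Counter: counter, Signature: ed25519.Sign(attackerPriv, signedPayload(rpID, challenge, counter))}
}

func main() {
	const rpID = "bank.example" // hypothetical relying-party ID
	device, cred, _ := Register("cred-0001")
	ch, _ := NewChallenge()
	as := device.Sign(rpID, ch)
	fmt.Println("genuine login:     ", Verify(&cred, rpID, ch, as))
	fmt.Println("replayed assertion:", Verify(&cred, rpID, ch, as))
	ch2, _ := NewChallenge()
	fmt.Println("relayed by phisher:", Verify(&cred, rpID, ch2, device.Sign("phish.example", ch2)))
	fmt.Println("forged from breach:", Verify(&cred, rpID, ch2, ForgeWithStolenRecord(rpID, ch2, cred.LastCounter+1)))
}
```

The four cases in main are the point of the architecture: a genuine assertion verifies, a replayed one fails on the counter, an assertion produced for a phishing origin fails because the rpID is under the signature, and an attacker who has copied the bank's entire credential table still cannot produce a valid assertion because the table holds no private key. That last case is what makes "no honeypot" a property of the design rather than a hope about database hardening.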
1. Executive Summary
2. Introduction: Biometrics Today and Tomorrow
3. The Basics of Identity and Authentication
4. A Brief History of Authentication
- Passwords and Passive Device Fingerprinting
- Hardware Tokens
- Active Device Fingerprinting
- The European Brouhaha
- The Problem with Standards
- Risk-Based Authentication, and Risk Versus Cost
- Biometrics and Mobile Opens New Opportunities
- Outsourced Identity (IDentity as a Service)
- For Consumers, Convenience Is Critical
5. Basic Biometric Capture Technology
- Palms, Hands, and Fingers
- Face and Eyes
6. Behavioral Biometrics, Multimodal Biometrics, and the Future
- Can Ambiance Become an Authentication Factor?
- Multimodal Authentication
- TEE Time
7. OS Suppliers Are Shaping Authentication Technology
8. Persistent ID
9. The FIDO Infrastructure
10. Biometric Deployment Challenges
11. Federated Authentication
12. Self-Sovereign Identity
- History and Definition
- Zero-Knowledge Proofs
List of Figures
Figure 1: Each Organization Has a Perspective on Identity That Is Linked to Its Own Credential
Figure 2: Comparing Cost of Traditional Authentication Methods to Mobile Biometrics
Figure 3: Common Steps to Increase Accuracy of Authentication
Figure 4: Multimodal Persistent Identity
Figure 5: Samsung Galaxy Note 7 Iris Detection
Figure 6: BehavioSec Implements Behavioral Biometrics for Nordic Countries
Figure 7: Centrally Managed Authentication Can Reduce Cost and Risk
Figure 8: The Mobile Device Will Enable Layered Authentication and a Persistent Biometric Identity
- Bank of America
- Bank of Tokyo
- CO-OP Financial Services
- Desert Schools Federal Credit Union
- E8 Security
- Early Warning
- Eli Lilly
- Entrust Datacard
- FIDO Alliance
- Google (Alphabet)
- HID Global
- IDScan Biometrics
- National Westminster Bank
- Sovrin Foundation
- The Hiroshima Bank
- US Defense Department
- Wells Fargo