Is biometric authentication a security silver bullet? Can iris scans burn your eyes? Derek Northrope, head of Biometrics for Fujitsu Americas, debunks the myths running through many consumers’, and even enterprise executives’, minds.
We are seeing a biometrics boom across many industries, from banks deploying selfie biometrics to laptops requiring fingerprint authentication. As we jump at speed towards a mobile-first world, biometrics will take an increasingly important role with new deployments and capabilities. However, fighting against this innovation are concerns about the security of biometrics and myths designed to create fear – iris scans burn your eyes!
Busting biometric fallacies and providing insight on the biometric landscape, Derek Northrope, head of Biometrics for Fujitsu Americas, separates biometric fact from fiction with CBR’s Ellie Burns.
EB: In your experience, what are the most common myths associated with biometrics?
DN: I suppose the biggest myth, that actually encapsulates a large number of other myths, is that Biometrics behave in real life the same way they do in the movies. This manifests in a number of, strangely divergent, ways. Some people have an unrealistic expectation of how magically accurate a system is or inversely that they are so inaccurate that they are easily beaten. Others believe that a single biometric scan can reveal their entire life history including what they ate for breakfast and who their first crush was. The reality is much more middle ground.
The second biggest myth is that all biometrics are created equal. Various biometrics have different strengths and weaknesses, including things like: Accuracy, Usability, Cost, Speed, Identification vs Authentication and Ability to be forged.
Any organisation looking at using biometrics needs to understand these factors, linked to their risk profile to determine the best Biometric, or Biometrics, for them. A good solution can tie all of these biometrics together into a single cohesive identity framework.
The third is that Biometrics, in and of themselves, are a magic bullet for identity and security. For low risk, or low cost, activities this may well be the case, however for higher risk transactions Biometrics should form part of a layered security approach including other factors such as the traditional, something you know, something you have.
EB: Is there any truth at all in some of the dangers associated with biometrics – or is it all hokum?
DN: Like all good myths there is some truth to the dangers, however, a good understanding of the issues above will mitigate them. For example, can someone copy your fingerprints and beat the TouchID? The short answer is Yes. The longer answer is that there is a cost and effort associated with beating the TouchID and that cost and effort needs to be replicated for each new person you are trying to ‘spoof’.
The simple fact that it needs to be replicated for each person means that the risk profile shifts from stealing a small amount from lots of people, to stealing a large amount from a few people. This is where a better understanding of the myths mentioned above comes in. Knowing that TouchID can be beaten, at a cost, means that it is fine for transactions with a value less than that cost, however for higher value transactions it should be combined with additional factors, or indeed replaced with a more secure biometric like PalmSecure.
EB: What is the most common biometric myth perpetuated by enterprise execs?
DN: That biometric solutions cost too much to implement. This is where a good understanding of myth number two combined with a deep understanding of the various risk profiles either within their organisation, or for their customers can help. One example is that in various industries implementing biometric time clocks can have a return on investment, from a reduction in buddy punching, of less than 6 months. Another example is the implementation of voice biometrics into a help desk to automate things like password resets can, with the use of Biometrics as a Service (BIOaaS) offerings, have an immediate ROI. Once this biometric framework is in place, and paying for itself, it can be expanded to include other biometrics, in other use cases, to increase security and reduce risk.
EB: How do you see biometrics being received/adopted by business today?
DN: For staff we are seeing a greater adoption of Biometrics to secure information and to automate tasks such as password resets or remote access authorisation. For customers we are seeing biometrics being used as a means to have a greater level of trust that the person we are dealing with, who isn’t physically present, is who they claim to be.