Biometrics will play an important role managing identities
While the best approach for identity and authentication is always a risk-based, multi-layered defense, there is also the need to look at what to do to minimize the impact of a breach.
Repeated incidents of large-scale identity data theft have proven that, unfortunately, even the best multi-layered defense is imperfect. The problem will become more difficult in the increasingly interconnected world of the IoT. For this reason, there must be greater focus on ensuring that stolen identities are made unusable by anyone but their legitimate owners.
Biometrics is playing a growing role in this area. As an authentication technology that binds a myriad of digital and physical credentials to a person, biometrics helps to mitigate digital identity theft in today’s complex and vulnerable digital environment. At the same time, though, it is important to understand that biometric characteristics are not secrets. As an example, our facial characteristics are quite public — not only observable, but also generally associated with our names and other personal information. When biometric data is stolen and gets “into the wild,” as happened in the widely publicized 2015 U.S. Office of Personnel Management breach, it can never be taken back. Perpetrators can conceivably use this data to hijack a user’s identity and gain fraudulent access to security systems.
The key question: what can or should be done to render this information useless to any would-be impostor? Given the premise that databases are inherently vulnerable to attack, the focus and challenge is one of minimizing negative impacts of a breach on individuals and organizations. In this complex and interconnected digital world, systems must be thoughtfully designed and deployed in order to protect user identities and ensure appropriate levels of security within the context of the application. Numerous tactics and best practices should be considered and tailored to the specific use cases in order to render identities useless to anyone but the legitimate owner.
Of critical importance is the ability to detect fraudulent attempts to use biometric data. Liveness detection — the real-time determination that the biometric characteristics presented are genuine and not fake — is a highly-effective design feature in solutions where users physically interact with authentication systems. Augmenting biometric liveness detection with other security layers for multi-factor authentication enhances our digital security and renders the theft of any one personal data element inconsequential. There are also a number of concepts that could intelligently combine biometric data and other data elements to create an even more robust digital credential that will ensure that stolen biometric data is insufficient and therefore useless in enabling the fraudulent use of legitimate identities.
Following are the key elements in a strategy that extends beyond breach defense to include tactics for neutralizing the effects of an identity breach after it has happened.
Improving liveness detection
The most effective liveness detection approach for fingerprint biometrics today uses multispectral imaging technology, which virtually eliminates the possibility of counterfeit fingerprints being used for authentication. The technology is used to compare the complex optical characteristics of the material being presented against known characteristics of living skin. This capability, in addition to the collection of fingerprint characteristics from both the surface and subsurface of the finger, results in superior and reliable matching performance paired with the exceptional, field-proven ability to detect whether the finger is alive or not.
Multi-factor and multi-modal authentication
For strong and reliable user authentication, organizations should always consider, where practical, multi-factor and even multi-modal authentication. Today’s authentication technologies enable solutions that can enhance security while replacing passwords and improving convenience in a seamless way that is non-intrusive to the legitimate user. Reliance on a single factor or complex password alone is not more secure and it is certainly not convenient.
Robust biometric templates with enhancements
It may be desirable in some application-dependent situations to construct and enforce the use of enhanced biometric templates. The use of a “super template” that uniquely combines biometric data with other information — perhaps even an OTP or other out-of-band data — enables the system to recognize and reject a biometric template that was created from a stolen fingerprint image. Templates can reside on a card or chip or in a smartphone or personal wearable. This provides a level of protection against someone who may wish to create a template from stolen fingerprint images.
Lastly, it’s important to remember that the chain of trust is only as strong as the weakest link. The biometric solution used in identity-proofing must interoperate with trusted devices at each verification point.
Biometrics solutions offer the ideal balance of convenience and security because they are simple to use and increasingly more robust and reliable. Biometrics is also the only authentication method that “binds” a user’s digital credentials to a person. As such, biometrics is playing an important role in eliminating digital identity theft in today’s increasingly complex and vulnerable environment.
Making security more robust and reliable without adding complexity is difficult, but as our environment becomes more complex and open to attacks, we can combine the universality and sophistication of biometrics with things we have — like personal devices, phones, wearables, — and things we know — like PINs or passwords. But in addition to better methods and technology we must also seek out advanced vendor solutions that can effectively guarantee a high level of trust without raising the complexity for the user.
When all is said and done we need to accept the fact that biometrics, like all other personal data, cannot be completely protected from a breach. All we can do is design systems that preserve the integrity of user’s true identities, even in situations like the OPM data breach. And perhaps the best way to discourage any future breaches is to simply render the stolen data useless to anyone except the legitimate owner.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the market to serve as Expert Panelists. Individuals are asked to share their unique insight into different aspects of the campus card market. During the month and January, these panelist’s predictions are published at SecureIDNews.