Lumidigm, part of HID Global, sees connected devices and the Internet of Things (IoT) as an opportunity for those of us involved with identity and authentication, rather than a challenge or threat. Why? Because we know there may never be a single, completely foolproof or “perfect” form of personal authentication. As a result, the only solution to assured authentication is, and always will be, to combine and use multiple factors or modalities. IoT provides the first environment that is truly ideal for enabling this approach.
It is widely known that even the use of biometric authentication does not, by itself, guarantee assured identity. There have been widely publicized cases, for instance, of popular consumer biometrics solutions being compromised, and there are data privacy concerns that put additional pressure on ensuring that solutions are secure and have adequate liveness detection as part of a multi-factor approach.
In fact, we know that, statistically, the threat of problems diminishes in direct proportion with how many factors and modalities are used to authenticate someone. There must always be at least one biometric factor in any scenario, however, and the use of two or three additional factors allows authentication error rates to actually approach zero. By relying on multiple factors, not only does the assurance level increase, but there is no longer the chance that compromise of any single factor, alone, will represent an irrecoverable or permanent failure.
As interconnected devices become more prevalent, we envision that there will be significantly more opportunities to implement a multi-factor authentication model in an IoT environment than there are today. In other words, as more and more intelligent devices become personal items capable of carrying personal data and communicating digital identities, we will have that many more ways to implement the requisite three factors of authentication.
Consider a smart watch or other wearable, or a smart phone capable of supporting multiple forms of biometrics — a fingerprint plus iris and/or facial recognition combined. Or, consider a personalized digital identity that might be carried in smart glasses, or intelligent ID cards. Looking out even further, it is not beyond the realm of imagination to contemplate other unique biometric signatures like a heart rate and other real-time health measurements taken by a wearable device.
All of these interconnected digital devices would likely have the ability to communicate with each other, and share GPS geo-location information and time stamps. When multiple personalized user devices can be seen as “present,” and coupled with the biometric identification of the user, we create a convenient and secure means of validating that users are who they say they are.
In practice, then, an IoT environment should enable us to simultaneously authenticate multiple devices, all co-located within the proximity of an individual who can then be biometrically authenticated using multiple modes, resulting in a new level of assured authentication. Moreover, these modes could all be validated to have occurred at the same time, and in the same place, to authenticate in real time. With this layered approach, the chances of making a positive identification are extremely high, and there is no longer the risk that the loss, theft or compromise of any single item in this chain of authentication devices and factors will cause a security or privacy threat.
The extent to which we can leverage IoT in this way will enable us to broaden our thinking about the continuum of security certainty and risks. On the one hand, we could continue to rely on a four-digit PIN with a one in 10,000 error rate that might be perfectly acceptable for many applications. And on the other end of this continuum, one could envision the combination of multiple personal digital devices with biometrics in a solution offering far more convenience and security because it would be capable of delivering an error rate small enough to authenticate virtually all 6 billion inhabitants worldwide.
So are connected devices and the IoT an opportunity or a threat? The answer: Technology is almost always both. But unless we’re ready to limit all future transactions to face-to-face encounters, there is considerable value in exploring this opportunity to leverage the proliferation of smart devices and biometrics, and combine them into solutions with the potential to significantly reduce, if not eliminate, the threat of personal authentication errors and compromised privacy.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the market to serve as Expert Panelists. Individuals are asked to share their unique insight into different aspects of the campus card market. During the months of December, January and February these panelists’ predictions are published at SecureIDNews.