There is no question that better methods of authentication are needed

Page 2 of 3

Achieve Assured Authentication

Biometrics has a central role to play in today’s authentication solutions, so it is important to revisit and review the many myths and misperceptions associated with this technology. Biometrics has a central role to play in today’s authentication solutions, so it is important to revisit and review the many myths and misperceptions associated with this technology. Much vulnerability has been addressed, and technologies will continue to improve as biometrics move from only being a forensic tool to becoming a compelling, mainstream solution, while service providers begin to appreciate and fully understand that both user convenience and security really matter.

Questioning assured authentication and biometrics

  • Is assured authentication even possible?
  • Is security the main driver for authentication?
  • Must security be at the expense of user convenience?
  • Are we finally at a tipping point for biometrics adoption?
  • Is biometrics the most effective means of assured authentication?

There is no question that better methods of authentication are needed today; however, it is not necessary to trade off security for convenience. There is definitely a role for biometrics, the one authentication factor that can reliably answer the question, “who?”

Why biometrics?

The general concept of biometric technology is not new, but the automated matching of identities as modern biometrics technology has progressed from a forensics focus to one of validating user identities in the digital world is a recent notion. Over the past few decades, many attempts have been made to make biometric authentication mainstream, but, until recently, these have been met with numerous complications, such as less-than-perfect performance and poor reliability.

Over time, many issues have been worked through with better system design and modern sensor technology. Multispectral fingerprint sensors, for example, have raised the bar for biometric performance, demonstrating reliability in everyday conditions that previously challenged conventional technologies.

Mainstream markets remain skittish about legacy issues, preferring instead to extend familiar, yet outdated, authentication methods, such as user IDs and passwords, to the breaking point. They do so at their own peril, because with the rapid increase in cybercrimes and identity theft, there is a pressing need for a better form of authentication than a password/user ID pair.

Even those who are skeptical about a wholesale switch to biometrics, however, acknowledge that adding an automated biometric identity check to another factor being used will greatly enhance security. Their skepticism isn’t entirely misplaced; no single factor will ever provide perfect authentication. But, biometrics is the one factor that can transform a multi-factor solution into assured authentication.

Biometrics is the only form of personal identification that, by definition, focuses on the individual and answers the question of “who” with a high degree of certainty. As such, it is an essential factor in modernday authentication solutions.

Assured authentication

So, how does one assure authentication in this digital age? It begins by accepting the reality that no single form of authentication alone provides 100 percent accuracy. Even a biometric like DNA matching is not perfect, but statistical error rates are substantially reduced when multiple forms of authentication are employed.

The use of biometrics as an additional tool, or second factor, greatly enhances the ability to get closer to 100 percent in the continuum to assured authentication. The reason for selecting biometrics as one of the two factors is clear. Knowing “who” is the goal of assured authentication, and biometrics is the only form of authentication that is solely focused on the identification of the individual.

Multi-factor authentication with a biometric enables new applications, or self-service offerings, that otherwise would not be practical, as the provider could be exposed to unacceptable risks. For example, combining a biometric match with a barcode on an ID card or on a smart device enables self-service authentication at an ATM by bringing transactions to an acceptable risk level. Combining the ability to read two authentication factors on the same device, such as with multispectral imaging technology, enables a whole new set of applications by simplifying multifactor transactions even further.

Another aspect of assured authentication can be seen in applications that do, in fact, require a true 100 percent level of service, sometimes for reasons that are less about security risk and more about customer expectations. Take for example, automotive applications, where anything less than 100 percent authentication is literally a non-starter. Sole reliance on the use of an automotive biometric is unacceptable, even as the industry explores biometrics for personalization and telematics applications in vehicles. To make these applications viable, there must be an alternative means of authentication available as a backup to guarantee user acceptance. This is how assured authentication is brought to a true 100 percent.

It is important not to lose sight of the fact that digital biometrics represents an exciting new tool for a new age. Much like the abandoned typewriter and White-Out for document production and editing, there is no longer a need to continue to rely on passwords for online accounts. Digital biometrics are no longer in the realm of science fiction; they are now poised for more widespread adoption. Today’s biometrics greatly enhance security and convenience as part of authentication solutions that address complex, modern risks and requirements.

What about user privacy?

One of the concerns often raised about biometrics is user privacy. People have the right to privacy, so it’s a bit ironic that the information so freely and routinely volunteered about our self through social media is a much greater threat to personal privacy than any biometric.

Because the right to privacy is very important, biometric best practices do allow for a number of protections that can, and should, safeguard our identities. These best practices are easily implemented and represent an important consideration when choosing a biometric technology and vendor who understand the risks and the means to protect people.

For those inclined to dismiss technologies on the basis of them being either intrusive or exclusive, biometrics are the most democratic and inclusive of all other means of identification. There is no language, literacy, gender, race, ethnicity or other human factor barriers. Little knowledge of how biometrics work is required for users to enjoy the full benefits. The technology is simple to use and, arguably, the most inclusive form of personal identification.

The security/convenience paradox

Security at the expense of convenience is a non-starter for markets where the user has a choice. Passwords, PINs, tokens and ID cards are not particularly secure nor are they convenient, but biometrics is uniquely positioned to provide both security and convenience. Most systems employing methods, such as PINs or ID cards, in response to growing threats, have become overly complex, are difficult to understand and generally block users from doing their jobs. Biometrics, though, supports workflow by providing security while non-intrusively enabling people to do their jobs.

Multispectral imaging is an example of a high-performing biometric that authenticates on the first try, shaving time and hassle off transactions, and allowing “security” to recede from the user’s perspective. In addition, knowing “who,” with some high degree of certainty, not only protects but enables services or information to be personalized, or customized, to users’ specific needs, role(s) or access privileges.

With the Internet, authentication needs are decidedly more complex, and yet technologies that are outof- date, inconvenient and ineffective are still relied upon. So, what would it take to change this?

Users have demonstrated that they will migrate to, and even pay a premium for, things they want versus things they need. Convenience is what people want, and security is arguably only what they need.

Knowing “who” matters

In a digital world, authentication and identification must be assured and reliable, so the role of biometrics is significant and should not be overlooked. It really does matter who we are, both to ourselves and to the people with whom we have personal and transactional relationships.

We have long since reached a point where conventional technologies like passwords, PINs, ID cards or tokens alone are not sufficient to protect us. Life is complicated enough already, and having to remember multiple passwords, complex passphrases and answers to questions easily found on our Facebook accounts are simply not convenient.

Biometrics is the only authentication factor that can answer “who,” and assured authentication, enabled by a combination of biometrics as a second factor, is the best way to design and develop solutions that meet today’s security needs. Education and good policy will ensure that security, privacy and convenience will always be preserved, even as technology advances. Consumer acceptance and appreciation of this technology, as users begin to realize the full benefits, will likely enable the widespread adoption of biometrics.

The threats to our identities are steadily rising. The cost and sophistication of a viable solution is now very close to the point where the question is not why use or deploy biometrics, but rather, why are we not deploying biometrics?

And, why on earth has it taken so long for us to get there?

This article originally appeared in the November 2013 issue of Security Today.

Featured

  • Survey: Less Than Half of IT Leaders are Confident in their IoT Security Plans

    Viakoo recently released findings from its 2024 IoT Security Crisis: By the Numbers. The survey uncovers insights from IT and security executives, exposes a dramatic surge in enterprise IoT security risks, and highlights a critical missing piece in the IoT security technology stack. The clarion call is clear: IT leaders urgently need to secure their IoT infrastructure one application at a time in an automated and expeditious fashion. Read Now

  • ASIS International and SIA Release “Complexities in the Global Security Market: 2024 Through 2026”

    ASIS International and the Security Industry Association (SIA) – the leading security associations for the security industry – have released ”Complexities in the Global Security Market: 2024 Through 2026”, a new research report that provides insights into the equipment, technologies, and employment of the global security industry, including regional market breakouts. SIA and ASIS partnered with global analytics and advisory firm Omdia to complete the research. Read Now

  • President Biden Issues Executive Order to Bolster U.S Port Cybersecurity

    On Wednesday, President Biden issued an Executive Order to bolster the security of the nation’s ports, alongside a series of additional actions that will strengthen maritime cybersecurity and more Read Now

  • Report: 15 Percent of All Emails Sent in 2023 Were Malicious

    VIPRE Security Group recently released its report titled “Email Security in 2024: An Expert Look at Email-Based Threats”. The 2024 predictions for email security in this report are based on an analysis of over 7 billion emails processed by VIPRE worldwide during 2023. This equates to almost one email for everyone on the planet. Of those, roughly 1 billion (or 15%) were malicious. Read Now

Featured Cybersecurity

Whitepapers

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3