Bio-metric Best Practices

By Rob Douglas

In the identity-based world we live in, passwords seem to hold the key to our identities. But with a majority of Americans (64 percent) personally experiencing a data breach, our long-held tradition of safeguarding our wealth and personal information using a secret word or phrase is being turned on its head.

This past September, Deloitte was hit by a cyber-attack, compromising the emails of some of its blue-chip clients. Hackers had access to information including usernames, passwords, and IP addresses. It’s been reported that the hacked account only required a simple password. Hacks such as Deloitte and others underline the utmost need to ensure the safekeeping of information.

Enter biometrics. By leveraging your face, voice, eyes, and behaviors, biometrics is upending our world and is helping us reclaim our right to our rightful identity. So much so that biometrics has entered the mainstream in today’s society, being adopted by big companies such as Apple (new Face ID) and Amazon (Alexa).

In order to implement biometric systems, there are do’s and don’ts that need to be considered. In the end, the most important thing is consumers. They need to feel safe and trust biometrics to be their new form of identity and there are certain steps that can do just that.

Here are some best practices:

1. Take a platform approach: The best way to incorporate biometrics into an existing infrastructure is to take a platform approach to the consumption of biometrics into applications – meaning that you don’t just focus on one type of biometric or one piece of hardware. Whether you’re a financial institution or data center, by taking a platform approach, biometrics can continue to innovate and evolve. Many might fall into the pattern of using simple point-to-point integration which only causes a piece of code to become frozen in time and bound to a single biometric. Developers will pick a favorite biometric and stick with it, but by using a platform approach, systems can integrate one biometric and then easily add on additional methodologies.

2. Incorporate risk-based authentication: Multi-factor authentication is not enough in order to eliminate spoofing from the biometric space. Critics of biometrics will point to spoofing, which is defined as the ability to imitate or fool a physical security application. As we’ve all encountered, one study by Keeper Security found that more than 80 percent of people reuse the same password across multiple accounts showing that convenience will trump security any day. Higher risk transactions such as a bank wire transfer for $10,000 should not be given the same weight as lower risk transactions, for example sending your coworker $5 for the coffee they bought you. Instead, the focus should be on the relationship between risk and trust. For higher-risk transactions, multi-factor authentication using multiple biometrics and liveness detection can create the most platform. By requiring an individual to provide his or her identity, the platform’s algorithm can significantly lower the chances of a system being tricked into wrongly identifying a subject.

3. Use a hybrid approach to store data: When it comes to storing biometric data, there is a common debate on whether the server (i.e., the Cloud) or local storage systems should be deployed. As a best practice, BioConnect recommends that companies utilize a hybrid approach as there are positives and negatives to both. But more importantly, enterprises need to consider not only where they store their data but how. One method, asymmetric cryptography, uses public and private keys to encrypt and decrypt data, with one key that can be shared with everyone and another key that is kept secret. This practice offers increased security.

4. Education: The best practice above all is education. The challenge we face today is that people are skeptical of biometrics because they don’t fully understand what it is and how it works. Every day, efforts are made in the right direction as more and more people adopt biometrics. With the introduction of biometrics in the mobile phone industry, physical security has moved forward as Acuity Market Intelligence forecasted that all smartphones shipped will have biometrics included within its software by 2020. The responsibility of education falls on the manufacturers and providers to educate the public on how biometrics can simplify and protect one’s identity.

In the not-so-distant future, passwords will go the way of cassette tapes, CD players and other devices that have been retired from everyday use. And I for one cannot wait. I envision a world where a person is no longer tethered to a plethora of passwords that they need just to access their own information. In the next few years, we will begin to shift away from passwords to the point where an individual can simply be themselves to prove their identity. We will wipe out the need to memorize different passwords and sequences, and instead, we’ll rely on our eyes, voice, hands, face –qualities that are unique to you and you alone—to protect our rightful identity.

About the Author
Rob Douglas is the Chairman and CEO of BioConnect. Over the last fourteen years, he has been providing global market leadership in the biometric identity market. He was formerly Board Member, President, and CEO of Bioscrypt Inc from 2003 to 2009 (BYT.TO) which was successfully sold to L-1 Identity Solutions (ID:NYSE) in 2008. Prior to that Rob was instrumental in shaping high growth technology companies as a former leader at IBM, Oracle and Siebel Systems. While at Siebel Systems, Rob led a hyper-growth business unit from $1m to $110m in less than 4 years. Connect with him on Linkedin or Twitter @RobMDouglas7.