I just scanned the biometric news feeds on the web. They’re exploding with biometrics that most people outside the industry might think of as, well, futuristic. But being more of an insider and knowing what’s here now and what’s in the pipeline, these biometrics are already deployed across the globe. Gesture recognition, iris recognition, retinal scanning, face, voice, signature recognition, hand geometry, fingerprint, palmprint, behavioral metrics, geolocation are all today’s news.
Despite the occasional naysayer article about the weaknesses of biometrics, improved methods for implementing biometrics are coming almost daily. Everyone already knows about the iPhone X and Face ID. I was blown away by that demo last fall. Now Samsung is making a new bid with a dual-camera phone (the Samsung Galaxy S9) that can handle 3D imagery. That is likely going to enable huge strides in liveness detection – techniques applied to thwart presentation attacks where imposters try to fool biometric systems with pictures of people or their fingerprints.
The thing about phones is everyone has one. And outfitted with cameras, microphone, speakers, gyroscope, touchscreen, and more, they are the ideal ubiquitous platform for most, if not all, of the biometrics noted previously.
But Phones Alone are Not Enough
Authenticating to your phone lets you access your phone securely to use the device and its features like apps and internet services over 4G and wifi. But phones alone are not enough. You need something else to integrate your phone’s authentication capabilities with organizational assets like network services and applications where authorization and access control are of paramount importance.
You need a secure app on your phone that is cryptographically tied to back-end services that integrate seamlessly with your network authorization systems. Each biometric must securely map to an identity maintained in the back-end. This means you must enroll your biometric with back-end services, presenting evidence at enrollment proving that you are who you say you are.
Some enrollment scenarios accept your network password as initial proof of identity. Other enrollment scenarios require you to present physical evidence of your identity like a state-issued driver’s license to an actual human or compare fingerprints taken at enrollment to fingerprints stored in a national database.
Enrollment is the first step to get you in the door. Now you must authenticate to access devices like your laptop or services or applications on your network. Protected devices and services need a little bit of software to signal the back-end when you want to authenticate. The back-end services notify your phone to authenticate you. The biometric app on your phone opens and asks for your fingerprints, face, or whichever biometric you enrolled. On successful authentication, the back-end services signal a confirmed identity and access is granted.
You might think that last sentence should be re-written as “a miracle happens and access is granted.” But let’s dig a little deeper to see how that “miracle” happens.
Seamless Integration is the Glue
Authentication scenarios differ across systems, requiring authentication at specific points in a system’s sequence of operations. In some situations, users initiate authentication by scanning a session QR code or near-field session ID. At other times, users provide their username to a protected device to initiate an authentication sequence. Here are some examples:
Some systems, like kiosks, may only require that a user is a member of an organization without asking for a user’s specific identity. These systems let users scan a QR code to initiate an authentication session. When the QR code is scanned, the user’s app requests authentication and sends the authentication result, with the QR code and identifying information, to the back-end server. The server confirms the authentication and that the user is a member of the organization, then signals the kiosk to grant access for that session.
In a different scenario, desktops and laptops in an Active Directory environment ask for a user’s identity. The back-end server uses the identity to determine which mobile phone to send a request to authenticate. On success, the back-end signals the desktop to grant access.
Seamless integration with the environment’s protected nodes and services is the glue that holds all of this together.
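The desktop scenario above, worked as an added example in Go (not code from the original post or from any product it describes): the back-end mints a per-session challenge, the phone app signs it only after its on-device biometric match, and the desktop waits on the back-end’s verification. It assumes a UAF-style device key pair whose public half was registered at enrollment; Backend, StartSession, phoneApprove and Verify are hypothetical names.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)
// A pending out-of-band authentication; the nonce is short-lived and single-use.
type session struct{ user string; nonce []byte; expires time.Time; used bool }
// Enrolled username -> phone public key; the private key stays on the phone, as UAF requires.
type Backend struct{ enrolled map[string]ed25519.PublicKey; sessions map[string]*session }
// StartSession: the desktop forwards the typed username; the back-end mints the challenge it pushes to that user's phone.
func (b *Backend) StartSession(user string, now time.Time) (string, []byte, error) {
	if _, ok := b.enrolled[user]; !ok {
		return "", nil, fmt.Errorf("unknown user %q", user)
	}
	nonce := make([]byte, 32)
	rand.Read(nonce)
	sid := fmt.Sprintf("%x", nonce[:8]) // session id shown on the desktop or in a QR code
	b.sessions[sid] = &session{user, nonce, now.Add(60 * time.Second), false}
	return sid, nonce, nil
}
// phoneApprove models the app: it signs sid||nonce only after the on-device biometric match succeeded.
func phoneApprove(priv ed25519.PrivateKey, sid string, nonce []byte, matched bool) ([]byte, error) {
	if !matched {
		return nil, fmt.Errorf("biometric mismatch: nothing signed")
	}
	return ed25519.Sign(priv, append([]byte(sid), nonce...)), nil
}
// Verify is what the desktop waits on: expired, replayed, unenrolled or wrongly signed responses are refused.
func (b *Backend) Verify(sid string, sig []byte, now time.Time) (string, error) {
	s, ok := b.sessions[sid]
	if !ok || s.used || now.After(s.expires) {
		return "", fmt.Errorf("no live session %q", sid)
	}
	s.used = true // one attempt per challenge, whether or not it succeeds
	pub, enrolled := b.enrolled[s.user] // may have been deleted since (right to be forgotten)
	if !enrolled || !ed25519.Verify(pub, append([]byte(sid), s.nonce...), sig) {
		return "", fmt.Errorf("signature does not match an enrolled device")
	}
	return s.user, nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // generated on the phone at enrollment
	b := &Backend{map[string]ed25519.PublicKey{"alice": pub}, map[string]*session{}}
	sid, nonce, _ := b.StartSession("alice", time.Now())
	sig, _ := phoneApprove(priv, sid, nonce, true)
	fmt.Println(b.Verify(sid, sig, time.Now())) // alice <nil>
}
```

The kiosk scenario differs only in what starts the session (a scanned QR code instead of a typed username) and in what Verify returns (membership rather than a specific identity).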
The Role of Privacy Regulations and Standards
Stepping back from these low-level implementation details, other factors come into play especially regarding user privacy and regulatory requirements. Here are some examples:
- The General Data Protection Regulation (GDPR) Right to be Forgotten is a requirement in the UK and other EU nations and is now being adopted by other countries around the world. In this case, removing a user account from the system also removes the user’s biometric templates and other sensitive data from the system.
- Another GDPR requirement in financial services is legal non-repudiation of transactions by digitally signing all transactions. Each signature includes a text message describing the signed transaction and is bound to the biometric identity of the individual who signed the transaction. The back-end stores auditable records of all signed transactions so users cannot deny they performed a signed transaction.
Adherence to standards also plays an important role by allowing interoperability and flexibility. Two important standards that apply to mobile authentication are the IEEE Standard 2410 Biometric Open Protocol Standard (BOPS) and the FIDO Alliance UAF Passwordless User Experience framework.
IEEE Specification 2410 specifies these capabilities:
- Use of visual cryptography for biometric data distribution and encrypted storage – This technique prevents a breach of one data store from exposing a user’s complete enrolled biometric data.
- A searchable encrypted store of biometrics – All data is encrypted in its passive (at rest or in storage) state to preserve user privacy. P2410-2016 specifies mechanisms ensuring a fast real-time search result even for stores that include millions of biometrics.
- Open standard and vendor-neutral – It’s not tied to any specific biometric method or algorithm. Anyone can write a biometric algorithm and plug it into the backplane.
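The “breach of one data store” property from the first bullet, as an added example in Go (not the standard’s own scheme or code): a 2-of-2 XOR split, the byte-level form of the visual-cryptography sharing the standard names. The template is a constructed string, and Split, Combine and ConsistentShare are hypothetical names.

```go
package main
import (
	"bytes"
	"crypto/rand"
	"fmt"
)
// Template is the enrolled feature vector; the whole thing must never sit in one store.
type Template []byte
// xorBytes is the share arithmetic; both inputs must have equal length.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}
// Split makes two shares: shareA is uniformly random, shareB = template XOR shareA.
// Each share goes to a different data store.
func Split(t Template) (shareA, shareB []byte, err error) {
	shareA = make([]byte, len(t))
	if _, err = rand.Read(shareA); err != nil {
		return nil, nil, err
	}
	return shareA, xorBytes(t, shareA), nil
}
// Combine rebuilds the template at match time from both stores.
func Combine(shareA, shareB []byte) (Template, error) {
	if len(shareA) != len(shareB) {
		return nil, fmt.Errorf("share lengths differ: %d vs %d", len(shareA), len(shareB))
	}
	return Template(xorBytes(shareA, shareB)), nil
}
// ConsistentShare shows why one breached store is useless: for any candidate template
// there is a partner share that combines with the stolen one into it, so the stolen
// share alone says nothing about which template was enrolled.
func ConsistentShare(stolen []byte, candidate Template) []byte {
	return xorBytes(stolen, candidate)
}
func main() {
	enrolled := Template("constructed-minutiae-vector-0001") // constructed sample, not a real template
	a, b, _ := Split(enrolled)
	back, _ := Combine(a, b)
	decoy := Template("constructed-minutiae-vector-9999")
	got, _ := Combine(a, ConsistentShare(a, decoy))
	fmt.Println(bytes.Equal(back, enrolled), bytes.Equal(got, decoy)) // true true
}
```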
FIDO Alliance provides these capabilities:
- UAF (Universal Authentication Framework) provides strong authentication without passwords.
- UAF requires authentication (vector and template matching) to transpire on the mobile device.
- UAF supports combining multiple authentication mechanisms such as fingerprint + PIN.
Note: U2F (Universal 2nd Factor) is another FIDO protocol focusing on device capabilities that support two-factor authentication. However, this protocol does not directly relate to biometric authentication.
Biometric authentication is much more than what you see on your phone. To make biometric authentication work, it needs a back-end that is tightly integrated with systems and applications in your network environment. It must be flexible enough to adapt to many different authentication scenarios. It’s got to have a vendor-neutral architecture to allow the use of new and improved biometric algorithms from any vendor. Lastly, it needs to satisfy regulatory and privacy needs.