Now that biometrics is starting to take hold in more venues, companies need to be especially aware of the process of initial enrollment. A biometric system is only as good as its measurement of the person in question. Additionally, how this information is stored and used is critical to the overall architecture of any biometric deployment. Take this example: Imagine your bank uses a face recognition system to authenticate you for access. Now imagine that the enrollment images they took of you don’t capture you in an ideal way. The result is that the system might have trouble identifying you in different situations, such as adverse lighting. The process of enrollment is a combination of the science – which is particular to the modality being used – and a business process to determine how to gather this information. This leads me to the next point, securing biometric enrollment.
Make Biometric Enrollment Secure for Optimal Results
As I stated previously, biometric systems are only as good as their enrollment information. Organizations today are looking for ways to optimize security and prevent fraud, and there is a feeling that biometrics can help make this happen. However, used improperly, biometrics can and will make the problem worse.
Imagine that a hacker wants to access your bank account and siphon off your money. They know that most banks require a photo ID, and some now register your biometrics to open an account. That hacker gains remote access to your computer and smartphone and steals photos of you and captures your voice when talking to your bank. They now have a lot of useful biometric data which can be fed to the bank. However, instead of trying to access existing accounts, the hacker uses this information to open NEW bank accounts at another bank. This bank allows you to enroll on its shiny new mobile app, simply by taking some face images and talking to you over the phone in the comfort of your home.
The hacker successfully opens the account using the recording of your voice, files for credit cards, all under your identity, with your face and voice. Months go by, and you apply for a car loan, only to find out that you owe $100,000 and are late on the payments. On examination, you argue that you have no bank account at this other bank and never filed for that credit. The bank argues that they have your face and voice on file. It will take months, or even years, of investigation to determine that this is, in fact, a case of fraud.
Eliminate the Risk Factors
So what can we learn from this? Biometric deployments require a well thought out and executed enrollment process, based on the type of business and the use case involved. Here are some guidelines to think about:
- Are you securing private critical data for your customers?
- Are you dealing with financial information?
- Is this for a government or other official ID?
- Is the person’s healthcare involved?
If any of the above are true, you may want to require the customer to physically come to a branch or office and enroll in the presence of a real person, while presenting two other forms of valid ID, such as a passport or Social Security card. Alternatively, you could request additional qualifying information, such as knowledge-based authentication, during enrollment and third-party confirmation of identity.
In an ideal world, a user would install an app on their smartphone and use that to enroll. There are other, less secure or time-consuming ways to ensure valid enrollment. However, given that you want high-quality biometric data and securely validated information, having the person enroll in the presence of a trained employee is currently the best option. It relies on enterprises wanting to use biometrics to deploy them in a safe and secure way. A combination of multiple data points and verification steps will help ensure that the most critical step in biometric authentication, initial enrollment, is secure.