Biometric-based user authentication hit the mainstream in 2015, with forecasts from my company, Goode Intelligence, predicting that over 120 million people used biometrics on their mobile devices to access financial services. This figure is set to increase rapidly as we enter 2016, with organizations across a variety of vertical industries deploying biometric technology to give people convenient methods of securely accessing a wide range of digital services.
The Device-Centric Model
2015 was certainly the year that biometric technology for user authentication went mainstream, thanks to smart mobile devices providing a convenient biometric authenticator. Most major smartphone manufacturers are shipping devices that support biometric authentication and are providing access to third parties via APIs. These advances are enabling organizations to roll out mobile-based biometric authentication services swiftly. This device-centric model is being adopted by organizations, including banks and payment service providers (PSPs), as a quick way of solving the “password” problem.
However, the manufacturer-led, device-centric model only solves part of the problem of providing secure and convenient access. It only offers biometric authentication to those equipped with the latest mobile devices, which have integrated biometric sensors and secure hardware for storing sensitive biometric data. Organizations are using this method to test the waters for mobile-based biometric authentication, but they are also looking at alternatives to ensure that an authentication solution is available to a large percentage of their user base.
There are genuine concerns over whether organizations operating in highly regulated sectors, such as finance and healthcare, can trust a “one-size-fits-all” model. In this model the capture and storage of biometric identity data is managed by a hardware OEM, using algorithms tuned to be more convenient than secure.
The Centralized Architecture Model
One alternative is to adopt a centralized architecture in which biometric identity data is captured by trusted means and then stored centrally in a database. This server-centric biometric authentication architecture is managed by the service provider, which can therefore control the end-to-end biometric authentication process, including capture and enrollment. It also supports an omni-channel service in which the user can access digital services via a wide range of endpoints: computers, mobile devices, smart TVs, and physical locations (a bank branch, enterprise access control and in-store retail scenarios).
The major problem with this model is security. A server-based biometric database becomes a “honeypot” target for criminals, hostile governments and hacking groups. As the 2015 OPM hack demonstrated, which led to the theft of the fingerprint data of millions of United States government personnel, storing people’s biometric data in network-accessible databases can lead to the wide-scale theft of incredibly personal data.
A Better Way
The choice between a device-centric and a server-centric biometric authentication method brings organizations both positive and negative consequences. There is, however, a better way: one that supports the privacy-centric model of users managing their own biometric data, stored on their own mobile devices, while also giving service providers a mechanism for managing their customers’ and employees’ identities without relying on the ecosystem provided by the device manufacturer. This model is the Biometrics Open Protocol Standard, or BOPS, which was adopted as IEEE standard 2410-2015.
The second version of BOPS supports a model in which the user’s biometric template is split into two separate vectors, one held on the user’s mobile device and the other by the service provider. Both parts of the biometric vector are encrypted, and both parts are required for the authentication process to succeed.
This biometric authentication method combines convenience, personal privacy, and enhanced security to create a model that makes it harder for criminals and hackers to compromise a system. If the central biometric database is hacked, the attacker still needs the user device’s half of the biometric vector to break the system. Conversely, if a user’s mobile device is compromised, the attacker still needs to break into the central database.
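As an added illustration, not part of the original article and not the splitting algorithm BOPS itself specifies, the following Python models the “both halves required” property with a one-time-pad (XOR) split: each share alone is statistically independent of the template, so holding only the server half or only the device half gives an attacker nothing to match against. The sample template bytes, the Hamming-distance matcher and the threshold are constructed assumptions.

```python
import os

# Constructed sample only: a toy 128-bit "template" standing in for a real
# feature vector produced by a biometric sensor (assumption, not BOPS data).
SAMPLE_TEMPLATE = bytes.fromhex("3c5a9e17d204ffb866a1c3e9054b7d2e")

def split_template(template: bytes) -> tuple[bytes, bytes]:
    """Split a template into a device share and a server share with a
    one-time-pad (XOR) split. The device share is fresh randomness, so each
    share on its own is statistically independent of the template."""
    device_share = os.urandom(len(template))
    server_share = bytes(d ^ t for d, t in zip(device_share, template))
    return device_share, server_share

def combine_shares(device_share: bytes, server_share: bytes) -> bytes:
    """Recover the template; this only works when BOTH shares are present."""
    if len(device_share) != len(server_share):
        raise ValueError("shares must have equal length")
    return bytes(d ^ s for d, s in zip(device_share, server_share))

def hamming_distance(x: bytes, y: bytes) -> int:
    """Bit-level distance used as a stand-in for a biometric matcher score."""
    return sum(bin(a ^ b).count("1") for a, b in zip(x, y))

def noisy_probe(template: bytes, flips: int) -> bytes:
    """Simulate a fresh sensor reading by flipping the first `flips` bits."""
    bits = bytearray(template)
    for i in range(flips):
        bits[i // 8] ^= 1 << (i % 8)
    return bytes(bits)

def verify(probe: bytes, device_share: bytes, server_share: bytes,
           threshold: int = 12) -> bool:
    """Authentication succeeds only if the probe is within `threshold` bits of
    the template reconstructed from both shares. The template exists only
    transiently, in memory, for this comparison and is never stored whole."""
    template = combine_shares(device_share, server_share)
    return hamming_distance(probe, template) <= threshold

def verify_with_single_share(probe: bytes, share: bytes,
                             threshold: int = 12) -> bool:
    """What someone holding only ONE share (a breached database or a
    compromised device) can do: compare the probe against that share alone.
    Because the share is independent of the template, the distance is about
    half of all bits, so this fails with overwhelming probability."""
    return hamming_distance(probe, share) <= threshold
```

Encrypting each share at rest, as the article says BOPS does, is a layer on top of this split and is not shown here.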
This simple and ingenious model solves many of the current problems with biometric authentication systems and I believe it to be a game-changer that will lead to the deployment of flexible, more secure biometric authentication solutions.