What are the latest trends in biometrics? What concerns are there? How can you improve your security awareness? Janice Kephart, owner of Identity Strategy Partners, answered these questions and more when Samsung Business Insights recently connected with her in Episode 4 of our Business Disrupted podcast, Biometric Authentication: What Does It Mean for Your Business?, to get the latest on the most secure biometric technologies.
Q: We’re seeing biometrics becoming more mainstream. What are the most important things businesses should think about when integrating biometrics into their authentication and mobile security management environment?
Kephart: The top three things businesses should be thinking about are:
- What their goals are with biometrics and how biometrics can meet these goals.
- Assurance that all stakeholders will benefit from the infusion of biometrics into the authentication process. In most cases, assuring identity is critical, but articulating that clearly in written policy is essential to gain acceptance.
- The privacy and security of personally identifiable information (PII).
Q: You mentioned the importance of thinking about privacy and security of biometrics. How can organizations make sure PII is protected?
Kephart: It is up to the entity incorporating the biometric into their product offering to abide by basic international biometric standards to protect the biometric. One way is to only store that biometric locally, not on a server or in the cloud. Another is to convert that biometric into a non-reversible template, such as a series of numbers, for storage purposes and purge the picture of the biometric completely out of the system.
Q: Voice recognition is another type of biometric that we are starting to see used by banks and other businesses. How safe is voice recognition and what are the concerns?
Kephart: It depends on whether the app is using speech or voice recognition — it is easy to get them confused. Speech ID recognizes the words and converts them into spelling or to understand a command, like many automated call centers now that guide you through what you want by speaking words or providing numbers. Voice ID actually recognizes you as the speaker — via numerous vocal characteristics such as the cadence, accent, pitch, etc. Thus, voice ID is making a determination that you are you, so that if encountered again it can identify that same person again — whether it be on the phone, a video or even in person.
It is good technology that makes it pretty hard for someone to pretend to be you, but it struggles where there is a lot of background noise. The use case of a bank call center is a strong use case for voice recognition as long as there is built-in redundancy in case it is not running correctly. Look forward to, “Hello Dolly, how nice it is to hear from you today!” in your future.
Q: What are some exciting new innovations around biometrics that you are seeing currently?
Kephart: The merging of face and iris biometrics into one capture. Face will always have matching limitations due to aging and plastic surgery issues even if otherwise the matching algorithms continue to improve as they have for the past few years. While iris has none of the issues face has and is much more accurate due to the biometric itself remaining pretty much static, iris requires motionlessness, the right light, and the right distance. However, with iris biometric capture being merged into face biometric capture, you have convenience and accuracy now blended.
Q: What is “vascular” biometrics and how is it different from fingerprint technology?
Kephart: Vascular biometrics are your veins under the skin, usually in your palm. Fingerprint technology is the old-fashioned skin print of a finger. Vascular biometrics cannot be altered like a fingerprint, but they have a small footprint in the market due to limited use cases.
Q: As security awareness grows, do you think we’ll see a shift away from passwords and toward biometrics for mobile security management?
Kephart: I hope so! That shift seems as though it is past due. We are seeing it on our phones already, and from banks as well. Unfortunately, fingerprints used on phones aren’t easily compatible with desktop computers without an add-on fingerprint reader device, and thus it really has to be face or iris combined with something else for desktop.
Some of the products that are now making their way to market include a combination of keystroke and face to replace the biometric, for example. However, simply using the webcam face print should be sufficient. I would much rather be opening and closing that webcam when I sit down at my computer, especially at work, than having to change my password every 30 days.
Discover more about mobile security management and security awareness from Janice Kephart and Ashwin Krishnan, Sr. Vice President, High Trust in Samsung’s Business Disrupted podcast, Episode 4 — Biometric Authentication: What Does It Mean for Your Business?