What is the State of Biometrics?
“Security” used to mean “Difficult”. Thanks to the impact of biometrics over the past few years, that is no longer the case. Every day millions of people interact with a sliver of glass in their pocket that will tell them everything from the current age of the universe to when their shampoo will be delivered to their doorstep to how much money they have in their retirement account.
Each of these interactions, thanks to biometrics, can be accomplished seamlessly and without friction. Switching from a casual inquiry, to a personal, non-sensitive account, to a private, highly-secured account is accomplished with a swipe of a fingertip or by blinking into a camera. The advent and mass adoption of consumer-grade biometrics has drastically changed the expectations of the consumer. No longer are they required to create and remember a highly entropic code to use as a shared-secret, now they can simply look at a that sliver of glass and blink.
And this is only the first wave. As consumers are seeing multiple different modes of biometrics crop up on their iPhones and Samsung devices, older platforms are embracing the innovation as well - the W3C is working with the FIDO Alliance to integrate strong authentication - incorporating biometrics - into the standard web browser requirements, Microsoft’s Modern Keyboard will have a fingerprint sensor hidden in a normal looking key. The way in which we interact with our smartphones is becoming the way in which we interact with all computing devices.
This allows us to explore a new way of thinking about consumer-grade security. Rather than one large, all access door - we can introduce a multi-gate system where access to information or functionality at a lower level can be a simple fingerprint swipe, but higher levels of access require additional levels of proof of identity. Historically, a single password was the only thing necessary to access and approve all levels of a transaction--from seeing a balance, to paying a regular bill, to transferring vast amounts funds. Now, a fingerprint can be used to view an account balance, but a consumer would need a fingerprint plus a facial recognition scan to pay a bill or a fingerprint, face and voice authentication to transfer funds. Even in combination - the friction to the user will still be less than typing in a complicated password on a tiny touch-screen.
It is not just those engaged in the biometric field that feel that way. There are significant indicators from both the public and private market that show biometric adoption is increasing. Government organizations are issuing statements like the recent cybersecurity Executive Order in the US, PSD2 in Europe which focuses on financial organizations, the National Cyber Security Strategy out of the United Kingdom - all make specific mention of how to handle biometrics and what biometrics are good for. In the private market, we are seeing adoption from almost every vertical - from Mobile Network Operators, to Payment Providers, to Financial Institutions, even companies focused on the Internet of Things are looking for ways to include biometrics.
But there is still work to be done. While we have policy makers in the government like the National Institute of Standards and Technology issuing guidelines to embrace biometrics and deprecate other less secure methods of authentication - department heads, like those at the Social Security Administration, still cling to their outdated models of passwords, one-time-passwords, email resets and SMS messaging. There are still advocates for server-side biometric storage that refuse to learn the lessons of the Office of Personnel Management breach in 2015. Financial Institutions - while claiming to be centers of innovation - seem to be in a never ending cycle of evaluating and piloting without ever deploying. During all this time of debate and delay, the malicious actors out there are becoming more savvy, more experienced and are developing more sophisticated means of breaching newly deployed technology.
At the end of the day, the State of Biometrics is mixed - it is both the best of times and the worst of times.