This is a guest article written by Stuart Winter-Tear. The author’s views are entirely his own and may not reflect the views of IT Governance.
The ‘problem with passwords’ is well documented and grows more acute as traditional network boundaries are blurred with the adoption of mobile devices. As a result, the imperative to counter user impersonation and prove authentication on endpoint devices has never been so critical.
Traditionally, biometric solutions have not been widely adopted because of complexity, interoperability, credential storage, spoofing, false failures, flawed technology and perceived intrusiveness.
Compounding this, high-profile biometric breaches such as the one that hit the OPM have naturally led the public to ask again “Quis custodiet ipsos custodes?”, not least because if a card is compromised its owner can get a new card, but they can’t get a new finger.
Regardless, biometric research and development has surged and open standardisation has been promoted through organisations such as the FIDO Alliance.
With the largest technology and e-commerce companies, banks, healthcare and governments implementing and backing biometric solutions, we will see increasingly secure development and widespread adoption.
By 2021, the biometrics market will reach an estimated $30 billion. As a result, research is moving well beyond anything the original gummy bear hackers could have envisaged back in 2002. For example:
- Hardware processor-based storage of biometric data that never leaves the device.
- Behaviour-based – mouse, keyboard, touch and swipe dynamics and so forth.
- Proof of life.
- Ear canal identification.
- “Selfie” identification.
- Wearable biosignature authentication.
- Brainprint – 100% accurate brainwave-based authentication.
- Authentication pill – interacts with human stomach acid and emits an 18-bit signal from your body.
I’ve read of many more innovations, even including nasal passage biometrics. If you think about it, our mobile devices have a great view of and up our noses.
As biometric authentication solutions are widely adopted and normalised (this has already started on personal smart devices, in the realm of mobile payment platforms), we will see increasing social, regulatory and ethical acceptance of this technology, especially as users enjoy the ‘frictionless’ authentication benefits. On the regulatory side, the EU GDPR recently expanded the definition of sensitive data to include biometric data.
CESG’s Head of Identity in Government, Dr Chris Allgrove, recently said that biometrics “are not a silver bullet”. As with all things information security, there is no such thing as a magic elixir or philosopher’s stone.
Biometrics must always be viewed within the context of multifactor authentication and, as we all know, the concept of the ‘perfect security solution’ resides only in the realm of quackery.