The use of biometric technology has taken off in recent years which could largely be down to loopholes in password security becoming more apparent. Benoit Jouffrey, Thales Digital Identity & Security CTO, offers expert insight into the ways biometrics is being utilised across the technology landscape – whether it be in airports, banks or simply on an iPhone – and why it’s key to achieving world-class cybersecurity protection.
Cyberattacks are on the rise. It seems we can’t go a month without news of yet another network security breach, critical infrastructure attack or ransomware incident impacting an organisation.
Cybercriminals and bad actors are getting smarter and in a world where people are working from anywhere, organisations need to find ways to improve their network and data security. This partly comes by implementing stronger and smarter authentication systems. Passwords, while familiar, have widely known flaws – which makes biometrics more and more appealing.
The benefits of biometric security
Biometrics are a type of security that verifies a user’s behavioural and physical characteristics to identify them. It is widely thought of as the most accurate and strongest physical security technique for identity verification.
Most of us use biometric authentication every day – the use of fingerprint scanners or facial ID is commonplace on most smartphones now. Biometric security systems are like this, but on a much wider scale.
Biometrics can increase efficiency by removing the need for manual checks, providing both convenience and security, as there are no security tokens to carry or passwords to remember. They’re difficult to duplicate and remain the same throughout the user’s lifetime.
The prevalence and acceptance of biometrics as a form of identification is also on the rise. Aside from the smartphone example, biometrics are commonly used in a number of industries, including financial services, where they often take the form of biometric bank cards. By integrating a fingerprint scanner into the card, banks can afford consumers unparalleled security when making payments, in a convenient way, to protect their financial information from fraudsters.
They’re also taking off in the travel industry. Solutions such as Fly to Gate are designed specifically to improve and streamline the passenger experience – while satisfying robust security protocols. Digital ID and facial biometrics can be harnessed to do just that – removing the need for passengers to show a ticket or ID at every checkpoint. Through automated biometric and document verification technologies, the process is simplified for both passengers, airports and airlines, increasing efficiency and providing integrated security too.
Securing biometric technology
The need for this unambiguous and secure identification and authentication method has encouraged a massive deployment of biometric systems worldwide. Increased public acceptance and familiarity, improvements in sensitivity and accuracy and reduced costs for the sensors, cameras and software required have accelerated this adoption.
Here are some examples:
- Today, over 1.2B electronic passports are in circulation. They included a standardised International Civil Aviation Organisation-compliant holder’s picture and fingerprints in many countries.
- The Indian biometric identification scheme consolidates the biometric and demographic data of over 1.26B residents.
- Many ID schemes around the world already integrate an electronic chip which securely stores biometric data – such as a picture and fingerprints – in addition to the biographical (name, date and place of birth) data.
It’s a windfall for access, travel (self-service kiosks and automatic gates) but also civil identification, Electronic Know Your Customer/Client (eKYC) procedures, online customer registration and authentication and more. Needless to say that biometric systems are also crucial for critical infrastructures such as border control, law enforcement, health and subsidies and population and voter registration.
It’s in these examples where we tend to see not a combination of modalities used to reinforce authentication, such as iris and fingerprint in conjunction, but biometrics paired with another form of authentication. Passports, for example, use facial biometrics (‘something you are’) as the first and primary form of identification, with the booklet itself (‘something you have’) as the second factor. These marry up to create a strong identification token that is widely regarded as sufficient to protect people’s unique identification data.
Biometrics represents the most convenient and easy form of Multi-Factor Authentication and is therefore very well placed to increase security. It’s easy to combine biometric patterns, fingerprint combined with facial, for example, and to complete it with other authentication method – as per FIDO Alliance standards for instance. However, even biometric technology does not ensure absolute cybersecurity – and can be subject to spoofing attacks, involving imagery or fake biometric data in order to try and gain access.
Like many other cybersecurity topics, it’s a constant game of cat and mouse. Coupling biometrics with AI and Machine Learning is one way to combat these kinds of spoofing attempts. With AI you can reinforce the ‘liveness detection’ of the system, making it possible to determine whether it is a real person applying and not a photo, video, or a masked person trying to use someone else’s identity.
Liveness detection – a colloquial term for the rather technical expression ‘Presentation Attack Detection’ – in biometrics is the ability of a system to detect if a fingerprint, iris scan or facial ID is real and live. It uses algorithms that analyse data – after they are collected from biometric scanners and readers – to verify whether the source is coming from a fake representation.
The need for this is emphasised when you consider these other examples:
- IDENT, the Automated Biometric Identification System, is a cornerstone of the United States’ border management and immigration. The central Department of Homeland Security system stores and processes over 200 million identities, including biometric (10 fingers and a portrait) and associated biographic information.
- The FBI automated fingerprint recognition system – named initially IAFIS (now NGI) – is the world’s largest criminal history collection (more than 154 million individuals) at the end of October 2020.
- The European Council also adopted in 2017 the ‘Entry Exit System’ (EES) – this biometric system improves the quality and efficiency of systematic checks and controls in the Schengen area, the EES’s common database should help reinforce homeland security and the fight against terrorism and serious crime.
The importance of spoof detection was highlighted as early as 2013 by the European Commission’s TABULA RASA (Trusted Biometrics Under Spoofing Attacks) project. Perhaps unsurprisingly, it has also been a topic of research in the US since the launch of ‘Odin’ in October 2017.
The Odin programme was initiated by the Intelligence Advanced Research Projects Activity (IARPA), an organisation of the US Office of the Director of National Intelligence. Its goal is ‘to develop biometric presentation attack detection technologies to ensure biometric security systems can detect when someone attempts to disguise their biometric identity’.
Organisations and governments alike are turning to biometrics to solve authentication challenges in a wide variety of contexts. As we continue to move beyond just passwords, biometric technologies will need to be accompanied by suitable attack detection to be as trustworthy and effective as possible. Biometric data is unique, highly sensitive and should not end up in the wrong hands – meaning it should be used in the most responsible and ethical way possible. Only world-class cybersecurity protection is good enough.Click below to share this article