Biometrics and digital identity – is that really you?
What's the future role of multi-factor, intelligent biometric identity and authentication?
There is an iconic moment in the Steven Spielberg film Minority Report in which Tom Cruise heads into the shopping mall of the future; as he passes the stores they scan his iris, and the billboards start making all sorts of personalised sales offers to him. We might guess the next logical step: buy an item, wink, and the payment is sent?
Today’s rapidly developing biometric technologies suggest we are heading to a future that may not be so far off from Spielberg’s epic. Indeed, to paraphrase author William Gibson, ‘the future is already here, it’s just not evenly distributed’. Smile-to-pay facial recognition systems are currently being tested, with KFC pioneering the system in China, allowing customers to pay simply by smiling after placing their order. Amazon’s supermarket, Amazon Go, dispenses with checkouts altogether, combining mobile device and object recognition to fully automate the check-out and payment process.
More widely used biometric authenticators such as Microsoft’s ‘Windows Hello’ or Apple’s ‘FaceID’ are emerging as everyday authentication methods, as they have countered some of the initial hacks by using infra-red scanning and live video detection to confirm the person is real, alive, and present.
If we look at the high-profile data breaches appearing in the news on a regular basis, we realise that even with the impressive advancements in biometric authentication, no single technology in isolation is entirely infallible.
Multi-factor, intelligent biometric authentication
Authentication will forever be an evolving beast. Usernames and passwords were only the beginning (or, arguably, the past). Additional forms of authentication, such as email and SMS verification, are widely used as well. Geolocation and user patterns help identify anomalies, providing insights on when to apply step-up authentication, with retail banks typically blocking transactions if there is an outlier in the customer’s purchasing pattern.
Biometric authentication adds a whole new realm of opportunity to ensure you are uniquely you, but it becomes fallible if reliant on single forms of identification. Fingerprints can be copied, siblings can trick facial scans, and more. Using multiple sources helps to prevent fraud and build trust.
At Signicat, we explore a number of advanced biometric identification methods. Facial scanning, fingerprints, iris, and voice are currently well-known methods. But what about gait analysis? Are you walking like you normally walk? What about movement? Are you handling your mobile device normally, or are there any anomalies in your behaviour? There are subtle but telling cues that can be tracked to help identify if it seems to be you. If there is any uncertainty, additional, step-up authentication methods can be employed.
Biometrics and the Digital Identity Challenge
The primary purpose of any authentication endeavour is to ensure that the digital identity is verified. The Nordic countries set the bar for trusted digital identity years ago by introducing a shared digital identification infrastructure that vendors can use to engage more seamlessly with their customers.
These electronic ID (eID) schemes, such as BankID and NemID, are tied to national ID numbers, passports, and a valid address, and have access to credit ratings. Users must typically log in using multifactor authentication and, generally speaking, there is a comprehensive risk analysis as part of the interaction.
The introduction of biometrics and mobile devices has further simplified and improved the authentication process. For example, Norway’s BankID previously required a “code brick” to authenticate. Now, mobile phones are used as an additional authentication method, requiring fingerprint and PIN code, in addition to a unique ID and password.
Trusted digital identity
Ultimately, the use of biometrics helps build trust in the digital identity, and with that trust, the business goes unimpeded.
Today, the bank-driven ID schemes of the Nordics have set the standard for digital identity and authentication with billions of uses of digital identity per year in a population of less than 30 million people. For the average Norwegian business, new customer onboarding and authentication involve customers entering their eID credentials; the system checks the eID, and access is granted rapidly to new and existing accounts. The success of these schemes lies in the trust built around digital identities. Financial service providers, online retailers, and other commercial enterprises are able to digitally build a trusted relationship with their customers. Furthermore, these relationships are fully compliant with KYC and AML regulations.
These eID schemes are really popular with the Scandinavian public as they can dispose of their 50 or more passwords and log in to almost all digital services with their single set of credentials. And the frequent use of a single eID allows the establishment of behavioural patterns that ensure the algorithms pick up identity theft quickly and block fraud.
Linking the eID to the mobile device and the deployment of biometric factors considerably enhance security and enable a frictionless digital customer authentication process. Layering biometric technology onto existing identities allows customers to prove they are who they say they are via their mobile devices.
This linking of our physical ID to an eID to our mobile device, with transactional and behavioural monitoring, goes beyond two- or three-factor biometric-based authentication. This combination not only provides extremely robust security and validation, but it also tackles what is perhaps a pressing issue of the digital economy – that of assuredly validating digital identities for on-boarding and authentication of customers.