News

2016-01-01

FACING THE FACTS-Passwords give way to biometric technology

Passwords in the field of identification are on borrowed time, according to experts and latest statistics, and it’s all due to biometric technology.

In 2013 the facial recognition market was valued at $1.17 billion and it is expected to grow at a continual annual growth rate of 9.5% from 2014 to 2020, to $2.19 billion by 2019. This increased investment clearly demonstrates the security industry’s growing confidence in biometric solutions, as do moves to replace passwords to access everything from smartphones to bank accounts with fingerprints, facial recognition and iris scanning.

Speaking recently to media in Singapore, Nick Savvides, Symantec ANZ business manager of information protection went on to say that having passwords - no matter how complicated they are - is not the ideal way for companies to protect themselves against online threats, as cybercriminals are getting better at what they do.

He said in particular with the rise of the Internet of Things, Cloud, and mobility, businesses need to implement new security factors such as biometrics, whether it’s voice, facial, or fingerprint, as well as key dynamics and geolocation to ensure they are protected. Savvides said that over the next 12 months, Symantec will be releasing capabilities that utilise these new factors.

As a preview, Savvides revealed that Symantec will be enhancing its Symantec Validation and ID Protection (VIP) service with the introduction of VIP Everywhere. Due for release in the second half of 2016, VIP Everywhere will be designed, according to Savvides, to provide end-to-end authentication that will see “for the first time in a long time security and usability [become] friends”. It will also be embedded into Norton, so that computers will have a unique Symantec identifier that can identify a user of a specific computer.

PASSWORDS COMPLICATED

Here’s the fundamental problem with passwords: They are most effective in protecting a company when they are long, complicated and changed frequently. In other words, when employees are least likely to remember them.

As a result, technology companies are rushing to provide solutions that are both more secure and more convenient. Many laptops now come with built-in fingerprint readers. Smartphones and other devices, too, are opening up biometric options such as facial and voice recognition.

Apple last year acquired AuthenTec, a developer of fingerprint-sensor technology, and it said its new iPhone will come with a fingerprint sensor. Microsoft says its Windows 8.1 operating system is “optimized for fingerprint-based biometrics.” Biometric authentication will be usable more extensively within the system, the company says.

Google, PayPal, Lenovo Group and others, meanwhile, have come together in an organization known as the FIDO (Fast Identity Online) Alliance, which is aimed at creating industry standards for biometric and other forms of so-called strong authentication.

Another new option, from RSA, the security division of EMC Corp. and creator of the widely used SecurID hardware tokens, is risk-based authentication.

This technology sifts through masses of user data from various groups at a company to establish “normal” behavior, then assigns risk scores to each user. If an employee does something unusual, like log in from a new location, use a different computer, or try to access a system other than his or her usual, the risk score will increase, and the employee may be asked to provide additional authentication, for example by verifying his or her identity over the phone.

RAPID CHANGE

Many people expect the security landscape to change rapidly as more and more employees bring their own smartphones and other devices to work. Other developers of groundbreaking security tools include Agnitio SL of Madrid, which makes voice-recognition software used in law enforcement. The company has developed a system that allows workers to log in by speaking a simple phrase.

London-based PixelPin Ltd., meanwhile, wants to replace passwords with pictures. Choose a picture of your spouse, for example, and log in by clicking on four parts of her face in a sequence you’ve memorized. A photo is easier for people to remember than a text password, and harder for others to replicate, says company co-founder Geoff Anderson.

Gary James, Head of Sales & Customer Relations, Aurora, explained what he believes is driving investment in technology like facial recognition, saying, “After years of being the subject of far-fetched sequences in movies, where subjects are recognised in crowded streets from satellites, the key to growth has been a combination of improved technology but also the realisation that there are a range of verification tasks (matching one to one, or one to a few) for which facial recognition is perfectly suited. As a biometric method, facial recognition is hard to beat because its hygienic (being totally non-contact), very fast and most of us remember to take our face with us wherever we go.”

INCONVENIENT, INSECURE

Simon Gordon, Chairman of Facewatch, added, “I think that within three years we will expect our mobiles/cars/houses and even our favourite shops to recognise us, whether that is purely by face recognition or more likely by a combination of at least two measures where the data is important. We all rely on passwords and keys at the moment but this is inconvenient and insecure as can be seen by the constant ID theft and the fact that you can now apparently buy a device to unlock pretty much any modern high end car for £25!”

However, despite predicting that passwords will be replaced by biometrics, Gordon doesn’t think the existing technology we’re seeing in action on tools like smartphones is up to the job – not quite yet anyway.

“Within the next year or so I am sure it will be though,” he said, “I for one cannot wait to get rid of my passwords, but I do think where the authorisation is for high value transactions it will be necessary to have dual verification rather than rely on one biometric measure.”

James believes that the success of these kinds of deployments depends on a combination of the robustness of the technology and the compliance of the user.

“Last year we processed over 14 million facial recognition events at Heathrow for self boarding,” he said. “The experience would seem to indicate that as long as the application is well judged, the technology is more than up to the task and will only get better.”

The biggest objection within the industry to biometrics taking the place of our passwords is the question of what happens if your biometric data is stolen. Changing your fingerprints is slightly trickier than changing a password. Gordon is realistic about the threat this poses, but he also raises a valid point that although a fingerprint can be forged, a facial recognition algorithm cannot be utilised to recreate someone’s face.

ONLY ONE FACE

“There will always be clever people trying to break whatever security measures are built unfortunately,” he said, “however, a facial recognition algorithm cannot be used to recreate a picture of a face so no matter how good the algorithm (and each system will be different) there is only one face. If the detection is smart enough to recognise that the face is not a picture and combines it with, say, voice recognition, I think it will be pretty hard to fool. As least your face goes with you so no one can steal it without you knowing about it!”

Another question critics of mass use of biometrics solutions have raised is managing insider threat and protecting databases that store biometric information. Aurora has worked security for the information it stores into its systems, James said.

“Once individuals are enrolled into a biometric system, their identity exists as a ‘template’ rather than an actual picture or image of their fingerprint for another type of system,” James said. “This can only be interpreted by the biometric system which created it, making it useless to a third party.”

Gordon agrees that the threat to stored biometrics data is not all that different to the threat to any other sort of personal information, saying “Data will always be valuable if it can be used to gain value or advantage. If you could steal the biometric data used to authorise payments and somehow reverse engineer a product that would enable you to hack into bank accounts (say) then of course there is a threat. But this is no different to the threat of breaking in and finding passwords – the biometric data is like the lock but the real live face of an individual is the key so it’s no use stealing the lock, you want the key.”

Facewatch is an online digital crime and incident reporting system, linking businesses and police as well as the CPS seamlessly. It also in terms of crime prevention acts as a secure central database that stores watch lists for groups in a data protection compliant manner. Gordon explained that Facewatch is being linked to facial recognition and automatic number plate recognition (ANPR) systems to enable business users to receive alerts when a match occurs.

Aurora offers a product called FaceSentinel, which James told us, is the first application of Deep Learning (DL) in the security industry. DL is a form of artificial intelligence in which a computer ‘brain’ can be trained to recognise characteristics patterns by processing large amounts of data.

PERSONAL DATA PROTECTED

Governments need to guarantee the security of the systems used to produce, issue and control identity documents. And border control and security services must correctly identify passengers in order to minimize and anticipate risks.

Drawing on the latest innovations in smartcards, biometrics, encryption, secure biometric QR codes and Big data analysis, Thales meets all the security requirements of identity systems today. Thales’ high-performance solutions ensure personal data is protected and include identity documents, travel documents and all related electronic services.

The company also offers a unique set of skills to help airports manage flows of people as they move through the different security checks inside the airport, from boarding gate to passport control.

Access control is becoming a major concern for operators of sensitive sites in the same way as physical site protection. Today they need to know the exact whereabouts of every member of staff at all times, and clearly defined rules are needed to control movements of people between the different areas of a site.

Thales solutions help organizations define their access procedures in detail, with different levels of control for employees, subcontractors, visitors and vehicles. Their solutions include systems for managing ID cards, contactless smart ID badges, vehicle identification systems and multimodal biometric accreditation and identity systems for installations requiring high-grade security.

MORPHO’S SOLUTION

Morpho’s authentication solution enables you to adopt the most suitable authentication method for every situation (level of risk, use case, population) and all of an organization’s applications, regardless of the channel (online, mobile, POS).

It supports all authentication factors and combinations (e.g. biometrics, mobile, smartcard, SMS OTP, OATH OTP). If needed, Morpho can also provide a wide range of authentication factors (biometrics, mobile-based, smartcards).

Morpho’s authentication platform supports an extensive range of use cases for all types of users and levels of risk.

By offering a global and adaptable platform that addresses all authentication needs, Morpho saves the trouble of siloed approaches and countless isolated authentication strategies. This gives independence from authentication factor suppliers.

BEST BALANCE

Further, centralized management of authentication strategy lets you optimize risk management by adapting the level of security for each operation. It also helps cut costs.

Morpho also offers a wide range of authentication factors, to strike the best balance between various considerations such as target population, user-friendliness, cost, deployability, changes in technology and regulations.

Morpho is one of the world’s leaders in ID Documents integrating biometrics and number one in the world for ABIS (Automated Biometrics Identification System) in fingerprints, iris and face recognition solutions.

As connected mobile terminals become ubiquitous (they now outnumber PCs) Morpho offers Morpho Cloudcard, an electronic identity (e-ID) system, based on mobile device. It can be used for trust operations like strong authentication and digital signature.

Morpho’s wide range of Secure Elements encompass all form factors, from classical SIM cards to MFF2, eUICC, eSE and TEE, EMV CAP Payment cards and span the full breadth of technologies and capabilities, and tailor to specific customer needs.

Reference Text/Photos:

www.intersecuae.com

www.symantec.com

www.wsj.com

www.biometricupdate.com

www.thalesgroup.com

www.safran-group.com

Comments () Views (3822 ) Print

Send To Friend