The promise and peril of biometrics
The idea of authentication based on a person’s physical appearance or behaviour was once the stuff of science fiction. Fingerprint-approved digital payments appeared in Back to the Future II in 1989. And Admiral Kirk accessed high-security files via a retina scan in Star Trek II in 1982. Today, biometric identification, from facial recognition to gait scanning, is becoming normalised in daily life thanks to rapid improvements in the accuracy and affordability of the technology and growing frustration with passwords.
“Possession-based biometrics prevent scalable remote attacks,” says Andrew Shikiar, executive director of the FIDO Alliance, a US-based grouping of businesses and government organisations set up to reduce reliance on passwords. He is referring to authentication based on what someone ‘has’, such as their face or voice, rather than on something they know, like a password. The idea is that the hack of even a major company’s password trove can be mitigated if the apps and services that rely on the stolen passwords also have a biometric access layer.
Add in smartphone penetration, which has effectively put an Internet-connected voice scanner in the hands of most of the world’s population, and it is easy to see why biometrics are spreading rapidly.
Data from Statista suggests the global biometric market will grow from USD36.6 billion in 2020 to USD68.6 billion by 2025, while Goode Intelligence predicts that one in five payment cards will come equipped with biometric technology by 2026.
Finance was an early adopter, with fingerprint recognition built into payment solutions and the apps of online banks. The travel and tourism industry is adopting biometrics to allow access to hotel rooms, for example, and schools are exploring the use of facial recognition to pay for lunches.
Covid-19 and the subsequent increase in working from has also been a catalyst for growth. Andrea Carmignani, chief executive of Keyless, a UK-based biometrics start-up, says corporate clients have turned to the company to beef up security on the devices of remote workers: “We are seeing more and more interest in implementing our solutions in workforce settings.”
As a result, the number of digital identity verification checks conducted globally on an annual basis will more than triple from 1.1 billion in 2021 to 3.8 billion in 2026 according to Goode Intelligence, bringing in USD17.2 billion in revenue for identity verification vendors and service providers.
The trouble with the lightning spread of biometrics, which key players in the industry are the first to recognise, is the potential for it to outpace our ability to impose quality controls. One concern is the concentration of risk in smartphones, which come with varying technology standards.
“The level of security that is behind the camera, or the very small fingerprint sensors, that we have on some phones, is not high at all, but we put all our credit cards behind that,” says Peter Heuman, CEO of NEXT Biometrics, which manufactures standalone fingerprint sensors.
While the limitations of passwords are well known, because biometric access seems more secure, it can unlock access to transactions or processes without additional checks. Yet most common biometrics are not fool proof. Twins can have matching voices, fingerprints can be cloned in putty, and iris and retina recognition can be spoofed using high-resolution images.
There are other challenges too. Fingerprint scanners can allow the spread of pathogens like the Covid-19 virus and facial recognition systems cannot perform optimally where users wear masks.
Once compromised, biometric breaches are harder to recover: “If I steal your password, you can reset the password, but you cannot reset your biometrics,” notes Carmignani.
There are also ethical concerns. Facial recognition data, for example, can be collected without user consent, sparking concerns about data privacy. These systems are also more likely to fail on black faces compared to white faces: commercially available facial analysis software shows an error rate of 0.8 per cent for light-skinned men, compared to 34.7 per cent for dark-skinned women.1
Facebook recently announced it would shutter and delete the data of its facial recognition service in response to such problems, but others are extending its use. The Indian government, for example, has accelerated its rollout of facial recognition cameras to major commuter hubs.
Finally, there are simple usability issues. Voice recognition does not work well in loud environments. Fingerprint sensors fail in the rain or work less well for those who work in manual labour, as has been the case in India’s Aadhar benefit payments scheme.
All this may seem little more than frustrating if we are talking about access to a single app, but in countries from India to Estonia, biometric verification increasingly governs access to bedrock state services, which can have disastrous consequences if things go wrong. In India, for example, citizens have died after losing access to state subsidised food because fingerprint readers in remote towns did not work properly.
Institutional best practice
Best practices are beginning to emerge to ensure security standards are commensurate with the power that biometric verification yields. One key practice is layering, so that a simple biometric verification does not govern access alone, but is instead part of multi-factor authentication.
New technologies are also being developed which, rather than relying on a one-off ‘static’ fingerprint or face checks, dynamically observe human behaviour to confirm the identity of a user on an ongoing basis.
This can involve using data from accelerometers and gyroscopic sensors to understand how people hold their phones, how they carry them, or the way they walk. Typing on a smartphone can also be observed to flag any sudden changes that might indicate a phone has been remotely hijacked.
Carmignani’s Keyless, meanwhile, does not store biometric data, but instead encrypts it and distributes the data to different servers in the Keyless network, limiting the risk of data being compromised in a hack. Other companies are working to expand biometrics beyond verification to onboarding, and also account recovery so that users are not locked out of applications if they are compromised.
Most of this work is being done within companies, or in industry-led associations like the FIDO Alliance, on a voluntary basis. And that has led to voices within the business community calling for state guidelines.
Biometrics offer a step change from passwords in terms of security. More agreement around how to use them can turn that potential into reality.