.jpg)
The battle of biometric security coming in 2018
Friday, November 3, 2017
|
Kevin Tussy |
How biometric authentication will replace passwords and 2FA for better mobile security in today's world.
Fingerprint sensors first appeared in smart devices in 2007 and then gained momentum as a 4-digit PIN code replacement in 2013's Apple iPhone 5S. Hailed as the future of authentication by some, fingerprint's security weaknesses were quickly exposed by the children of sleepy dads, cats' paws and gummy bears. Still, the lure of convenience today and the promise of security tomorrow has analysts predicting that mobile biometrics will be a $50 billion dollar industry by 2022. Now, nearing the end of 2017, it seems that fingerprint's reign as the most tapped biometric is nearing an end as Apple adds Face ID to the iPhone X and drops fingerprint altogether. The real question is, however, can specialized biometric hardware really solve the password problem?
Apple isn't the only one heading down this path. Hardware makers Intel and Qualcomm are also hard at work on the next generation of 3D cameras for AR and, presumably, biometric security. But, just because a sensor measures depth, doesn't mean it's inherently secure for biometrics. Case in point: I recently purchased a Dell laptop with an Intel RealSense Camera test its facial recognition security feature. I was able to use a mannequin head to enroll and login easily - in fact, on my very first try. While the system does appear to require the user be three-dimensional, it doesn't require them to actually be human--a big problem.
In biometrics, the ability to measure the presence of uniquely human traits is called "liveness." Because a spoof can reproduce three-dimensionality for a sensor, biometrics must be able to determine whether the subject is truly human or risk being fooled. If used in a mobile app, this simple exploit could allow hackers to create fake user accounts without exposing their real faces to the camera. Financial institutions' anti-fraud departments are very troubled by this because new account onboarding, Know Your Customer (KYC) and anti-terrorism funding regulations are of critical concern.
Then there is the massive issue of fragmented hardware. With hundreds of smartphone models and hundreds more biometric sensors released in the last four years, how can an app developer know what biometric hardware sensors, if any, they should really trust?
Taking a global perspective, low-cost Android phones in emerging markets are where future user growth will come from, so any solution to the password problem should be sure include them. In the US, we forget that the rest of the world isn't buying $1,000 iPhones. In fact, Apple is only about 13% of the global market. Today's average worldwide smartphone price is $198, and it's going to be a long, long time before phones of that price-point have fancy 3D cameras or infrared iris scanners.
If next-gen biometric hardware looks to have major drawbacks like the lack of liveness detection, sensor fragmentation and many years of distribution before it's mainstream, what qualities would a software biometric need to have for us to start moving towards a password-free future right now? To be clear, I'm not talking about having a password and then bypassing it with a biometric like I can do with my fingerprint in my ADT home security app. I mean turning the entire security scheme upside down and never creating a password to begin with. Let's survey the landscape and break down the three boxes that must be checked for that to happen.
Passwords are the security default because everybody can use them. Nobody wants to, but everyone can. You never have to ask the user, "does your device support passwords?" They all do because it's the lowest common denominator, which is why it persists.
The only possible way for biometrics to meet this challenge is through new software that can enable apps to utilize hardware already included on most devices to collect biometric data. Lowest-common-denominator hardware is all that can be assumed to be present in the device. I'm talking about cameras, screens, buttons, etc. Every phone has them, so we can use them as universal sources of biometric data. I once saw a demo of a very creative software biometric that asked the user to move the device as if they were signing their name. The gyro and accelerometer in the device measured the movements and could authenticate the user based solely on the motion. I'm not sure it would be the preferred software biometric modality for a bank but it is very creative and more solutions like this need to be explored.
You could require two-factor authentication, then add an RSA token, and if it's still not secure enough, just keep piling on more factors. But, just like six-minute abs, none of it matters if people won't use it. Changing behavior is hard so, if the "new" login hoops are a complicated hassle and take longer to perform than the password they are trying to replace, you can bet that method will never gain traction.
The UX doesn't have to be telepathic, but it should be 10x better than passwords if it is to get quick user adoption. And, like I mentioned before, if people won't use it, it can't accomplish anything.
Biometric data must be processed and stored 100% on the device, and never in the cloud. Every app developer needs to be able to decide that a biometric is secure enough to be trusted in their app, and have control over it. After all, it's the app developers who are holding the bag when a breach occurs, not the hardware OEM. It's the app that will lose the customers and have their brand's reputation damaged. This is why banks won't allow anyone to transfer funds with just a fingerprint - they know it's not secure and it opens the door to something called "friendly fraud," discussed further down.
The biometric must use data that is either impossible to reproduce or have liveness detection that cannot be spoofed by readily available data like fingerprints, photos, or videos. As was recently shown when the Chaos Computer Club spoofed the Samsung S8 Iris scanner using a photo of the eye and a contact lens. Something like the Iris Scanner spoof may not seem like that big a deal, but the fact it can be reproduced so easily is a big problem not only for the reputation of the brands that utilize it but it again opens to the door to friendly fraud.
What is friendly fraud? If you've ever heard of someone buying an item online, receiving it, and then claiming it was lost in the mail just to get a refund of the purchase on their credit card, then you already know exactly how the "friendly fraud" process works. Companies like Amazon and eBay battle these issues everyday but, if a bank were use subpar biometric security, the consequences could be much worse than a few missing packages.
Let's say that a bank uses an iris scanner to allow funds to be transferred out of an account up to $10,000. Theoretically, a customer could scan their iris, transfer $10,000 to an international account and then claim the original account was hacked and demand the money be added back. When the bank says that his iris was authenticated, he could blame the well-known weaknesses of iris security and win in court.
For years, I've been a vocal proponent of working to solve the password problem in a way that is universal, intuitive and secure. But waiting for the next generation of biometrics sensors to proliferate into everyone's devices could take up to 10 years and be too little too late. I challenge the biometrics industry to fully acknowledge the security requirements necessary to truly replace passwords and not pretend to have secure solutions that simply aren't so. There's a lot of money at stake here, not just the $100B a year lost to identity fraud but now the multi-billion dollar mobile biometrics market. App developers and users need to demand a new era of integrity and transparency by demanding the biometrics industry stop lying by omission and start providing official third-party liveness testing results for Presentation Attack Detection (PAD).
It's my opinion that the perennial flops in facial recognition have led almost everyone to believe that a software biometric with true liveness detection couldn't be created; so all the big players have decided to try to solve the problem with hardware. However, these flops have not utilized recent advancements in AI to detect liveness. I know first-hand that software-based biometrics, especially those that utilize AI, can achieve virtually spoof-spoof security levels using algorithms/models small enough to be integrated into mobile apps.
Hardware biometrics will be relegated to opening devices forever once a software biometric proves it can replace app passwords securely because it will be universal and with no limit to its distribution. Adoption of a software biometric will reach record-breaking levels before hardware solutions have a chance. All it would take is the top seven banks in the world to add a software biometric to their mobile apps for nearly one billion people to instantly have access to the technology. However, it would take at least 5-10 years before the same number of people would likely have a device with any type of next-gen biometric hardware in it. I believe that, with hard work, resourcefulness and creativity, the industry will bring to market software-based biometric solutions like face authentication that are secure enough to replace passwords on every device, no matter how big or small the price tag is.
This content is made possible by a guest author, or sponsor; it is not written by and does not necessarily reflect the views of App Developer Magazine's editorial staff.
Apple isn't the only one heading down this path. Hardware makers Intel and Qualcomm are also hard at work on the next generation of 3D cameras for AR and, presumably, biometric security. But, just because a sensor measures depth, doesn't mean it's inherently secure for biometrics. Case in point: I recently purchased a Dell laptop with an Intel RealSense Camera test its facial recognition security feature. I was able to use a mannequin head to enroll and login easily - in fact, on my very first try. While the system does appear to require the user be three-dimensional, it doesn't require them to actually be human--a big problem.
In biometrics, the ability to measure the presence of uniquely human traits is called "liveness." Because a spoof can reproduce three-dimensionality for a sensor, biometrics must be able to determine whether the subject is truly human or risk being fooled. If used in a mobile app, this simple exploit could allow hackers to create fake user accounts without exposing their real faces to the camera. Financial institutions' anti-fraud departments are very troubled by this because new account onboarding, Know Your Customer (KYC) and anti-terrorism funding regulations are of critical concern.
Then there is the massive issue of fragmented hardware. With hundreds of smartphone models and hundreds more biometric sensors released in the last four years, how can an app developer know what biometric hardware sensors, if any, they should really trust?
Taking a global perspective, low-cost Android phones in emerging markets are where future user growth will come from, so any solution to the password problem should be sure include them. In the US, we forget that the rest of the world isn't buying $1,000 iPhones. In fact, Apple is only about 13% of the global market. Today's average worldwide smartphone price is $198, and it's going to be a long, long time before phones of that price-point have fancy 3D cameras or infrared iris scanners.
If next-gen biometric hardware looks to have major drawbacks like the lack of liveness detection, sensor fragmentation and many years of distribution before it's mainstream, what qualities would a software biometric need to have for us to start moving towards a password-free future right now? To be clear, I'm not talking about having a password and then bypassing it with a biometric like I can do with my fingerprint in my ADT home security app. I mean turning the entire security scheme upside down and never creating a password to begin with. Let's survey the landscape and break down the three boxes that must be checked for that to happen.
1.) Universal Access: Can It Be Used?
Passwords are the security default because everybody can use them. Nobody wants to, but everyone can. You never have to ask the user, "does your device support passwords?" They all do because it's the lowest common denominator, which is why it persists.
The only possible way for biometrics to meet this challenge is through new software that can enable apps to utilize hardware already included on most devices to collect biometric data. Lowest-common-denominator hardware is all that can be assumed to be present in the device. I'm talking about cameras, screens, buttons, etc. Every phone has them, so we can use them as universal sources of biometric data. I once saw a demo of a very creative software biometric that asked the user to move the device as if they were signing their name. The gyro and accelerometer in the device measured the movements and could authenticate the user based solely on the motion. I'm not sure it would be the preferred software biometric modality for a bank but it is very creative and more solutions like this need to be explored.
2.) Convenience: Will It Be Used?
You could require two-factor authentication, then add an RSA token, and if it's still not secure enough, just keep piling on more factors. But, just like six-minute abs, none of it matters if people won't use it. Changing behavior is hard so, if the "new" login hoops are a complicated hassle and take longer to perform than the password they are trying to replace, you can bet that method will never gain traction.
The UX doesn't have to be telepathic, but it should be 10x better than passwords if it is to get quick user adoption. And, like I mentioned before, if people won't use it, it can't accomplish anything.
3.) Security: Can It Be Trusted?
Biometric data must be processed and stored 100% on the device, and never in the cloud. Every app developer needs to be able to decide that a biometric is secure enough to be trusted in their app, and have control over it. After all, it's the app developers who are holding the bag when a breach occurs, not the hardware OEM. It's the app that will lose the customers and have their brand's reputation damaged. This is why banks won't allow anyone to transfer funds with just a fingerprint - they know it's not secure and it opens the door to something called "friendly fraud," discussed further down.
The biometric must use data that is either impossible to reproduce or have liveness detection that cannot be spoofed by readily available data like fingerprints, photos, or videos. As was recently shown when the Chaos Computer Club spoofed the Samsung S8 Iris scanner using a photo of the eye and a contact lens. Something like the Iris Scanner spoof may not seem like that big a deal, but the fact it can be reproduced so easily is a big problem not only for the reputation of the brands that utilize it but it again opens to the door to friendly fraud.
What is friendly fraud? If you've ever heard of someone buying an item online, receiving it, and then claiming it was lost in the mail just to get a refund of the purchase on their credit card, then you already know exactly how the "friendly fraud" process works. Companies like Amazon and eBay battle these issues everyday but, if a bank were use subpar biometric security, the consequences could be much worse than a few missing packages.
Let's say that a bank uses an iris scanner to allow funds to be transferred out of an account up to $10,000. Theoretically, a customer could scan their iris, transfer $10,000 to an international account and then claim the original account was hacked and demand the money be added back. When the bank says that his iris was authenticated, he could blame the well-known weaknesses of iris security and win in court.
For years, I've been a vocal proponent of working to solve the password problem in a way that is universal, intuitive and secure. But waiting for the next generation of biometrics sensors to proliferate into everyone's devices could take up to 10 years and be too little too late. I challenge the biometrics industry to fully acknowledge the security requirements necessary to truly replace passwords and not pretend to have secure solutions that simply aren't so. There's a lot of money at stake here, not just the $100B a year lost to identity fraud but now the multi-billion dollar mobile biometrics market. App developers and users need to demand a new era of integrity and transparency by demanding the biometrics industry stop lying by omission and start providing official third-party liveness testing results for Presentation Attack Detection (PAD).
It's my opinion that the perennial flops in facial recognition have led almost everyone to believe that a software biometric with true liveness detection couldn't be created; so all the big players have decided to try to solve the problem with hardware. However, these flops have not utilized recent advancements in AI to detect liveness. I know first-hand that software-based biometrics, especially those that utilize AI, can achieve virtually spoof-spoof security levels using algorithms/models small enough to be integrated into mobile apps.
Hardware biometrics will be relegated to opening devices forever once a software biometric proves it can replace app passwords securely because it will be universal and with no limit to its distribution. Adoption of a software biometric will reach record-breaking levels before hardware solutions have a chance. All it would take is the top seven banks in the world to add a software biometric to their mobile apps for nearly one billion people to instantly have access to the technology. However, it would take at least 5-10 years before the same number of people would likely have a device with any type of next-gen biometric hardware in it. I believe that, with hard work, resourcefulness and creativity, the industry will bring to market software-based biometric solutions like face authentication that are secure enough to replace passwords on every device, no matter how big or small the price tag is.
This content is made possible by a guest author, or sponsor; it is not written by and does not necessarily reflect the views of App Developer Magazine's editorial staff.
Become a subscriber of App Developer Magazine for just $5.99 a month and take advantage of all these perks.
MEMBERS GET ACCESS TO
- - Exclusive content from leaders in the industry
- - Q&A articles from industry leaders
- - Tips and tricks from the most successful developers weekly
- - Monthly issues, including all 90+ back-issues since 2012
- - Event discounts and early-bird signups
- - Gain insight from top achievers in the app store
- - Learn what tools to use, what SDK's to use, and more
Subscribe here
