Jay Meier is thinking about biometrics in the long term, and that’s because he’s excited about the future of the technology. He’s not satisfied with basic personal security. Put a sensor on a smartphone so that it turns on when you touch it? “If that’s as good as it gets we’re done,” he tells me. “We haven’t even started to secure the important stuff yet.”
Our conversation started with a very basic question, one about the current state of mobile biometric commerce. After breaking the issue in two and outlining the obstacles, Meier had painted the picture of a landscape filled with payment solutions but not quite ready for mobile banking. It had me feeling impatient, as I’m sure much of the industry is. The future of convenient, mobile and secure personal finance is so close, but it’s still evolving.
“While it takes a long time for this stuff to develop and evolve,” says Meier, “the size of the market opportunity is so much bigger than anybody realizes. This isn’t about putting sensors on phones, this is about guarding privileges. It’s about a better credentialing solution to guard all those privileges.”
Again, this is big-picture, long-term thinking. In order to guard privileges, said permissions must be attached to your identity. Who is responsible for that, and what that involves, leads to an interesting concept that Meier calls “The Trusted Source.”
“I recently blogged about ‘The Trusted Source.’ I described the root identity source that anchors identity,” he says.
He uses the process of enrolling a biometric on a current-generation smartphone as an example. You buy a phone and you sign up with a service provider. That service provider then has your biographic data, like name, address and phone number, confirming that the rightful owner of the phone is you. You get your top-secret four-digit PIN and you enroll.
“And from that point on,” says Meier, “that phone is presumed to be absolutely secure. That phone is assumed to be the root identity.”
“It’s presumed that whatever that phone instructs out there for mobile payments is safe,” he continues. “After all, only the user of that phone can authorize that payment because we’ve enrolled that person and we know who that is. Well, do we? Do we really know who’s using that phone?”
Meier raises two conundrums to illustrate his point. The first is the situation of a sensor being spoofed, which can be addressed with adequate liveness detection or a robust algorithm. The second issue is that there may be no guarantee of a user’s identity when she registers a phone. In both cases, according to these examples, the only sure thing is that a positive signal is coming from the device.
“There needs to be another level of backstop,” Meier explains. “There needs to be a trusted source of identity information. Maybe a credit reporting bureau, maybe the department of motor vehicles. I don’t know what it is. We haven’t really figured this one out yet. When we do, that will go a long way.”
He inserts me into the example: “Because if we know with a much higher degree of assurance that it’s actually Peter when he enrolls on the phone, then we can at least have that much higher degree of assurance that it’s actually Peter who’s trying to use the phone later on.”
The trusted source is becoming more and more essential as biometrics become more ubiquitous on a consumer level. Meier says that, though a trusted source doesn’t exist yet, it is only a matter of time. And it’s a good thing too, because, according to Meier, the industry is being held back by its absence.
“We’re directly involved in some of that,” he says, referring to BIO-key. “You’re gonna hear more and more and more about that kind of stuff over the coming years because it has to evolve. The system has to change but it’s going to evolve at the pace of the underlying hardware.”