1. How do biometrics work?
Biometric technology works by comparing a specific part of the human body with data on file for purposes of authentication, identification or health monitoring. Every biometric system is different, but they all operate under the same basic three steps: enrollment, storage and comparison. In the case of authentication, the first time you use a biometric system, it records basic information about you, like your name or an identification number. It then captures an image or recording of your specific biometric trait. Contrary to what you may see in movies, most systems don’t store the complete image or recording, but instead analyze your trait and translate it into a code or graph called a template. The next time you use the system, it compares the trait you present to the information on file. Then, based on that comparison, it either accepts or rejects your authentication request.
2. Why is biometric technology becoming so popular on mobile devices?
To put it simply, biometric technology offers stronger and more convenient security than previous authentication methods. Passwords and PINs can both be compromised or forgotten, and must be changed on a regular basis. Since users are using their smartphones to access their many accounts, having a single strong authentication factor presents an attractive level of convenience while improving security. Because a biometric system is based around who a user is and not what she knows or has, it is more intuitive to use than a password – especially considering that the username/password system in place was developed for devices with a QWERTY keyboard – and much more difficult to compromise. Thanks to recent innovations, biometric solutions are becoming increasingly accessible and recent high profile security breaches have underlined a need for better-than-password technology.
3. What is the difference between visible and invisible biometrics?
The term “invisible biometrics” refers to the unique traits that a person displays resulting from a large number of smaller physical traits and tendencies. In Mobile ID, these include voiceprint recognition, vital biometrics, walking gait and physical or logical behavior analysis. Visible biometrics on the other hand rely on physical traits like hand and fingerprint patterns, vein images, patterns on a user’s eye and facial recognition.
4. How does identification differ from verification?
Biometric identification, frequently used in law enforcement and border control, is the process of comparing a user’s live biometric sample with many templates stored in a database in order to see if said subject is listed within the data set. Biometric based verification is the process of confirming the asserted identity of a user by comparing her live biometric sample with a particular record in the database to the ends of granting access.
5. How does Mobile ID fit into the Internet of Things?
The Internet of Things is on the verge of entering the consumer and residential markets, and is a key component in the connected car industry. As IoT grows and proliferates into all areas of society Mobile ID solutions offer two major benefits:
1. Mobile ID solutions can help end user interface with smart objects, either from an experience standpoint (the Thing senses your unique ID and reacts accordingly) or and administrative perspective (using voiceprint and speech recognition to change the settings on a connected Thing).
2. Mobile ID solutions can offer much needed, network-wide security. As IoT solutions begin to flood into the market, experts are scrambling to find strong security solutions that can protect the machine-to-machine network from sophisticated cyber threats.
6. What is the difference between on-device and in-the-cloud biometric matching?
On-device biometric matching is common in mobile wallet applications and smartphone biometrics solutions being used for personal account access. In these scenarios, the biometric templates are stored in a secure place on the mobile device that can only be accessed by the authentication technology. On-device matching is therefore touted as an answer to the privacy concerns that inevitably spring up around biometrics.
In-the-cloud matching has the biometric templates stored on the servers of service providers and institutions requiring a specific, uniform level of security. The biometric is scanned by an end user with her device, sent to the servers of the authentication provider, and authenticated behind a secure firewall. Many believe this approach to be ideal for mobile banking transactions and it has clear benefits in enterprises that allow for BYOD (Bring Your Own Device).
7. Can a biometric be stolen?
A biometric cannot be stolen in the same sense as a password or key. That is not to say that they are an infallibly secure technology. Some biometric systems can be fooled into recognizing fake replicas of fingerprints, pictures of faces or voice recordings. This fraudulent practice, called ‘spoofing,’ is objectively more difficult and less scalable than password theft. Anti-spoofing technology, otherwise known as liveness detection, is constantly being developed to allow biometric solutions to detect fake features.
If a company storing biometric templates in a database suffers a security breach, however, and a hacker obtains the authentication information, it poses significantly less risk than if passwords are compromised. A template is a derived code, not a biometric feature. Where a stolen password can be used by anyone, a stolen template is functionally useless.
8. How do second factors work in comparison to biometrics?
While a biometric is something you are, a second factor is something you have used in conjunction with something you know (a password or PIN). Biometric authentication often forgoes the “something you know” step completely, but a second factor relies on it. A user authenticating in this manner enters a password or PIN and then must prove that she also has the authorized device in order to be fully authenticated. Common second factors include tokens that generate a One Time Password (OTP), a mobile device with GPS (location based factors), or smart cards (which are also used in conjunction with biometrics).
9. Do fingerprints and other biometrics change when you get older?
Once a person stops growing, their fingerprints and other biometrics are largely constant. Mutilation and general wear and tear can change a person’s physical appearance and therefore their biometrics. Ongoing studies dedicated to the effects of age on a human’s biometric traits exist. At the moment of this writing, it is believed that irises and fingerprints do not change with age. If a change in a user’s biometric s does occur, that user can be re-enrolled into a system.
10. What needs to be considered when you enroll your biometric?
Enrolling in a biometric system is slightly stigmatized thanks to a lack of public education on the topic. There are very few privacy concerns when it comes to enrolling in a system for authentication purposes. That said, as with all processes that require your personal information, be sure to understand how it is being used, where it is being stored, and why you are being asked to submit your biometrics.
A recent ruling by a Circuit Court Judge in the United States has seen criminal defendants being compelled by police to give up fingerprints for access to smartphones – something that cannot be done with passcodes or knowledge-based authenticators. This ruling has underlined the importance of dialogue in the role that biometrics play in everyday security, and why policies and rules should be at the forefront of the industry’s conversation.