Mobile ID World President Peter O’Neill recently interviewed Richard Lobovsky, VP of Financial Services Solutions, and Shankar Saibabu, Director of Financial Services Solutions Architecture, Samsung SDS America, Inc. The conversation is an in depth examination of Samsung SDS America’s approach to biometrics. It begins with a discussion of the company’s recently launched FIDO Certified biometric authentication solution. It goes on to cover the important role multimodality plays in marrying user experience to adequate security, the prominent mobile biometrics use cases Samsung SDSA has observed, the future of password-based authentication, and much more.
The interview ends with the announcement of an upcoming webinar on November 2, 2016, presented by Mobile ID World and Samsung SDS America: FinServ in the New Age of Identity: Addressing Your Biometrics Concerns.
Peter O’Neill, President, Mobile ID World: Please tell us about Samsung SDS’s approach to biometrics and some of the prevalent use cases you see emerging among financial institutions.
Richard Lobovsky, VP of Financial Services Solutions, Samsung SDS America, Inc.: Samsung SDS has been working in biometrics for a few years and has recently launched our FIDO-certified biometric authentication solution. Although our solution is relatively new to the U.S., in several other countries it has been in use over the past few years. We chose to become FIDO-compliant because we felt the FIDO standard was a compelling approach to biometric authentication, since the standard was created by the FIDO Alliance (Samsung was an early member of this alliance, which now has over 250 companies among its membership). Our Samsung offering is a PKI-based solution, a very widely known standard, using public and private keys to enable an authentication transaction for secure access into an application.
From an ecosystem perspective, we consider ourselves to be an authentication administrator. We developed a platform that works across operating systems. It is both Android and iOS compliant and includes a number of different modalities including fingerprint, facial, and voice recognition. We are also looking into other modalities that involve the eye for authentication. We have the ability to continually add modalities to our platform, whether they are developed at Samsung or are FIDO-certified engines and provided by third parties. We have the ability to quickly expand our offering to the marketplace because we take a holistic platform approach versus a different company that may only offer eye vein verification.
Peter O’Neill: I like your multimodal approach because, especially in the financial services area, it seems like multimodal is the way to go for both security and convenience. If somebody wants to use voice they can use voice, if somebody wants to use face they can use face. What was the main driver in your case to go multimodal?
Richard Lobovsky: Customer choice. When we think about biometrics we think enhanced security and improved UX. Many times they work against each other. When you improve the UX the security lapses or when you enhance security it degrades UX. We looked at it as a balance between security and UX and decided multimodal was important for enterprises to provide a variety of authentication methods for their end users based on their business model and the way they approach their clients.
Peter O’Neill: It is really the best of both worlds, isn’t it?
Richard Lobovsky: Yes, we think so. It is providing choice and flexibility and then it is up to the enterprise to decide what they think is most appropriate for their customer or employee.
Peter O’Neill: As with all emerging technologies, a lot of misconceptions exist in the marketplace around all sorts of things: There has been one around spoofing biometrics – Facebook photos used on facial recognition solutions, that kind of thing. What are some of the misconceptions, especially around storage and the transmission of data?
Richard Lobovsky: When you read the press, particularly consumer concerns around biometrics, it has a lot to do with the idea that consumers are not necessarily comfortable with banks storing their biometric information. This is a very rational concern and along with it there is also a misconception of how certain biometric solutions operate. In the FIDO (Fast IDentity Online) world, the standard mandates that no biometric data is sent to the bank or financial institution. All credentials are stored on the device itself. Even when registering your biometric information, you are not creating a copy of your fingerprint or voice, you are creating a numerical representation (template) of that biometric. And the template stores the numerical representation of the registered biometric. That information is never sent over a network, it is not sent to the bank for storage, it resides within your device.
So, the big misconceptions here are a) it is a replica of my fingerprint, which cannot happen within a FIDO-certified solution or device, b) your information is transmitted to the bank, and c) your information is stored by the bank. It is important to know that there are certain protocols for biometric authentication which are not FIDO-compliant that actually do store biometric information with a bank. Consumers need to understand what type of approach is being used and where your information is being stored. Unfortunately though, most consumers lack the depth of knowledge to understand that banks don’t necessarily share that information. If a consumer is curious about how their information is being stored, we encourage them to ask. But again, with our solution no information is ever transmitted and nothing gets stored on any banking system.
Peter O’Neill: And what about the spoofing aspect?
Shankar Saibabu, Director of Financial Services Solutions Architecture, Samsung SDS America, Inc.: There are ways to spoof anything and everything today. When you talk about technology, nothing is truly “foolproof.” In reference to the Facebook article you were talking about earlier, these scenarios help us to solidify our solution and make sure people can’t spoof it. It is only a matter of time before companies can prove it is not easy to fool these technologies. For example, in our solution we check for liveliness for both face and voice, so simply taking a Facebook photo is not going to get through our system. I am sure there are hackers out there who will try to find a way to break the system, but a new fix will come along. It is naive to believe these technologies do not have flaws when they are introduced; the key is how quickly vendors fix these issues.
Peter O’Neill: This is very interesting, Shankar, and I couldn’t agree more. I was chairing a cyber-security panel at the Mobile World Congress in Shanghai two months ago and I asked the same question about spoofing and attacks. Basically what came back was that these are not going to go away, they are going to increase.
And really, what is the ROI for a bad guy? Considering the amount of effort and work it takes to try and spoof something, there is no benefit there. I also think the multimodal aspect that you have allows you to layer in additional security, so if it is a high-end purchase then maybe there are either two or three biometric modalities in use, which makes it incredibly difficult to spoof.
Shankar Saibabu: In the end, the success factor of all these modalities depends on the end user, things like a) how easy does the vendor make it so the end user doesn’t have to go through hoops to register their biometric information, b) users who rely on simple passwords like 12345, or c) users who use flip phones that can’t support a biometric authentication solution.
Peter O’Neill: Biometrics are going to be much better than our current passwords. End users hate them and they are just not at all functional anymore. Plus, I hear from numerous large organizations that the IT costs of supporting passwords are just getting out of control. When do you think we’ll be rid of the traditional password completely?
Shankar Saibabu: I don’t think we can ever get rid of them completely; it is a question of when do the passwords really come into play. I think more and more what you are going to find is that these systems out there, whether it be financial, healthcare, or any other system, are going to rely less and less on passwords. But then there will still be cases where, let’s say you lose your biometric data or you lose your phone and you need to set up registration again, you still have to go through the same security questions before you can register your biometric information again.
So can we completely eliminate passwords? Probably not, but can we reduce the number of instances where you need to use passwords? I think that is going to happen sooner rather than later.
Peter O’Neill: How do you see FIDO moving forward in the future? What do you see them doing next?
Shankar Saibabu: The FIDO Alliance has played a crucial role in bringing biometric authentication regulation to everyone’s attention. You can now see organizations such as W3C and NIST recognizing FIDO and have even jumped on the bandwagon by incorporating some of the FIDO recommendations into their regulations. FIDO has brought the recommendations, they have done their job. And NIST has taken over, or is incorporating these recommendations, and W3C is doing the same thing for the web.
Peter O’Neill: We spoke a little earlier about some of the vertical markets. Rich, you were mentioning enterprise, which is obviously very important and I think you mentioned financial. Are there other vertical markets where you see your solution being utilized—healthcare, for example?
Richard Lobovsky: Financial Services is probably the lead industry we are focused on for biometrics, but healthcare insurance is another one worth mentioning. Government is an area that is being explored, as we do have another dedicated team within SDSA for the government industry. They are looking at how biometrics can be leveraged. I know one of our government contractor clients is currently initiating a trial to look at the relevance of biometrics for their organization as well as for their customers within the government. Those are the three that are top of mind. Shankar, do you have any other thoughts on industries?
Shankar Saibabu: I also think healthcare is very relevant for this. Doctors and nurses have a number of devices, smart cards, and computers they use daily. A lot of their time is spent simply authenticating themselves to access the system. All of that can be minimized with biometrics, whether it’s a facial or iris scan, maybe not a fingerprint, but healthcare is definitely one of the next verticals that should lead the biometric revolution.
Peter O’Neill: We are certainly seeing it on our end. The healthcare industry has always been watching biometrics, but deployments are becoming much more widespread and I think they are following the financial industry’s lead.
What are some of the prevalent use cases that you see emerging, especially around financial institutions?
Richard Lobovsky: Mobile banking is probably the most prevalent use case that we have seen in terms of interest from a variety of different types of banks, be it tier 1 all the way down to some of the smaller banks. We are also having discussions where biometrics could be used for online banking applications as well as core banking use cases.
Then we see use cases for ATMs around the idea of a cardless transaction for consumers. We mentioned mobile banking and mobile trading, which would be another use case similar to that. Then there is also authentication into company systems, for employees who are currently using a variety of online and mobile applications for work. Within the enterprise we see some opportunities to relieve employee password management where the employee can access a variety of intranet-based applications with their biometric information instead of a password. We are also working on some use cases around Active Director and Office 365 for company systems.
Peter O’Neill: Please tell us about some of your upcoming events. Where and how can people learn more?
Richard Lobovsky: We are participating in Money 20/20 in Las Vegas and we have a suite reserved at the Venetian, so we will be setting up some specific meetings with prospective and current customers. There will be some other Samsung venues at Money 20/20 talking about biometrics.
And as you know, we are also hosting a webinar with Mobile ID World on Nov. 2, and we are still putting that panel together, but Shankar and I will be on that panel along with the executive director from the FIDO Alliance. Then we are also looking at one or two other people to join us for that event. So those are the two major things that are happening.
We also issued an IDG co-sponsored biometrics white paper based on primary research you can find on our website that we are sharing with a variety of different companies. Those are some of the activities that are planned here for the next couple of months.
Peter O’Neill: Well I’m looking forward to moderating the webinar with you and the FIDO Alliance. [Registration for the webinar is available here.] I also look forward to seeing you at Money 20/20 and thank you very much for taking the time to speak with us today.
Richard Lobovsky: Thank you, Peter. We appreciate it.