What If User Authentication Was Easy?

Traditionally, if you implemented a technology to authenticate a user, you did it for reasons of security. This included passwords, PINs, tokens, and biometric recognition. If you’re in the business of creating or implementing these technologies or related systems, you’d generally be considered to be operating in the IT security or physical security industry. Why is that?

It may seem like an odd question to pose since we often implicitly assume that these technologies have the singular purpose of keeping the “bad guys” out while letting the “good guys” in. This is most certainly a security problem. But is user authentication only useful to address this type of security problem? Most definitely not.

User Authentication is a Pain for Everyone

But before we get ahead of ourselves, back to the original question: why are are we stuck with this “security” tunnel vision? The only answer I can come up with is that, traditionally, it was hard to perform reliable user authentication. Either it was hard for the user, or it was hard to create the technology, or both. Passwords are a pain to remember and to enter (especially in this day and age with mobile devices). Short PINs are a sort of compromise, but not a great one since they’re still a pain to enter and remember, and are not usually very secure. Tokens are annoying to carry around and not lose. Biometrics like fingerprints have traditionally been hard to make reliable while being quick and easy for the user. I could go on…

The point is, it’s a pain for everyone, and so you’d only require user authentication if you really had to. And you generally only really have to if it was an issue of security.

But What If it Was Easy?

So, what if it was easy for a system or device to recognize the user? Or, more specifically, what if it was easy for the user? This is what Bionym’s HeartID is all about: user authentication with a simple touch. If it’s easy, then why limit it to be for security purposes only? This leads me to the question I’d like to throw out there to all app and video game developers, hardware manufacturers, and systems designers:

What function or feature would you implement if you always knew who was using your system without requiring the user to do anything?

Think: automatic personalization. What does that mean for the user experience? What does that mean for the next generation of applications and services?

The Face Recognition Example

I don’t know where all of this is heading, but it’s going to be interesting! We do have an early parallel example to look at: face recognition. Now, face recognition is usually used for identification rather than authentication (Bionym’s FaceID is an exception), but, regardless, it was traditionally a security technology (border screening, etc.). Now we see it being used for face tagging in photos, video searching, etc. It’s still early, but we see developers getting creative and seeing the technology in a much broader scope.

So, let’s think outside the box. What would you do if user authentication was easy?

Biometrics and the Privacy Problem

Biometric recognition technologies, from fingerprint and face, to iris, and even cardiac, are becoming more mainstream, showing up at border control points, enterprise environments, and now in consumer electronics. When discussing these technologies from a user perspective, privacy issues are often raised and there can be a general “ick” factor associated with the technologies. But, what are the specific risks? Is there a real problem or just a perceived problem?

All biometric systems, whether used to verify a person’s identity (1-to-1 matching) or used to identify a person (1-to-many matching), have an enrollment process that looks like the diagram below:

While the details of the different processing steps can vary greatly (this is the secret sauce that each vendor guards carefully) the output is, in principle, fundamentally the same: a biometric template that is used to differentiate one individual from another. In privacy and data security lingo, this is called Personally Identifiable Information (PII), like your passport number, license plate number, name, etc. In fact, if you think about it, biometric templates are the most personally identifiable information. Biometric templates are created for the sole purpose of being able to uniquely identify you and are bound to your identity like no other forms of PII.

Okay, so biometric templates are PII, but why should we care? To answer this, we have to look at the big picture. A biometric template doesn’t exist in isolation – it’s stored as part of a system that has some specific purpose (e.g., your laptop, your government record, the security system at your work, etc.). If there’s ever a data breach where your biometric data is included in the payload, the bad guys now have very valuable data that can link you to other databases that may also have your biometric data (or using other data fields). Or, it doesn’t even have to be “bad guys,” it could be the police – but did you give your biometric data to be used as part of a police investigation? Or, it could just be the entity that you originally provided your biometric data to that wants to commoditize it along with all your other personal information that it has gathered (think Google or loyalty cards, and how they make money).

Some people think that this is fear-mongering since there are only so many places where our biometric data currently is being stored, making the risks rather low. But it’s important to be forward thinking – as biometric recognition technologies pervade the digital world (it’s happening as we speak), the risks will increase. Furthermore, our biometric data isn’t changing. Whatever we put out there now will just increase in value over time.

Another way to think about, in the context of using biometrics for access control: your biometric data is like a password you can never change. If it’s ever compromised, it’s compromised forever. There’s no going back. Imagine if your online banking password was compromised and then you were told that you couldn’t change it? Pretty much all authentication credentials other than biometrics can be revoked if compromised. Biometrics? Good luck getting your fingerprints or face replaced.

In some of my talks I like to say that if I were part of a forward thinking, criminal organization that currently spends effort skimming credit cards, I would start to think about collecting biometric data from the general public. The value will just go up over time.

So, how do we mitigate the risks? What can the average person do when they are expected to provide a biometric sample as a citizen, or employee, or consumer? That will be the topic of future posts. I will also cover some of the myths associated with biometrics and privacy. For further reading, the Privacy Comissioners of Ontario and Canada have some great reference material.

Photo: Fish Kiss.

Welcome to the Bionym Blog

Welcome. We’re starting this blog as a way to share our thoughts and discuss various topics related to biometrics, privacy, and data security (the three themes that define and inspire Bionym). I’m Karl Martin, President & CEO of Bionym Inc., and I expect to do most of the posting here, but other members of the Bionym team will contribute occasionally as well.

This is just an introductory post, but a lot of the future posts will be derived from the various talks I give, with topics including:

  • the privacy risks associated with biometrics
  • new research in biometrics, including face recognition, medical biometrics (including ECG), and biometrics on mobile devices
  • biometrics and data security
  • the challenges with making biometrics a truly useful security tool and not just a toy

This blog will not be used to pitch Bionym’s products! We at Bionym have a keen interest in developing disruptive technologies and a genuine curiosity of the changing technology landscape. I hope that others will share their thoughts in the comments.

I also happen to be an avid photographer, so each post will include a random photo of mine to give you something more than a block of text to look at.

Photo: Toronto skyline.