Knowing who your users are today is more important than ever. This explains, in part, why integrating biometric usage into identity and access management (IAM) appears appealing. Throw in some artificial intelligence (AI) to help manage all these data points, and the future of biometrics looks pretty wild.
The appeal of using biometrics for identity and access management is high. They are hyper accurate, and as of now, difficult to edit or crack. But that’s not to say this situation can’t change, nor does it say anything about the data liabilities you are incurring if you employ biometrics in your enterprise in the meantime. And, the industry is moving beyond focusing solely on facial recognition tools.
So, what should security professionals know about the state of biometrics and how to manage biometric data?
Basic Biometrics: Wearables
Most of us have probably carried some type of key card at some point in our life, but now, even wearables are becoming commonplace. Instead of using a radio frequency identification (RFID) key card in your wallet or purse, low energy Bluetooth devices may be able to perform the same tasks. You can still use your same token-type access, but once you start merging technologies, you get an entirely new set of possibilities.
For example, does your wearable have some sort of health monitoring capability? Don’t be surprised if your heartbeat or electrocardiogram record turns into your next “key” to the door.
Lasers
On the topic of heartbeats, how about instead of a wearable you have a laser measuring your heart’s output? Now imagine you could detect that heartbeat from hundreds of yards away. It exists, and it even works through light clothes by detecting the surface movement on an individual’s body caused by the heartbeat. With an increased ability to identify and authenticate using cardiac measurement, facial recognition — which requires certain lines of sight and can still be manipulated — may soon become a thing of the past.
Eyes Don’t Lie
You may think you have the perfect poker face, but can you beat the AI? Biometric technologies can go far beyond simply recognizing you; they can detect your mood even when you wear a mask by focusing on your eyes. Iris-scanning biometrics capture a photo of the patterns in the circle of your eye to verify and authenticate your identity.
Iris recognition is contactless and renowned for its accuracy. It also can be used at long distances, with some solutions requiring only a glance from a user.
Say That Again?
Believe it or not, speech recognition has been around for some time, dating back to the 1950s. The Shoebox Machine, developed by IBM in the early 1960s, was able to recognize 16 spoken words, the ten digits zero through nine, and a series of commands, such as “plus,” “minus” and “total.” But we have come a long way.
Today, there are two types of ways to authenticate speech: text independent, where authentication occurs using any type of speech, and text dependent, where a specific passphrase is required. How does all this happen? Just like many individual features, our voices are unique, differentiated in the intensity, dynamic and pitch.
Physiological and Behavioral Nuances
From just these three examples, the future may appear less wild and, instead, feel creepier. We haven’t even discussed the abilities to detect your walking patterns (already being used by some police agencies), monitor scents, track microbial cells or identify you from your body shape. More and more organizations are looking for contactless methods to authenticate, especially relevant today.
What all these biometrics technologies have in common is that they are using some combination of physiological and behavioral methods to make sure you are you. There are certain things people just can’t fake. You can’t fake a heartbeat, which is as unique as a retinal scan or fingerprint. You can’t easily fake how you walk. Even your typing and writing styles give off a distinct and unique signature.
The Good News About Biometrics
If these technologies perform as advertised, we may be heading towards an authentication revolution. Toss away those credit card-sized RFID badges and ID cards, because those lasers are going to be doing the work now as you’re walking down the street.
It’s pretty easy to see the value of such hyper-unique authentication possibilities, especially when you integrate them into your physical security posture, as well. Threat actors will have a pretty hard time getting your heartbeat out of you. Or, will they?
The Risks Always Come from Data
Some of the best innovators are threat actors. They may not be able to replicate your heartbeat today, but what about tomorrow? The not-too-distant future could include a “Mission: Impossible“ scenario with 3D printers that generate a ‘body suit’ (think wetsuit) that can have a simulated heartbeat uploaded into it.
This all may sound like science fiction right now, but not too long ago, would it have not been silly to think that your heartbeat could be identified through clothes using a laser from over 200 yards away? After all, legitimate researchers are demonstrating they can use AI to beat even facial recognition software. And don’t be fooled, the technologies can be beaten. Iris recognition can be beaten by a high quality picture, and a talented user with some basic audio editing software can trick voice recognition.
We can’t be short-sighted about biometrics for three main risk reasons.
Risk No. 1: Jurisdiction of Biometrics
Your enterprise should be making efforts to make yourself more cyber resilient — and somewhere along that roadmap, authentication will be an issue. You always need to balance the risks of biometrics, along with any associated costs. For example, data handling practices are changing fast. In July, the European Court of Justice made a landmark ruling that completely alters how data outside of the bloc is handled. The pressure on organizations is high as they figure out how to manage data. Offshoring data, once done for cost saving purposes, may no longer be an option.
Risk No. 2: Big Data
Another big data issue is daunting for more reasons than one. First of all, if you decide to integrate biometric authentication tactics into your enterprise, you’re going to be collecting a lot of personal identifiable information (PII) on your staff. You’re also going to be collecting something else: personal health information (PHI). Do not be surprised if the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which currently applies to health care providers, health plans and health care clearinghouses, takes on some new form and applies to anybody holding biometric information.
Biometrics and big data also have a management issue. Plenty of this data may have some mobile element to it. Consider that your sensors are endpoints. Will somebody be able to install a sniffer or skimmer on these devices and scoop up all this biometric data? Do you want to hold all this PII and PHI as a liability on your data balance sheet? In the long run, that’s what all this data becomes as you collect it.
Risk No. 3: Biometrics and Privacy
Finally, surveillance overreach creates legitimate privacy concerns. The same biometrics technology used to ensure you are the legitimate user that is authenticating into a system can also be used to detect your every movement. Once you overlay powerful artificial intelligence technologies, any deviation from what are deemed your “normal patterns” may get you some third degree scrutiny. For now, your thoughts may be safe, but your brain waves can already ID you with 100% accuracy.
Before getting sucked into the lure of authentication, make sure biometrics are right for you, and be ready to manage a whole new set of risks and cybersecurity concerns. If you’re not ready, willing and able to thoroughly manage and secure this data, hold off. The cost to you may be high.
Senior Director, Educator and Author