I was invited recently to moderate a panel on Biometrics at the Atlanta Fed with MasterCard, Morpho, Daon, Pindrop Security and NIST, kicking off a one-day summit to discuss the current technology environment in the US around authentication. There will be a follow-on conference summary made available to the public by the Fed Retail Payments Risk Forum – so this serves as opinion – shaped by my own research and writing on the topic, as well as ongoing debates with organizations who are looking to broaden their use of biometrics.
The most recognizable implementation, TouchID, has improved demonstrably for the consumer and the developer – the former in how quick it has become, making the lock screen pretty useless, the latter in how it allows apps to drive rule-based access where it was once rather rudimentary. When it comes to broader biometrics adoption and awareness, Apple has arguably helped in driving focus and investment for the enterprise, and traction for both providers and modalities to enable remote authentication, payment and access control, among other use-cases.
But beyond TouchID, I can’t shake the feeling that with blind adoption among enterprises, bad security practices shall inevitably follow – including the thinking that it’s acceptable in the context of biometrics to consider identity and authentication as interchangeable. I want to focus on the following four areas for the context of this post:
1) Which biometric modality will prevail?
2) Impact on consumer when things go wrong: Or the end of plausible deniability.
3) On-device or cloud storage, and changing attack vectors
4) Future proofing: What happens when device identities eclipse user identity?
Considering the number of choices – fingerprint, voice, facial recognition, vein, iris – long has been the debate as to which modality offers the most capacity for adoption, experience and accuracy. With Apple TouchID, this may have largely been settled, but the needs for authentication in remote channels (e.g. call center) do offer legitimacy to other types such as voice. The question then becomes whether these will remain isolated in their utility, or whether they will lose out to the accessibility of a smartphone as well as the immutability of its identity (I discuss this further in (4)).
In the above example of a call center environment, a customer calling in using a smartphone can be silently authenticated using his fingerprint in combination with continuous user authentication measures – represented by temporal and behavioral attributes that can be native to the device, or to the customer.
Consumer willingness to be enrolled into entirely new biometric frameworks – Voice, Iris et al – will continue to decline, whether driven by concerns of security, privacy or purely out of laziness and consumer perception of value. Another factor driving consumer willingness to adopt or suffer new frameworks is trust – entirely shaped by the brand’s capacity to withstand malicious access and safeguard data. This puts the role of an identity arbiter out of reach for most.
Irrevocability and the end of plausible deniability:
The irrevocability attributed to biometrics comes from the fact that passwords can be forgotten. But we are inextricably tethered to our fingerprint, voice and iris – attributes that cannot be conveniently misplaced nor forgotten. And thus, a customer who has had his payment authorized by a fingerprint may find it hard to explain its illegitimacy versus one that was qualified by a password or a physical card – both of which carry far less emphasis on trust and uniqueness.
With Apple Pay, banks are already taking this step to discourage consumers from allowing shared access to devices – notifying consumers that they carry liability in all cases where the device was used to authorize a purchase, regardless of whether the transaction was authorized by the customer qualified to use the payment token. What is worrisome is that banks are becoming increasingly comfortable in trusting device integrity over the consumer – even though banks themselves have little role in certifying device security or safeguarding access. This approach of shifting liability to the consumer while the bank itself has little access into – or requisite understanding of – Apple’s iOS and device security stack is disturbing.
In contrast, TouchID does not translate to identity in the context of an Apple Pay transaction – it merely acts as an identifier, one of the two factors authorizing the transaction – the other being the provisioned payment token stored within a tamper-proof secure element on the device. That is not to say Apple hasn’t improved TouchID. Apple now allows keychain items to be invalidated when a new fingerprint is added or removed – thus allowing banks to be more nuanced in authorizing access.
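As an added illustration (not code from the original post or from Apple), here is a Swift sketch of the keychain behaviour just described: a token is stored under an access control bound to the currently enrolled fingerprint set, so that adding or removing a finger makes the item unreadable and forces the app to re-verify the customer. The service and account identifiers are assumed placeholders.

```swift
import Foundation
import Security

// Hypothetical keychain wrapper that ties a stored token to the fingerprint set
// enrolled at save time. When a finger is added or removed, the Secure Enclave
// discards the key protecting the item, so a later read fails with
// errSecItemNotFound instead of silently trusting whoever now unlocks the phone.
enum TouchIDBoundTokenStore {
    static let service = "com.example.bank.demo"   // assumed identifier, not a real app
    static let account = "payment-session-token"   // assumed

    static func save(_ token: Data) -> OSStatus {
        var err: Unmanaged<CFError>?
        guard let acl = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // never synced; gone if passcode removed
            .touchIDCurrentSet,                              // named .biometryCurrentSet on iOS 11.3+
            &err) else { return errSecParam }

        // Drop any previous copy so SecItemAdd does not return errSecDuplicateItem.
        let base: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        SecItemDelete(base as CFDictionary)

        var add = base
        add[kSecAttrAccessControl as String] = acl
        add[kSecValueData as String] = token
        return SecItemAdd(add as CFDictionary, nil)
    }

    /// Returns the token, or nil when the enrolled fingerprint set has changed (or the user cancelled).
    static func load() -> Data? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecUseOperationPrompt as String: "Authorize payment",
        ]
        var out: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &out)
        // errSecItemNotFound here is the invalidation signal the post refers to:
        // treat it as "re-enrol the customer", not as a transient error.
        guard status == errSecSuccess else { return nil }
        return out as? Data
    }
}
```

A bank app would call `save` once after its own customer verification and call `load` at payment time; a nil result after a fingerprint change is the cue to re-run that verification rather than accept the new enrollment.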
On-device or cloud storage, and correspondingly changing attack vectors
Apple opted for a decentralized and encrypted approach to storing TouchID data – specifically within the Secure Enclave, and dead-bolted to anyone other than the main processor. Though it hasn’t shared a lot about the approach to storing biometric data, it is clear that they have put considerable thought into security around capture, transit and storage. With Apple’s choice of a decentralized approach to storing TouchID data, the attack surface is minimized. In stark contrast – both the OPM and HTC were content with storing biometric data as is, unencrypted and in easily accessible locations.
Though modality hardly dictates where biometric data is captured and stored – unless you are Apple, Samsung or a handful of others – you aren’t likely to use on-device storage. Being able to access, certify, carve out and maintain a tamper-proof local storage that can withstand unwanted intrusions isn’t trivial to solve for new players. The rest of the field, which lacks both the deep investment required as well as access, is shying away from on-device storage to opt for the public cloud and encryption to secure data at rest. And yet, centralized storage on the public cloud offers a single point of attack with a large attack surface – since the data can be offloaded and then subjected to brute force attacks until the encryption inevitably loses to increasingly more effective and cheaper computing power. That said – public cloud platforms like AWS have excellent telemetry on attacks.
Where biometric or representative data is stored (and how) should rank high in enterprise considerations as they pursue modalities and vendors because – as the gap between biometrics and identity narrows – any such repository shall have a large target on its back. Being a provider that can reliably capture and match biometric data should not automatically translate into the role of an identity arbiter. This shepherds the debate towards obvious players like Apple – a framework closed to both oversight and standards, and that should be worrisome to all.
Is user identity being eclipsed by device identities?
The most important trend in authentication isn’t biometrics; rather it is the impact on authentication from the continuous proliferation and miniaturization of devices in our lives. As an ever increasing number of radios and sensors are packed into a smaller form factor, into connected devices, each of which requires establishing trust with the others it shares data or control with, such trust isn’t derived from something as arbitrary as a password or as irrevocable and static as a fingerprint.
In contrast, as device counts and assortments grow, they each have their own residual identity as a combination of things and behaviors that are either deterministic or probabilistic. The biggest shift we will see is that the collective device identities can be a far better and more complete representation of customer identity, such that the latter will be replaced by the former. Name-centric identities will give way to algorithmically arrived ones.
What would be interesting is when this class of devices that I own and carry can, together or separately, vouch for my identity. We may forget usernames and passwords, fingerprints may be irrevocable and rigid, but we will always be surrounded by a fog of devices that each carry a cryptographically verifiable signature and that together represent a mesh of identities. And instead of the user, the smartphone will be the center of that universe, and though we may unlock it using our fingerprint – it is up to the smartphone, its ecosystem and the devices that operate in its periphery to individually negotiate and establish trust among each other. We simply are in the way.