Biometrics – boosting security now and in the future

(CU Photo by Steve Jacobs)

Dr. Stephanie Schuckers is the Paynter-Krigman Endowed Professor in Engineering Science in the Department of Electrical and Computer Engineering at Clarkson University, U.S.A. and serves as the Director of the Center for Identification Technology Research (CITeR), a National Science Foundation Industry/University Cooperative Research Center. We interviewed Dr. Schuckers to hear about the developments and latest research in biometric technology…

 

The Covid-19 pandemic has accelerated many trends surrounding digital transformation; how do you feel this has impacted biometrics and created opportunities for the industry?

The pandemic has forced people to do most of the functions they might normally do in person – such as going to work or visiting their bank branch – at home. Unfortunately, this brings an associated risk of fraud as criminals take advantage of the situation. Biometrics not only brings another tool in the toolbelt for fighting fraud but also provides a connection with our physical selves along with the ability to measure things like liveness. So, an individual can be recognized through means such as images or voice signatures. Then together with liveness detection it is possible to have a good notion of whether or not a person is physically present – and not some digital bot. While this technology doesn’t necessarily mean that we should stop doing some of the other anti-fraud measures we use, we are finding that some of them are not as secure as we would like them to be. Biometrics gives organizations another factor to work with, one that can be layered alongside existing solutions to provide strong security.

As more organizations and companies start to adopt biometrics, what would you advise them to consider when implementing biometric technologies?

You really want the technology to complement your current processes. For example, if you have processes that relate to Know Your Customer (KYC), a biometric can be conveniently integrated and used alongside them. Depending on the situation and its associated risk level, you may have a number of ways to confirm the identity of a person, either on a first-time basis or a later confirmation. In a layered approach you have the ability to request a stronger confirmation. Perhaps you are not happy with the answer to a knowledge question, so you use biometrics to obtain the appropriate level of confirmation. Of course, when you implement biometrics it is important not to think in terms of, ‘I’m going to throw everything else out and I’m putting this in instead,’ but rather, ‘How do I put these things together to create a good experience for my customer as well as minimizing the risk for my organization?’ Finally, it is also important when choosing a technology to consider how it can be implemented together with your organization’s existing policies.

How can organizations protect themselves against challenges such as deepfakes and other spoofing attacks?

Until a few years ago, spoofing attacks were really about creating physical artifacts such as a fake finger or holding up a photo of a person’s face. To protect against these types of attacks we use liveness detection or presentation attack detection (PAD). What’s new today is deepfake technology. We can protect against deepfakes in two ways. The first way is still that same technology – PAD technology – because somehow a deepfake has to be entered into your system – and one entry point is through your capture device. If your capture device is integrated with liveness detection, then it is going to recognise the attempt as a deepfake. The second entry point where a deepfake can attack the system is actually after the sensor, if your biometric recognition system doesn’t actually control the capture process, for example where an individual takes a selfie, stores it on their device and then uploads it through a web page. The problem here is that you are not checking liveness at the time of capture and you are creating a hole through which a deepfake could be submitted at that point. This can be addressed by checking liveness as close to the point of capture as possible and so removing the vulnerability that can exist between the sensor and the processing.

As the use of biometrics becomes more pervasive, what are your thoughts regarding privacy concerns?

I think that we have clearly come a long way in terms of understanding privacy, particularly with European legislation around GDPR, some USA states and other countries around the world. As a result we’ve started to look closely at biometric technologies. What we want is a landscape with controls – there are good models for how to work with biometrics and for a large variety of applications; this can include consent. The kind of applications that may not include consent are typically those used for forensic applications or for intelligence. By and large, consent is part of what we expect and it includes stating clearly what you plan to use the information for and then sticking to that promise – not changing and using the information for a different purpose. Through that process I think that privacy concerns are decreasing significantly, especially as people are much more used to using biometric technologies through their phone.

How can biometrics support the increased use of digital identity and the importance of protecting it?

There are two scenarios for digital identity. Firstly, where we don’t know the person to begin with and we are trying to find a way to establish their identity. We typically do this today through processes to give information, for example names, addresses and ID numbers which can be checked against government resources. Now biometric technologies can capture a photo of your document, a photo of yourself and ensure a match – even matching against a government or private database. Secondly, once you’ve completed onboarding then you can also use biometric technology to alleviate the pressure of re-confirming a customer’s identity throughout authentication.

What do you see as the most exciting innovations at the moment in biometrics and what do you think the trends for the future will be?

For future trends, behavioral biometrics certainly has an important role to play as do alternative methods for capturing biometric information. Template security and carrying out matching in the encrypted space is very interesting as it means you would never have to decrypt – think of it as a one-way transformation where you can avoid creating a weak point in the process. You have a biometric, you transform it into some kind of code or key. Then the key is uploaded and stored on the server. You don’t need to put the biometric on the server – that keeps it protected – and later if you want to match against it, you just take your biometric, transform it again and then confirm with the key on the server. You don’t have to decrypt in order to do the matching. This technology has been researched for a long time and we’re starting to see people looking at it for potential adoption.
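
The transform-then-match flow described in the last answer, as an added example that is not part of the interview and not any vendor's scheme: a simplified cancelable template (key-seeded random projection plus binarization, in the style of BioHashing). The feature vectors, keys, sizes and threshold are constructed assumptions.

```python
import random

DIM = 64          # length of the feature vector (assumed)
BITS = 256        # length of the protected template (assumed)
THRESHOLD = 0.25  # max fraction of differing bits accepted as a match (assumed)

def protect(features, user_key):
    """Transform features into a revocable bit template.

    Each bit is the sign of one key-seeded random projection, so the raw
    features are never stored. Illustration only: random.Random is not a
    cryptographic generator.
    """
    rng = random.Random(user_key)
    bits = []
    for _ in range(BITS):
        row = [rng.gauss(0.0, 1.0) for _ in range(len(features))]
        bits.append(1 if sum(r * f for r, f in zip(row, features)) >= 0 else 0)
    return bits

def distance(a, b):
    """Normalised Hamming distance between two templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def matches(stored, probe_features, user_key):
    """Server-side check, done entirely in the transformed domain."""
    return distance(stored, protect(probe_features, user_key)) <= THRESHOLD

def sample_features(seed, noise=0.0, noise_seed=0):
    """Constructed stand-in for a feature extractor's output."""
    base = random.Random(seed)
    jitter = random.Random(noise_seed)
    return [base.gauss(0, 1) + jitter.gauss(0, noise) for _ in range(DIM)]

def demo():
    key_v1, key_v2 = b"alice-key-v1", b"alice-key-v2"  # constructed keys
    enrolled = protect(sample_features(1), key_v1)     # what the server stores
    same_person = sample_features(1, noise=0.05, noise_seed=7)
    other_person = sample_features(2)
    return {
        "genuine": matches(enrolled, same_person, key_v1),
        "impostor": matches(enrolled, other_person, key_v1),
        # Revocation: after re-keying, the leaked v1 template no longer matches.
        "old_template_after_rekey": matches(enrolled, sample_features(1), key_v2),
    }

if __name__ == "__main__":
    print(demo())
```

The projection key has to be protected as well: this construction is lossy, but it is not a cryptographic one-way function if the key is disclosed.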