Fingerprint biometrics has become one of the most widely used authentication modalities because of its long history, ease of use, performance, interoperability, ability to thwart imposters and low cost.
To improve security, chips on cards can securely hold biometric templates that can be matched at the point of verification, and smartphones or other mobile devices could also contain secure digital credentials – writes Phil Scarfo, VP Worldwide Marketing, Biometrics with HID Global.
A person can match his or her fingerprint data with the information carried on the card, phone, wearable or other digital personal device — there is no local database or network connection required. As mobile banking rises, applications could allow users to store their biometric data on their own devices for privacy, portability and convenience.
Best practices should be observed for the most successful implementation, including:
Biometric Sensor Reliability
Sensor technology must work reliably under the broadest range of real world conditions. Multispectral imaging technology ensures that unique fingerprint characteristics can be extracted from both the surface and subsurface of the skin. More data and better images yield superior and reliable matching performance. Additionally, the use of field-updatable liveness detection capabilities ensures proof of presence by preventing the use of fake fingerprints or “spoofs.”
Optimized Data Security
Properly architected system designs will always consider and protect against both internal and external threats and attacks. Beyond the encryption of the data itself, there are now many good alternatives available for building highly secure and well protected systems. For instance, for strong and reliable user authentication, organizations should consider, where practical, multi-factor and even multi-modal authentication to maintain security even if some identifying data is compromised. Today’s authentication technologies enhance security while replacing passwords and improving convenience in a seamless way that is non-intrusive to the legitimate user.
Tamper Protection and Trusted Connections
The biometric used to authenticate the user for each transaction must interoperate with trusted devices at each point of verification. This is done by creating a device-independent, trusted physical identity verification process. Additionally, the physical devices themselves must be tamper resistant to ensure that all transaction integrity is preserved. The device can be encryption-enabled with various tamper resistance and detection capabilities that protect the integrity of the communication between the client and the sensor, and the chain of trust must be preserved end-to-end if the goal is, for example, to simplify financial transactions for users while eliminating fraud for financial institutions.
Scenario testing is always recommended in order to evaluate biometric technologies in specific environments and applications. Any well-designed system must provide a very positive user experience while maintaining required levels of security and reliability. Systems that make access difficult are frustrating for legitimate users, who then take their business elsewhere. Usability can be ascertained through scenario testing.
Linking Mobile Credentials to a Biometric Identity
Because digital credentials are simply aliases for one’s true identity, it is critical to authenticate credentials stored on a user’s personal device and link those credentials back to a true identity with biometrics. When credentials and digital aliases are bound to a unique individual’s true identity, a rich set of new trusted applications and services are enabled. Unless and until all systems are designed to support biometric authentication, both the user and vendor are exposed.
More Robust Biometric Templates
It may be desirable in some application-dependent situations to construct and enforce the use of enhanced biometric templates. The use of a “super template” that uniquely combines biometric data with other information — perhaps even an OTP or other out-of-band data — enables the system to recognize and reject a biometric template that was created from a stolen fingerprint image. Templates can reside on a card or on a chip or in a smartphone or personal wearable. As some do today, banks could enable multi-factor authentication and require that both the biometric and some other data be provided. Alternatively, they could enroll biometric data and then “sign and encrypt” the template with unique or closed-system data.
The ability to store biometric data on a personal device eliminates the need for a local database or network connection and is one way to ensure privacy. Encryption and tamper-resistant devices prevent the interception of private biometric, biographic, and transactional data. Finally, while biometric characteristics are not themselves inherently private, well-designed biometric solutions prevent fraudulent access and allow individuals to control their true identity.
Look to the future, using biometrics to authenticate mobile payments and other bank transactions will likely become a very big market driver. With new technology adoption, though, comes new risks: as biometric applications become increasingly widespread, and are relied upon for securing personal transactions, deployed solutions are likely to be targeted for attack. Consequently, it will be increasingly important for those deploying biometric authentication to understand that not all biometric devices and solutions are created equal.