Few question the necessity of utilizing biometric authentication for security, but the battle still rages over the role of the cloud.
It is obvious that the current methods of securing our devices are not working. Over the last year, there have been numerous thefts of passwords, credit card numbers, and other sensitive information. This is a stark reminder that the same method used for securing our computers, before smartphones and the cloud, no longer works in today’s connected society. Even the more secure method of two-step authentication, where you need a password and a PIN from your phone, is both inconvenient and has its own security flaws.
The revolution is coming, and it will be in the form of biometric authentication. Apple has already added fingerprint scanning, and Samsung soon will, to make their devices more secure. Voice and face recognition are the next logical steps as they do not require additional hardware. However, the debate rages on over WHERE the authentication should take place.
There are two primary options being considered: 1) Storing your biometrics on your device or 2) Storing your biometrics in the cloud. The FIDO Alliance wants us to believe that the first option is the best. In order to join the FIDO Alliance, you must create biometric authentication methods that are stored locally, on the device and/or on a separate dongle that the company or user must provide. They argue that privacy is of paramount importance and that storing sensitive information such as PINs, passwords and biometrics on the device keeps big corporations and/or cyber thieves from gaining access to personal information.
Unfortunately, by storing PINs, passwords, and biometrics on the device, the user is taking a big risk if their device gets lost or stolen. Once a thief has their device, they not only have access to the banking and financial apps that the victim uses, but also have access to the information that will gain them entry into those applications. With a little bit of know-how, a thief could mount a “hill-climbing attack” and reverse-engineer a person’s biometric template.
On top of the very real security issues, having biometrics stored on the device severely limits the scalability of the application. For every device a user owns, they must re-enroll their biometrics, which must then be checked against existing users in a company’s database. The chance for duplicates and wrong information is high with this method, and it is a potential headache for both the user and the company.
The other option is to have the authentication occur in the cloud. By storing this information in the cloud, you provide a very scalable and secure solution. Users need only enroll their biometrics once and can then authenticate from any device with the capacity to run the verification application. Furthermore, additional security methods, such as multiple biometric features, PINs or passwords, can easily be added as desired. This method provides the best in security, performance, high availability, and cross-platform support.
The drawback to storing biometrics in the cloud, as FIDO argues, is that the cloud is not always secure against these cyber criminals. Fortunately, there is a simple solution – make any information being transmitted through the cloud anonymous. It works like this:
- A customer uses their device to make a purchase.
- The bank sends the request into the cloud for authentication.
- The cloud sends a message back to the customer’s device, confirming that they have requested this transaction.
- The customer affirms this request by logging in with their biometrics, such as a face snapshot, voice passcode, or fingerprint.
- This confirmation is sent back into the cloud and forwarded to a biometric database where it is confirmed or denied with a very precise algorithm.
- The confirmation is then sent to the bank, which in turn completes the purchase.
While there are several steps involved to ensure security, the beauty of utilizing the cloud is that these steps occur extremely quickly and the customer, bank, and retailer can feel confident that their transactions are secure.
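The six steps above, sketched in Python as an added example; it is not ImageWare's code or part of the original article. It assumes "anonymous" means the bank replaces the customer's identity with an HMAC-derived pseudonym before anything reaches the cloud. The names `pseudonym`, `BiometricCloud` and `purchase`, the distance-based matcher and the sample vectors are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

BANK_KEY = secrets.token_bytes(32)  # assumption: held by the bank, never sent to the cloud

def pseudonym(account_id: str) -> str:
    """Opaque ID the bank sends in place of the customer's identity (assumed scheme)."""
    return hmac.new(BANK_KEY, account_id.encode(), hashlib.sha256).hexdigest()

class BiometricCloud:
    """Cloud service plus biometric database; it only ever sees pseudonyms."""
    THRESHOLD = 0.25  # constructed value for the toy matcher

    def __init__(self):
        self.templates = {}  # pseudonym -> enrolled feature vector
        self.pending = {}    # txn_id -> pseudonym awaiting confirmation

    def enroll(self, pid, features):
        self.templates[pid] = list(features)

    def request(self, pid):
        """Step 2: the bank asks for authentication; step 3: txn_id goes to the device."""
        txn_id = secrets.token_hex(16)
        self.pending[txn_id] = pid
        return txn_id

    def confirm(self, txn_id, sample):
        """Steps 4-5: the device returns a live sample; it is matched against the template."""
        pid = self.pending.pop(txn_id, None)  # pop: each txn_id is accepted once
        enrolled = self.templates.get(pid)
        if enrolled is None or len(sample) != len(enrolled):
            return {"txn_id": txn_id, "verified": False}
        # Toy matcher (Euclidean distance), standing in for a real biometric algorithm.
        dist = sum((a - b) ** 2 for a, b in zip(enrolled, sample)) ** 0.5
        return {"txn_id": txn_id, "verified": dist <= self.THRESHOLD}

def purchase(cloud, account_id, sample):
    """Steps 1 and 6 from the bank's side: complete only on a matching, verified reply."""
    txn_id = cloud.request(pseudonym(account_id))
    reply = cloud.confirm(txn_id, sample)  # in practice sent by the customer's device
    return reply["txn_id"] == txn_id and reply["verified"]

# Constructed sample data: a three-value "template" and two live samples.
ENROLLED = [0.10, 0.80, 0.35]
GENUINE = [0.12, 0.78, 0.36]
IMPOSTOR = [0.90, 0.10, 0.60]
```

In this sketch the pseudonym hides whose template a record is, not the template itself: anyone who reads `templates` still obtains the enrolled vectors, and the stable pseudonym links every transaction by the same customer.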
ImageWare®’s GoVerifyID™ is a simple, easy-to-use, and simple-to-install multi-modal biometric authentication application. It works with the most popular smartphones and offers a pay-as-you-go service model so there are no start-up fees or commitments. In addition to providing the best in easy-to-use biometric security, GoVerifyID runs on ImageWare’s GoCloudID™ software-as-a-service platform. GoCloudID utilizes an anonymous algorithm to ensure that a user is secure, even in the event a hacker gains access to a cloud’s vault.