Derek Northrope, Fujitsu’s Global Biometrics Community Lead, outlines how innovation, culture and consumer attitudes are shaping the future of biometric security.

Once the stuff of sci-fi novels, biometric technology is now a daily part of people’s lives. Forget about case-sensitive passwords. These days speaker identification systems, iris scanners, fingerprint pads and facial recognition tools are accepted interfaces for signing into bank accounts, unlocking smartphones, validating passports and gaining access to restricted areas.

But while biometrics promises to enhance security and reduce fraud, controversy continues to swirl around its impact on personal privacy and data security.

In our interview Derek Northrope, Global Biometrics Community Lead for Fujitsu, shares his insight into the trends, evolving consumer attitudes and technological advancements as well as the business challenges that are shaping the demand for biometric solutions, and discusses what the future holds for this pivotal technology.

Consumerization of biometrics

I-CIO: Government agencies have long relied on biometrics to secure facilities and validate workers’ identities. However, as consumers become increasingly tech-savvy, how is the demand for biometric systems evolving?

Derek Northrope (DN): There’s been a large shift in biometrics from the government arena to the commercial space over the past few years. As a result, we’re going to see a much larger integration of various biometrics into consumer devices.

For example, we’re already seeing iris recognition and fingerprint scanners in the consumer market. [In March, Fujitsu announced it had developed an iris authentication system for smartphones that can be used to unlock the device or authenticate mobile payments.] In addition to physical biometrics, we may also see a larger uptake of behavioral biometrics – like keystroke dynamics and browsing behavior – for certain transactions. For example, imagine if you normally read the sports section of a website but then, on one particular day, you start off by reading the finance section. A web-based behavioral biometrics system can detect that this is different behavior and respond accordingly, for example displaying a different set of adverts.

New value propositions

I-CIO: Despite the huge potential for biometrics in consumer applications, there has been some reticence. What has held back consumer adoption and how are attitudes changing?

DN: There’s a lot of misinformation about biometrics out there – messages like, “Don’t use iris scanners because they’ll damage your eyes,” or other mistruths from movies. One of the greatest misconceptions is that with commercial fingerprint devices fingerprints can be stolen or used by the government to track people. But on devices like a smartphone or tablet the fingerprint image isn’t stored so it can’t be shared with anyone or stolen. Yet the perception is still there so educating the public about biometrics is really critical.

I-CIO: There are clearly different levels of sophistication, even within a single biometric system. How do CIOs go about deciding which features might add value to their operations?

DN: There are very large variances among biometric types and there are very large variances within biometric types. For instance, if we’re talking about fingerprint scanners, there are a number of different technologies – swipe fingerprint scanners on laptops, touch fingerprint scanners on smartphones, optical fingerprint scanners for higher-security devices, even multispectral fingerprint scanners. Each of these has a different level of accuracy and different associated costs. For instance, you wouldn’t use a swipe fingerprint scanner in a national security environment, just as you wouldn’t want to buy a full-size optical fingerprint scanner for a gym. Another example of a different biometric type is Fujitsu’s PalmSecure, which relies on palm vein pattern recognition technology.

This technology has always been very prevalent in financial services and healthcare because it’s non-contact and has an extremely good match rate. [Banks using PalmSecure as part of their authentication at ATMs include Banco Bradesco in Brazil, La Caixa in Spain, and Suruga Bank, The Bank of Tokyo-Mitsubishi, The Hiroshima Bank and The Bank of IKEDA in Japan.]

Costs and convenience

I-CIO: There are error rates associated with some biometric systems — with systems either unable to identify a genuine user or, conversely, authenticating an imposter. When, why and how does that happen?

DN: Biometric systems are probabilistic, not deterministic. Sometimes they’re wrong and you have a false match rate or a false non-match rate. Depending on the application of the biometric system, you’re either more concerned with one or the other. For example, if you’re in a financial services environment, it’s likely you’re going to be much more concerned about someone accidentally matching in the system who really shouldn’t. If someone accidentally doesn’t match and they have to go to the security desk and sort everything out, that’s less of a concern. However, if you’re running an m-commerce site and a user keeps failing to register, they’ll stop using the service altogether. So depending on the risk-profile of the application, organizations tend to be more concerned with one or the other and should always have a remediation mechanism in place.

I-CIO: Biometric systems can be costly. What is a reasonable amount of time for an organization to wait before seeing a return on its investment in biometrics?

DN: It depends on the industry. From a bank’s point of view, depending on the biometric type, it can be much cheaper to manage a biometric system than a token-based system. In the retail space, biometrics has been proven to have a return on investment in under a year purely from fraud reduction in time and attendance. In the call center space, costs associated with activities such as automatic password reset might go from $5 a reset on a help desk to 20¢, so they’re definitely seeing a massive return on investment.

However, it’s important to remember that if you’re purchasing a system that requires a large rollout of biometric scanners, then obviously there’s a much higher capital investment to start. On the other hand, if you’re moving to a technology where all you have to do is develop a web app for everyone’s phone, then there’s much less investment to start with. It also comes down to your risk profile: if you’re only slightly concerned that an unauthorized user might get access to a system, then you can go with a lower-cost, lower-security solution.

Biometrics: 2015 and beyond

I-CIO: Online crime rates are rising exponentially, tracking the explosive growth of ecommerce. What role can biometrics play in better authenticating online transactions?

DN: Take, for example, our biometric service solution GoVerifyID, which uses out-of-band authentication. A consumer can be conducting a transaction online. However, as soon as they attempt to make a transaction that’s more than $500, the system can be configured to automatically send a message to their smartphone, asking them to verify their identity as the person attempting to make that $500 purchase. Once they authenticate their identity via phone, the transaction continues as planned. In fact, out-of-band verification has the advantage in that it can be used across all kinds of channels, including m-commerce, ecommerce and staff time-and-attendance systems.

I-CIO: What are some of the key trends shaping the future of biometric technology?

DN: We’re definitely seeing a move towards multi-modal solutions. That’s when you implement more than one biometric at a time — depending on the application, an organization’s risk profile and environmental factors. Consider this: if you try to access a voice biometric system, say a telephone banking service, and you’re at a noisy train station then you’re going to fail to authenticate. Whereas if you have voice, facial and finger recognition systems in place, then if it’s too loud, you can instead decide to use a photo of yourself to authenticate. Multi-modal biometric solutions also future-proof the system. If you only have a fingerprint recorded on a single device, it’ll only ever work on that device whereas with a multi-modal solution, you can quite often change devices and keep the chain of trust when it comes to identity.

I-CIO: What new developments in biometric systems can IT leaders expect to see in the next few years?

DN: With the growth of biometrics in the consumer space, we are going to see some very silly rollouts. There are some types of biometrics that are not suited for certain functions. For example, we are already starting to see things like unattended ATMs with facial recognition. What if you have an identical twin? What about someone who looks just like you? In Japan, a number of years ago companies developed beer-vending machines that would determine the age of the person standing in front of the device. However, kids quickly learned that they could authenticate just by holding a photo of someone older in front of the machine. So by all means biometrics, like vascular, should be used in ATMs but not necessarily that type of biometric. Over the next few years, there will be much greater adoption of biometrics but it needs to be well-considered adoption.

