Mission Possible: Going Passwordless Through Biometric Authentication

Featured article by George Avetisov, CEO, HYPR

In our digital-first world, the need for proper securing and storage of personally identifiable information (PII) is becoming increasingly acute. The last three major data breaches of 2016 alone affected a breathtaking 611 million user accounts. Information stolen included user IDs, passwords, e-mail addresses, full users’ names, dates of birth, telephone numbers, IP information and, in some cases, security questions and answers.

As the onslaught of data breaches continues around the world, there is an urgent need to create novel, advanced security methods to prevent and deter fraudulent activities. An aspect of this new approach to security is moving beyond passwords, PINs, security questions, SMS and phone calls for verification. Why? These are units of information that are easily—and routinely—stolen from organizations’ databases. Authentication in the age of the Internet of Things, bring-your-own-device, mobile banking and cloud services introduces challenges not addressed by usernames, passwords or tokens.

With increasing adoption of the above technologies—and the resulting increase in demands for remote login and flexibility—enterprises and SMBs are struggling to source and deploy scalable authentication methods that are effective and easy to use, as well as resistant to theft and reuse. Two-factor authentication schemes fail to address the problem and remain susceptible to the same attack vectors as passwords. They also offer an outmoded experience that just won’t complement the IoT (try unlocking your toaster with a 2-factor PIN).

Why Biometric Authentication Matters

This is where biometric authentication gets its appeal. This method uses personal markers that do not change and with the proper safeguards cannot be easily spoofed. That makes biometric authentication a conclusive, logical way to prove one’s identity. No longer reserved for sci-fi films, biometric authentication is already seeing mass adoption across the consumer realm; with over 500 million fingerprint devices deployed across the globe. Apple claims that iPhone owners use fingerprint verification an average of eighty times per day

With more than two billion camera and microphone enabled devices in use, biometric modalities go beyond the fingerprint to include voice, face, eye, palm and touch recognition. There also are a number of up and coming behavioral authentication technologies. Apple’s new MacBook Pro includes the Touch Bar fingerprint authentication feature, for instance, and the company is even developing a vascular identification technology that records a user’s blood flow.

However, as biometric security becomes a viable option, it is important to ensure the biometrics are stored safe from harm. People have unique fingerprints, but if those fingerprints are stored or secured incorrectly, the biometric data can still be obtained and used by a malicious third party. You can always create a new password but you cannot create a new set of fingerprints. More than 22 million past and present federal employees and jobseekers came to this sad realization in 2015 when their fingerprints and other PII were stolen from the U.S. Office of Personnel Management.

Secure Storage is Critical

The OPM breach makes it abundantly clear that a central repository of biometric data makes an attractive target for malicious actors who are looking to cash in on a PII stockpile. One way to avoid this scenario and safely store biometric data is to implement an underlying security architecture that instead enables both decentralization and tokenization of biometric data. Using a decentralized approach, the most sensitive information — the biometric — is kept digitally with the owner of the data on a secure device such as a PIN or Touch ID protected cell phone. The actual biometric image is first transformed into a seemingly random sequence of letters and numbers called a token irreversible to its original form, then encrypted and transported to a central authority to be used at a later time for verification. The biometric image is discarded in the process, rendering it near impossible to duplicate. In this scenario, the only information that is stored on the central server is a meaningless digital representation of the user’s biometric data. This is referred to as biometric tokenization, similar to the tokenization process used to secure and complete credit card payments.

With biometric tokenization in place, even if a fraudster was able to steal your fingerprint, they wouldn’t be able to use it because they’d also need access from your device to generate a unique token.

With decentralized biometric authentication, next-generation security features once unavailable with passwords become a reality. An example of one such ability is Step-up authentication, powered by tokenized biometrics. In addition to decentralizing and encrypting biometric data, a multi-factor authentication request can be issued for use cases where speed and convenience are top of mind. For example, if you are making an online purchase of less than $50, you may only need to provide your fingerprint, but if you were making a large wire transfer of $10,000, you would be required to provide facial or voice recognition – or some combination of these factors.

Making Cybercrime Next to Impossible

Combined with decentralization, the diverse modalities and myriad types of multi-factor authentications will begin to deter hackers from going the extra mile to obtain biometric data which they ultimately will be unable to use due to the unique token applied to each individual use. Historically, these types of criminals have not gone out of their way for data that doesn’t produce a huge payoff. They are far more likely to go after the low-hanging fruit. For example, cybercriminals could try to use stolen information—say, a replica of your fingerprint—to make an online purchase. But if they know that along with the fingerprint they’ll need a second form of authentication, such as your voice or a profile of your geo-location, they won’t bother trying. Biometric authentication, then, disrupts the business model of most hackers and even large, collaborative hacking ventures.

Currently Fortune 500 enterprises including financial institutions, banks, insurance providers, ecommerce and government organizations, are leveraging decentralized biometric authentication securely across millions of users. Multi-factor security rooted in biometric tokenization is no longer just a scene from your favorite spy movies but a real-life “Mission Possible” password-less authentication experience for everyday use.

George Avetisov is the CEO and co-founder of HYPR Corp., provider of secure and decentralized biometric authentication for the Internet of Things.  As a repeat entrepreneur, George has focused on eCommerce security, specializing in fraud and identity for a decade. Years ago, a chance encounter with a computer virus that turned his PC into a bitcoin mining zombie inspired George to pursue technological advances in cyber security. George can be reached at george@hypr.com.