It’s Multi-Modal Month here at findBIOMETRICS: a celebration of the diversity in today’s biometric technology. Last week we looked at the many modes of biometric identity in our week-one Primer. This week we are going to examine the benefits and applications of combining authentication factors.
It stands to reason that if biometrics are stronger than passwords, then two biometrics should increase that difference in strength by an order of magnitude. It’s a little more complicated than just that, of course. Multi-factor doesn’t necessarily just refer to combined biometrics. Multi-factor is a different way of thinking about strong authentication.
All For One, One For All
In identity management a multi-factor solution can be easily defined as any system or device requiring more than one positive signal in order to authenticate a user or subject. It is a nearly self-explanatory concept in theory, but its applications and manifestations are far-reaching.
A very common application of multi-factor authentication is in physical access control. This is because, generally, in critical areas that need to limit access to only a few authorized personnel, any extra time spent on authentication is insignificant in comparison to the added security.
Multi-factor physical access control can combine two biometrics, but it can also pair something like fingerprint recognition with a PIN, token or access card. In the case of the last pairing, a smartcard can actually contain the user templates, creating an integral three-way link between user, device and card.
Of course, there is no reason to stop at two factors. A user’s body is literally made out of biometric tokens that can be used to verify her identity. Anything that there is a sensor for is on the table here, and not just for physical access.
The smartphone, for instance, is a device that already has the potential to measure face, voice, fingerprint, eyeprint and even ear biometrics. That isn’t even considering the stated plans of manufacturers to put palm-vein and iris scanning on mobile devices. Thanks to this functionality, combined with the freedom of mobility and advances in wireless communication, multi-factor authentication can be brought anywhere, from personal finance to physical access control to border control.
The real fun comes when considering how frictionless some factors can actually be.
Consider one of the main drivers in end-user targeted strong online authentication: convenience. Passwords, in addition to being relatively easy for cybercriminals to crack and hack, are exhausting to maintain. Passwords need to be changed regularly, must be unique from account to account and unintelligible (any word in your password that can be found in a dictionary has made you more vulnerable, and simple number-letter substitution doesn’t count), and they shouldn’t be written in digital places.
At first glance, multi-factor authentication would be a step back in the direction of inconvenience. Having to submit a second or third factor might not be as daunting as having to remember the answers to your security questions on your bank account, but each one is an additional obstacle.
Luckily, invisible factors exist, able to make multi-factor easy on authorized users and increasingly difficult for fraudsters.
Generally, these are passive factors that run in the background of transactions, scaling up the security as anomalies are detected. This is common in phone banking and starting to show up in online shopping, but there is no reason it can’t be layered into every scenario calling for it once wearable technology becomes more prevalent.
A smartwatch-based proximity factor, in combination with biometrics, might be the best way to describe this idea. In a previous feature article, we have seen that smartphones have an increasing number of authentication-related applications across a number of verticals. Imagine having authentication via biometric smartphone contingent on both your close proximity to the device and your resting heart rate.
It’s not difficult to throw those two ideas into a biometric smartphone solution. A smartwatch already syncs to an associated phone, and vital biometrics are key features on every next-gen wrist-mounted gadget. These require zero interaction on the part of the user while adding two strong factors to the biometric that could be opening doors or making payments.
It is an example I like to use in this area because of its hypothetical nature. Though this specific type of multi-factor doesn’t exist, it represents the end-user ideal: security that is stronger than a password by orders of magnitude without requiring much in terms of friction.
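A sketch of how the hypothetical smartwatch scenario above could be expressed as an authentication decision, added here as an illustration and not taken from the article or any vendor's product. The thresholds, the `PassiveSignals` fields and the `decide` function are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# All thresholds are illustrative assumptions, not values from the article.
MATCH_THRESHOLD = 0.90      # minimum biometric matcher score that counts as a positive signal
MAX_SIGNAL_AGE_S = 10       # passive readings older than this are treated as missing
MAX_WATCH_DISTANCE_M = 2.0  # paired watch must be within this range of the phone
HR_TOLERANCE_BPM = 25       # allowed deviation from the enrolled resting heart rate


@dataclass
class PassiveSignals:
    watch_distance_m: Optional[float]  # None when the watch is not connected
    heart_rate_bpm: Optional[int]      # None when the sensor has no reading
    age_s: float                       # seconds since the watch last reported


def decide(match_score: float, passive: Optional[PassiveSignals],
           resting_hr_bpm: int, high_value: bool = False) -> str:
    """Return 'allow', 'step_up' (ask for an explicit extra factor) or 'deny'."""
    # The active biometric is mandatory: passive signals never compensate for a failed match.
    if match_score < MATCH_THRESHOLD:
        return "deny"
    anomalies = []
    if passive is None or passive.age_s > MAX_SIGNAL_AGE_S:
        # Missing or stale data is an anomaly, never a silent pass (fail closed).
        anomalies.append("passive_unavailable")
    else:
        if passive.watch_distance_m is None or passive.watch_distance_m > MAX_WATCH_DISTANCE_M:
            anomalies.append("watch_out_of_range")
        if (passive.heart_rate_bpm is None
                or abs(passive.heart_rate_bpm - resting_hr_bpm) > HR_TOLERANCE_BPM):
            anomalies.append("heart_rate_out_of_band")
    if not anomalies:
        return "allow"  # frictionless path: all three signals agree
    # Any anomaly asks for an explicit extra factor (PIN, token);
    # a high-value action with more than one anomaly is refused.
    if high_value and len(anomalies) > 1:
        return "deny"
    return "step_up"
```

The frictionless path only exists when every passive reading is present, fresh and in range; an unpaired or out-of-range watch degrades to an explicit second factor instead of silently passing.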
The Power of Choice
The diversity of biometric solutions is, conceptually, also a factor, particularly in regard to software-based biometrics. In May, we saw how biometric sensors are potentially all around us. A webcam, a microphone or a smartphone can all be turned into a biometric reader with the addition of the right kind of software. Add in Plug n Play biometric peripherals and you have a range of choices as daunting to fraudsters as the modes themselves.
With cloud-based platforms like the GoCloudID solution from ImageWare Systems, enterprises can differentiate their authentication methods based on their needs. This means that two nearly identical offices might be using completely different logical access control combinations.
One multi-factor situation might combine fingerprint biometrics with a One Time Password token while another might combine iris, face and smart card factors. Different situations call for different security, and with multi-factor biometrics your protection can be as unique as you are.
Stick with us throughout the month of June as we dive deeper into the diversity of biometric solutions. Have something to contribute to this discussion? Follow us on Twitter and use the hashtag #fBMultiModal to keep the conversation going all month.
June 11, 2014 – by Peter B. Counter