INTERVIEW: BioConnect CEO Rob Douglas on Biometric Enterprises, Converged Security, and San Francisco’s Face Recognition Ban


For many years now, BioConnect has been a high-profile leader in offering compelling security solutions to the enterprise market, with a strong focus on post-password security technologies like biometrics. And in some ways, the larger enterprise security market is now starting to catch up with the company, with a growing number of organizations coming to recognize the need for this kind of security, whether it’s applied to digital assets or physical infrastructure.

Indeed, BioConnect’s CEO and Chairman, Rob Douglas, has emerged as a thought leader in the growing convergence of physical and digital security, and in a new interview with FindBiometrics Managing Editor Peter Counter, Douglas brings that expertise to the fore, starting with overviews of BioConnect’s partnerships with Duo and ForgeRock. Douglas and Counter also delve into healthcare biometrics, the importance of education about post-password security, the issue of privacy, San Francisco’s facial recognition ban, consumer biometrics trends, and more, in this wide-ranging interview.

Read our full interview with Rob Douglas, CEO & Chairman, BioConnect:

Peter Counter, Managing Editor, FindBiometrics: BioConnect recently partnered with Duo Security, which was a big piece of news leading into ISC West this year. I’m wondering, how will BioConnect’s new partnership with Duo Security enhance your platform?

Rob Douglas, CEO & Chairman, BioConnect: I think this is a very significant moment for us, and I’ll tell you why. Since about 2007, we have been seeking to find a way to unify the enterprise so that you can actually authenticate people physically into buildings and digitally into applications, and the authentication mechanisms are the same. And this is an idea of unification. So, literally, this is something that’s been going on for 12 years. And this partnership, in my experience, is now the first time where we really can bring unification to play.

Duo, now part of Cisco, is the leading provider of multi-factor authentication (MFA) and Zero Trust for the Workforce. Duo protects against stolen credentials, phishing and other identity-based attacks by verifying user identities and establishing device trust before granting access to applications. So, with this partnership, we are bringing MFA to the door. 

And so, if you can imagine a world now where all those HID card readers, which will continue to stay there – we’ll leave all existing infrastructure in the building today – and now we’re going to bring step-up authentication to the door to give higher levels of security. And then secondly, better data visibility of who’s actually moving around the facilities. Duo is excited about this particular area because this opens up a whole new use case for them. I’m pretty sure that the enterprise is equally going to be excited about it because this will extend their investment that they’ve made into Duo and give them higher visibility of access, and unification of who’s authenticating into doors, as well as who’s authenticating into applications.

FindBiometrics: That’s really fascinating. I think that there’s something really important to be said about how this solves the problem of legacy systems, in terms of addressing that challenge that has plagued the enterprise market for a long time, and in bringing it all together.

BioConnect: Yes it does. It was actually about a year ago. Like everybody, we were all trying to figure out how to bring mobile to the door, and there’s certainly ways that that’s now happening. But the challenge is that it requires a rip-and-replace. These mobile solutions mean that the core infrastructure in the wall is likely going to need to get upgraded or replaced. And we wanted to find a solution where you didn’t have to do any of that. And that’s the real fun part about this idea: everything in the door can remain as is, and yet, we can upgrade a higher level of security and identity assurance.

FindBiometrics: It’s also fascinating that this comes at a perfect time in the security industry in general. I know, at ISC West, you participated in our panel. Then you and I did a webinar shortly thereafter where we talked about the convergence of information and physical security. It just seems like this is finally the perfect time for it.

In March, BioConnect joined the ForgeRock platform. And I’m wondering: what does BioConnect ID bring to ForgeRock, and how do you expect this integration to affect your business in the enterprise market?

BioConnect: Sure, I’d be happy to answer that. So, as a context, what is BioConnect really doing? BioConnect is really enabling trust in the connected world. We happen to do it by using biometric information because we fundamentally believe that, to establish the final trust of the person, we need to be able to authenticate them against their biometrics. We believe that it’s not good enough just to authenticate a device, but we need to authenticate the human, also.

And so in the case of this overarching plan of ‘how do we unify authentication across the enterprise,’ this partnership with ForgeRock is another partnership (that follows one that we signed up with IBM and several years ago) which is to integrate our biometric authenticator – which is a mobile biometric authentication system – into ForgeRock’s IAM system, which is an identity and access management system. It is a very powerful system, and its purpose is to be able to manage identity across the enterprise, as well as the customer-and-consumer-facing applications of the enterprise. Putting down a layer on top of that, the biometric platform, is where we fit: to provide that higher level of assurance of authentication.

So, we see it as a very good fit to be able to improve the overall trust of digital transactions for the enterprise.

FindBiometrics: And you know, taking a larger view of the enterprise market, a recent Gartner report predicted that over 70 percent of offices will be embracing app-based biometric ID in the next three years. From your perspective, what do you see driving this market demand, and what challenges are still facing businesses that want to make that biometric upgrade?

BioConnect: We really have Apple to thank for this. When the iPhone came out with Touch ID, back five-plus years ago, to where it is today, we’ve got now approximately 2 billion people that are using biometrics every day on their phone. So what’s driving it is the fact that it’s just a more convenient way to be able to get access to things, to unlock things like your phone. One big challenge is that people think that, “Oh if I just use my finger or my face recognition on my phone, somehow I have higher security.” That is completely false. What you have is you have higher personal security of your lock unlocked device, but the enterprise has no binding of the biometric information, and as a result has no trust in the device or the biometrics.

The real challenge here is you’ve got to find a platform like BioConnect – and there are a couple of other companies like us – where you can actually bind the biometric information on the device to the application so that we’ve got certainty that it always remains the same person. And so the challenge really is: many people start with the on-device biometrics, that’s fine, to get yourself going, but in the end, to really be successful, you’re going to need to find a platform where you combine the identity of the person with the biometric information.

FindBiometrics: That seems to be going along with this larger trend we see in the biometrics industry. It really does seem like there’s a lot more trust in centralized biometrics and larger biometrics platforms than there used to be. Even, I would say, three years ago, people were still skeptical of them. So it really seems to be growing in that direction.

BioConnect: I would agree with you.

FindBiometrics: A large driver for enterprise is also that we live in the era of the data breach. Over the past few years, we’ve seen major breaches in health data, specifically. Most recently Quest Diagnostics was breached. How can BioConnect serve the healthcare industry, and how is it different than the enterprise space?

BioConnect: Well, specifically around data breaches, as it relates to healthcare, I think people would be absolutely shocked to find out how many IDs and passwords have been stolen and are available on the black market. I think people would be shocked to know the quantity. The number, by the way, is over 3 billion. And they’re for sale, available for anyone who wants to try to hack into anything, you can get your hands on very significant, large databases of ID and passwords. And normally I would think, ‘oh, that sounds like a big number,’ but wait until it happens to you personally and then you will realize how serious this problem is.

This is something I’ve personally experienced in the last 12 months. And then I’ve come to realize, wow, geez, I’ve even had it happen to myself. And when our CISO was able to show my ID and password that was available in this 3 billion, it was quite real for me, personally, to think, “Wow, this really is a serious problem.”

So, any healthcare application that is strictly using an ID and password is just a ticking time bomb, waiting to be hacked. It’s not a question of if, it’s just a question of when the hacker will get through and get access to your data. There is no point in waiting any longer. Biometrics closes the threat surface area for the hacker to be able to get in, either as a step-up or replacement to a password. The whole point of why these multi-factor authentication systems have come in market is to make it much more difficult to be hacked because you have an ID, a password, plus a push notification. And in our case I could be doing your eye recognition, face recognition, voice recognition or finger. There’s a lot of combinations there, which makes it much more difficult to be penetrated and therefore hacked.

The other comment I’d make specific to healthcare is: there are some very specific regulations in the U.S. that one must be able to adhere to in order to be able to provide authentication around patient data. And I think these particular standards are actually very good for protecting us. And companies like BioConnect need to be able to adhere to those standards, like we do, in order to help protect patient data from being hacked.

FindBiometrics: You know, as we’ve been talking in both of these industries, enterprise and healthcare, a theme that keeps coming up is this perception on the end user side of how biometrics work and how safe we are with our digital lives. BioConnect is an industry role model for education. You’re regularly a guest on panels at user-facing conferences like ISC West and Money20/20. You speak in FindBiometrics webinars. And the BioConnect blog, it’s a great resource to learn everything from biometric surveillance panic, to dealing with legacy security systems. Why is education such a priority for BioConnect?

BioConnect: We want to enable trust in the connected world. And part of being able to achieve that is for our society to understand. It’s more than just our ability to provide technology, there’s so much information that is not correct about how biometrics can help people. It’s just remarkable to us. So we see ourselves as one organization standing on a hilltop, communicating and helping educate for the betterment of everyone – not just for the betterment of BioConnect – to understand how these technologies can actually provide higher levels of privacy and security. That, in fact, what people fear with biometrics, is the exact opposite. You can have higher privacy and higher security with the use of biometrics than without. And that is completely in conflict with what, generally, people initially think. So that’s just one example of understanding it.

And you know, if you want to know a perfect example of it: if any of your readers are trusted travelers. When they’re traveling between countries and they’re seeking to move through an airport, and they’ve got a Nexus, or they’ve got some type of a trusted traveler authentication – that is the most non-intrusive, private, secure way to be able to move from one country to another, and it’s done by biometrics. Your biometric information is the key that’s allowing you to have a very private transaction like this. Versus: if you don’t have biometrics, you’re not trusted, and now you’re into long lines, talking to border agents who are asking you all kinds of questions of interrogation. It’s a completely different experience when you start using biometrics.

FindBiometrics: It’s interesting because that’s such a contrast with, specifically, what’s going on right now in the media with the facial recognition panic in the United States. And it really does feel like a lot of the issues come down to a lack of nuance in the conversation, and just a few small details kind of being misunderstood, re: the privacy enhancing aspects of biometrics, like you just described, and those that could be potentially used in public spaces to infringe on people’s civil rights. But really there is a very strong use case for privacy-enhancing biometrics.

BioConnect: Yes there is, and I’d like to make a comment about this facial recognition. A couple of years ago when I was in Asia, we were looking at other technologies and we came across an algorithm that we were considering licensing to put into our platform. And this particular algorithm was a face recognition app where you could see people blocks away and you could be able to recognize them. A very strong algorithm. It was done through cameras and in essence it was really surveillance biometrics. And at the time I thought, “Wow, that’s very intrusive, and really cool technology.” And I came back to North America. And I thought about it for a couple of months, whether this would be something we would want to bring into our platform, and concluded that no, we are never going to bring this technology into our platform because it’s gone too far.

So when you see face recognition being used for surveillance versus being used for access control, that is a line that should not be crossed. And I commend San Francisco. The city of San Francisco, a couple of weeks ago, just announced that they banned all face recognition for surveillance application. And I blogged about it afterwards and I said, great for them. That’s exactly what every city needs to do. We, as people, do not want face recognition being used as a surveillance tool, tracking people moving around through city. That is just not acceptable. And in their ban, they excluded face recognition for access control. They said that that’s fine to do, and that’s what we do.

So my point is: I think access control using face recognition is something that humans are going to feel great about. Face recognition for surveillance over large areas of space is a surveillance application and that should be dead in the water, and we all should fight against it.

FindBiometrics: Absolutely. I think that’s a really great point. I do wonder now that we’ve been talking about it, how much of this do you think is because biometrics really went through a five-year period of incredibly fast evolution, and it created this industry that kind of raced ahead of regulation? It seems like now we just don’t have the legislation to prevent this kind of thing. And so we’re kind of playing catch up on this stuff.

BioConnect: Well, we are, for sure. And as I just pointed on the City of San Francisco example, actually… They’re either catching up or they’re leading. I may, in their case, put them in the leadership category. But I do agree that the technology is definitely across the world at a much faster rate than regulation and regulation is now coming.

FindBiometrics: I think that is a really good distinction you make. Yes, San Francisco is leading in this push and it’s really quite amazing that they were able to do such sweeping changes, and so quickly, and so decisively. 

BioConnect has been a leader in biometric security for a long time. How have recent trends in the consumer biometrics market affected identity as a whole, from your perspective?

BioConnect: Well, it’s been profound. What’s happened, is when we’ve gone from the physical world to the digital world, we’ve lost trust. When you think of fake news, when you think that nobody has to be accountable of communicating information or receiving information, we really have a digital world that has erosion around trust, and trust needs to be restored. And this is very, very true for the consumer.

The consumer wants to be able to now consume many, many services digitally, and it needs to know that they’re dealing with an authorized provider of the service and the provider needs to know that they’re dealing with a legitimate, authenticated consumer. And so biometrics in consumer-based applications – it doesn’t matter whether it’s financial services or healthcare or any other application, or even just requesting a mortgage or doing a wire transfer – biometric information is a key part of a consumer’s ability to be able to receive those services and know that there’s a trusted relationship between the provider and the consumer.

FindBiometrics: That sparked an interesting thought for me, when you were talking about fake news. The past couple of years, we’ve been talking in the culture about how there’s a real problem with social media. We don’t use the term fraud when we talk about it, but there are false identities and bots on social media that are essentially being weaponized. Do you think that strong identity – or as BioConnect puts it, Rightful Identity – potentially has a role in righting the wrongs of that sort of anonymous social media, and bringing trust back to those platforms?

BioConnect: Yeah, I don’t believe in anonymous platforms. I think history has now proven that what happens with anonymous platforms, or anonymous communication tools, is you end up with the worst of people coming out. There is something to be said for being accountable. Being accountable for your message, for your communication. I do believe that there’s a role to be played for companies like BioConnect to bring that trust and accountability into social media applications.

FindBiometrics: Excellent. We’re just at the halfway mark of 2019. How has this year been for BioConnect, and what can we expect from you in the future?

BioConnect: Well, it’s been very good. It’s been strong, and I see it as a blessing. I do believe that our particular market area is in very high demand and we’re not alone in experiencing significant growth. Many other companies that are participating in the similar markets to us, my guess is they’re probably experiencing the same. But BioConnect is having a very strong year. And I do attribute a lot of it to just the overall health of our economy and, in particular, the pressing need for higher levels of assurance of identity and many, many enterprise and healthcare applications.

FindBiometrics: And what other verticals do you also see that demand coming from?

BioConnect: I almost feel like I want to reverse the question. I can’t think of a market that’s not consuming BioConnect. Even applications that you would never expect. Like how about a professional athletes dressing room? We have many clients like that. Or how about police facilities or fire departments? All the way through to data center colocation facilities through to financial services, through telecommunication, through utilities, through to healthcare, through education. It’s the technology’s being consumed in every market segment and as you look forward to part of your question, which is where are we headed? Ultimately, we’ve built a platform that’s integrated into 80 percent of the world’s access control software systems, and we are unifying the digital authentication with the physical authentication so that the enterprise can have a single view of both the employee, as well as their customer, and their consumer. And we’ve got some other technologies that we’ll release this fall, that are all designed around solving, fundamentally, the same problem, just doing it in different application use cases.

FindBiometrics: And when you put it that way, it makes a lot of sense. Everybody is having this same problem, and when you have an elegant solution, you just have to do a few small tweaks. Everybody has an identity, and it should be asserted. Taking a broader, larger view, how do you expect the biometrics industry to evolve in the next five years?

BioConnect: I think we’re going to continue to see more supply solutions coming to market. More vendors will come to market. We definitely have noticed that over the last five years. I believe that we’re going to continue to see that. I think we’re also going to see a couple of players are going to break out and take a market leadership position. I think that the broad view of the biometric space over the next two to four years continues to be very bright, but on a global basis, not just in North America. And that’s my view of how I see the future.

FindBiometrics: Well, again, thanks for taking the time to talk to me today, Rob. Very excited about everything that’s going on with BioConnect. Thank you.

BioConnect: Thank you, Peter, and thank you for the opportunity.