FindBiometrics President Peter O’Neill recently spoke with Jim Sullivan, Senior Vice President, Strategy and Business Development, BIO-key. The interview begins with highlights from BIO-key’s exciting and productive 2017, as well as discussion of the financial biometrics market, before taking a deep-dive into the company’s enterprise operations. O’Neill and Sullivan delve into the nuances of implementing multifactor access control, why convenience is driving biometric adoption by businesses, and how the Equifax breach affected demand for strong authentication solutions. The conversation concludes with some mythbusting about biometrics in the cloud, carrying forward a trend in industry discussions that’s emerged this fall.
Read our full interview with Jim Sullivan, Senior Vice President Strategy and Business Development, BIO-key
Peter O’Neill, President, FindBiometrics (FB): Has this been a good year for BIO-key? What have been some of the highlights?
Jim Sullivan, Senior Vice President, Strategy and Business Development, BIO-key: Yes, this has been a great year for a lot of reasons. We have seen continued growth and expansion of our existing relationships with large enterprise customers using our biometric authentication as the foundation of their identity strategies, but we also have added a number of interesting additions to our product line. We have introduced a line of consumer-oriented products for everyday uses of biometrics, starting with our line of TouchLock padlocks. These locks are fingerprint-enabled as well as Bluetooth enabled, so you have a choice of how you go keyless. This product line realizes all of the advantages of biometrics as a way of making life more convenient. In the end, it is a nice complement for what we are doing in the enterprise, because it creates more awareness on the part of consumers – who all work at companies – that biometrics works, is secure, and is convenient.
FB: It is interesting when you talk about the consumer side. We’ve been saying for years at FindBiometrics that the timing is perfect for products like you have just launched, that are cool with a spectacular design, to hit the marketplace.
The financial services area is growing rapidly with biometrics, can you describe your focus in the financial segment?
BIO-key: We have a long history of financial institution customers using our products as their enterprise authentication platform for employees. What we are seeing now is that there is greater interest in how banks can leverage biometrics focusing on their customers both inside and outside the four walls of the institution. Forward-looking banks are into their second- or even third-generation of trying to get consumers to accept stronger authentication, but without much success. They’ve finally recognized what’s unique about biometrics and different than other online authentication schemes that they might have used in the past. Biometrics allows banks to leverage the same authentication technology to identify a customer in-person, in a branch, as they would use online. This greatly expands the value proposition for the bank to build, own, and operate a biometric service within their enterprise. We are seeing a realization on the part of the banking community that there is a technology that can actually be universal and can work both physically and online giving them kind of twice the bang for the buck, and BIO-key’s unique privacy enabling and compliance features make remaining compliant much more manageable than other solutions.
FB: Multifactor authentication is another hot area in our industry right now, can you please describe BIO-key’s solutions in this area?
BIO-key: Sure, we have always been fans of biometrics, of course, but in order to really be able to compete in the enterprise marketplace, you need a solution that delivers equivalent functionality to what enterprises have available already. So, we have augmented our world-class biometric technology, adding all of the traditional multifactor options to go with it, such as prox cards, smart cards, one-time password tokens, or using your smartphone with either a one-time password code on the phone or a push-to-confirm app on your phone.
By offering all of those traditional two-factor options in addition to the biometric options, an enterprise can move into biometric authentication knowing that they will add a stellar biometric experience to the majority of their users, while still accommodating any circumstances where another option is needed as a fall-back.
FB: Does that help with the integration into legacy systems?
BIO-key: It does, because first of all, you’ve got a user base that’s been through the pain and training to learn to use another technology, and you want to allow them to transition. In order to be able to come in and seamlessly integrate into an environment, you need to offer at least equivalent function in order to then show them the benefits of the convenience of one touch fingerprint authentication instead of the old-school factors.
What is interesting, however, is that many enterprises which have never had to use multifactor authentication before are now being forced to step up to multifactor authentication, either because of regulatory pressures like the New York DFS cybersecurity law, HIPAA or the PCI DSS standards. Regulations are creating a new population of multifactor users that are new to multifactor. That population is actually much more ready to accept a biometric option, because they just hate the new reality that they have to fumble around for their token whenever they sign in.
Consequently, we have two existing markets, one is well familiar with the pain of using multifactor and then a second, new market, with users that have just transitioned from passwords and are really hating the idea of having to use a multifactor that adds friction. So, those two markets are both served well with having a multifactor solution that includes biometrics but still allows them to be able to cover their bases for anything else they might use.
FB: Your products are used in quite a variety of vertical markets. I know you are very strong in healthcare, in retail, financial services, where are you seeing the greatest growth?
BIO-key: I think the general enterprise is where the growth is happening. In the past we had specific verticals that either through having the specific regulatory pressure to comply with multifactor authentication in things like healthcare with the EPCS laws, or things like retail where they were trying to be strong authentication for PCI. But now we are seeing that general enterprise community that really, as I said previously, probably relied on passwords changing every 90 days and all the traditional password-based authentication, that group is coming to the multifactor awareness and biometric awareness in much greater numbers than they have in the past. We’re seeing that really any enterprises are the ones that are growing the fastest for us. We had, for example, an insurance company that had planned on doing a roll out of a multifactor, had evaluated and had just selected our product but was planning on rolling it out next year, but after the Equifax breach they stepped up and immediately came in with an order four or five months before they had planned to because of the re-prioritization in light of Equifax. So, those enterprise customers are where we are seeing the most growth.
FB: We had a webinar recently and we were talking about the Equifax breach and how biometrics can help. What are your thoughts on this and what is your take on the industry discussion re cloud vs. on-device storage of data and security?
BIO-key: I think that it really is multiple scenarios where you would use biometrics. There are some scenarios where it is purely a substitute for a password. So, for example, a relationship with an online service that you want to use a password for but would like the convenience of a biometric, a solution that works with my device or Touch ID to build or automate that login, that makes sense for that kind of a relationship where they know it is my phone, my Touch ID and they’ll let me in. But then some relationships have a longer term, or what I will call a more intimate relationship between the customer and the service provider; people like banks or certainly anyone that has your money is going to be someone that you are going to want to have a tighter level of relationship and control with, and those relationships also have the characteristics of needing to deal with you over long periods of time. So, when you look at those scenarios you really are pushed towards the idea that you can’t rely on a device that’s being the critical lynchpin of your authentication strategy; you have to have something that spans time and spans devices so that if that user, for example, if a user is in Puerto Rico and has lost everything they can walk into a bank branch and identify themselves with a biometric that doesn’t rely on the fact that their phone or some other device that they’ve previously used is still in the game.
So, that concept is where you really see the most demand for some sort of on-server based environment and I think a lot of the misconceptions that come in that create fear of putting a biometric in the cloud really need to be addressed because they are somewhat misplaced. There is an equating of biometric enrollment data with the way passwords would be vulnerable if someone else has them. If someone gets my password they can get a keyboard and an internet connection and immediately become me to any application that relies on that password. A biometric is different as it is simply a factual measurement of something about me and the measurement is the fact that can be known by others but doesn’t allow them to measure up to that measurement. From an analogy point of view, it is kind of like Cinderella and her slipper. You have Cinderella’s slipper that was left behind at the ball and the Prince was able to take that slipper which forms a perfect template of her foot and he could allow anyone else to try the slipper on and they simply wouldn’t fit the slipper. But having access to that slipper for those impostors did not allow them to make their feet the size of the slipper.
That misunderstanding – that having access to the measurements, the biometric templates, would allow the bad guy to immediately step in and substitute for you with that measurement in hand – is really where the big misconception is. Once they realize that a factual measurement that is retained and has good integrity to it can be used to positively identify someone, then they’ll realize that it is actually a better way to proceed to have positive identifiers that don’t change about a person and then reliably measure them with good liveness detection to be able to know that you are actually getting a good comparison. But again, it is taking time for the market to realize that, but our customers tend to recognize that there is a benefit in that and I think that is a very good thing. I think we’ll look back in a few years and say we were kind of silly to worry so much about that.
FB: Well, Jim, thank you very much for taking the time to speak with us today. It is always a pleasure to chat about the industry with someone with your in-depth knowledge and experience, so thank you very much.
BIO-key: Well, I appreciate the time. Thank you very much, Peter.