INTERVIEW: Ned Hayes, General Manager, SureID, on Fingerprint Biometrics and the Human Element of Identity

INTERVIEW: Ned Hayes, General Manager, SureID, on Fingerprint Biometrics and the Human Element of Identity

FindBiometrics Director of Digital Content, Susan Stover, spoke with Ned Hayes, General Manager of Sure ID. Their discussion starts on the topic of SureID’s decades-long history in access management and identity, and its recent “re-start up”, before delving into the aspects of its biometric technology that differentiate it in the fingerprint recognition market. Hayes also speaks about the role of human verification in identity systems, and guides the conversation through a vision of user personalization in our biometrics-enabled future.

Read the full FindBiometrics interview with Ned Hayes, General Manager, SureID:

Susan Stover, Director of Digital Content, FindBiometrics: SureID has been working to revolutionize the fingerprint services industry, and has recently revitalized itself with a re-start up. Can you let our readers know what that means?

Ned Hayes, General Manager, SureID: SureID was in business for nearly 20 years, doing fantastic work in PIV-I and access management and identity writ large. The team was delivering a number of different important identity management functions.

In fact, SureID created an identity access system that recorded over five hundred million ingress and egress events for government entities and for private corporations, making them able to track and understand entry and exit behavior of people.

When Sterling, our parent company, acquired this great team, they acquired it because it had deep expertise in biometrics and fingerprinting. But they also valued the SureID legacy. So, they took the legacy name with the smaller team and we restarted the company, focused around biometrics and fingerprinting, but with this veteran team that had a great depth of experience in identity and biometrics.

We started with a day-zero mindset — with the idea that this was a start-up again. Today, we have amazing people with fantastic experience and expertise, but we have to act like a start-up once more. Sterling has really been gracious to give us that runway to re-launch and deliver new ground-breaking solutions.

Another important reason why Sterling acquired SureID is because of the convergence between background screening and personal information about people — this convergence between traditional background screening and biometrics is rapidly accelerating. And because of SureID’s leadership in fingerprinting, it made sense that Sterling, who is the national leader in background screening, wanted to be able to add this important function at scale. Together, SureID and Sterling can offer fingerprinting across the entire industry, so that every Lyft driver, and every gig economy customer and provider, can use this ultra secure yet really quick way of understanding their arrest record, or understanding their background without having to endure weeks of delay. Our customers can get results back from us in under 24 hours — often in a matter of minutes. SureID provides Sterling with a differentiator for our business.

FindBiometrics: Amazing. Fingerprint recognition is a very hot modality and we’re seeing it deployed across a wide range of applications in vertical markets. What would you say makes SureID fingerprinting unique?

SureID: As we’ve all seen recently, fingerprints can be captured at a low resolution, as you see on your phone or tablet, but they can also be captured in high resolution for a much higher degree of security and veracity. We are, of course, at that ultra secure and high definition end of that spectrum. SureID does not deal in the low-end consumer verification where you just capture and retain a few millimeters of a person’s fingerprint.

Instead, we’re able to capture a multitude of biometric modalities. To start with, we’re capturing every single fingerprint from all the fingers, and we’re capturing the full surface of the fingerprint on our scanners. We’re also, simultaneously, able to capture the face and create a facial geometry template. We’re also able to add additional security barriers so this can’t be spoofed the same way that a phone login could be, with just a few faked millimeters of a finger. And so, we’re able to match against a much deeper and richer dataset that is pretty darn hard to spoof. I think you’d have to work on it for a few million years to spoof the kind of biometric data that we’re collecting. Now, it’s not impossible, but you would need geological time.

FindBiometrics: Yes, I don’t know if anyone has that kind of time, but that’s really reassuring. So, when it comes to the evolution from fingerprinting to biometric authentication, how do you bridge the past to the future?

SureID: In the past, biometrics data collection was a very manual process, meaning that you would actually take a print with ink and the police were able to match that against the print found at a crime scene and they would match it visually. They wouldn’t have a software algorithm that would match it. They would not have any ability except highly trained individuals.

We’ve all heard Marc Andreessen say, “Software eats the world,” right? So, software algorithms and AI and machine learning, doing all of the long-term matching, that’s the type of algorithmic matching that’s being done on mobile phones today. You have a local template, you match against that template. If it’s matching to a certain degree, then you’ll allow access, right?

What we’ve been able to do is combine the best of both ends of the spectrum. We’ve been able to use human expertise and ensure that there is a human in the loop to validate the input of biometrics and then use matching algorithms that are best in class that we have patents around, in order to validate that. Applying human expertise, as well as the best in class for machine learning, or algorithmic matching, really creates a viable bridge.

As we move forward into systems taking over more and more relationships with human beings, this has potential dangers. We’re seeing that right now with the Boeing crashes, as systems are making decisions with human lives at stake. This is why I think it’s always important to give human beings an ability to flip the switch. At the end of the day, a human being should be able to grab that wheel, or understand that cockpit. The same thing is true with biometrics. We allow trained technicians on our end and at the point of enrollment, to be able to assess whether this is an actual person, not just a bot.

FindBiometrics: That’s definitely a critical aspect that you’re integrating there.

SureID: Yes, and frankly I see too many systems today taking what a biometric system declares as proof positive and just stating, “Well the system told me this, so it must be a match.” And what we have is this critical point of someone actually, a person standing there saying, “This person in front of me is enrolling their fingerprints so I can validate this against document based ID. I can validate it with my human eyes looking at their face.” It’s pretty hard to spoof.

FindBiometrics: You touched on this, but we’re seeing a huge deployment of fingerprint recognition for smartphone logins. Would you say this would be the major difference between mobile device authentication and SureID fingerprinting?

SureID: Yes, I think that there are actually three different aspects where we can distinguish ourselves from mobile phone fingerprinting. The three aspects include the actual person in the loop, the trained technician. The second aspect of our system is that we are enrolling multiple modalities— different biometrics, face and fingers at the same time. Finally, we’re also enrolling a greater spectrum of those modalities. So instead of just getting one shot of one finger, we’re getting a full set of all fingertips. And we’re getting the full fingerprint because we are able to do a roll. So these are the three components. It’s a person in the loop, it’s multiple modalities, and it’s a greater spectrum of those modalities.

FindBiometrics:  In terms of biometrics, obviously security is a very critical issue, and talking about biometric hacking is definitely something that needs to be addressed by our industry as a whole, how is SureID system addressing this?

SureID: Today, we have the largest single source deployed network, which means that we have individual kiosks at stores, throughout the United States and in each of the 50 states — we have nearly 1000 kiosks nationwide. And these kiosks are protected through physical security; this is a military grade enclosure that is fully locked down. It’s survived extensive penetration testing. And then secondarily, we also have a secure encrypted channel directly from the kiosk in the field to our secure servers. We’re not transmitting via email over wifi I’m still surprised that so many companies use email to transmit extremely sensitive personal information, and I think that human beings should start to consider our biometrics as extremely sensitive information, because they can be used make purchases, to do transactions, and to assert identity in all manner of situations.

In terms of addressing hacking, it’s a physical security level, and then it’s the transmission and encryption end to end, that we’re providing. And then we also provide a secure service that’s been regularly tested and validated by the FBI, that the service is in conformance with FBI standards for both collection, transmission and finally, returning results to end users. And so, we are one of only a handful of companies that have been certified by the FBI and by other organizations such as the Department of Defense to do government level clearances on our systems. And so our actual software and hardware, both have to be validated by the FBI as serving at that level of clearance. And I can guarantee you there’s a reason why senior government officials are not supposed to be using the iPhone. It does not create or support the same sort of secure operating environment.

FindBiometrics: Yes, I think, this is going to be a huge thing in our industry, as you know, the standardization of security and protecting anti-biometric hacks and it’s leading companies like yours that are really thinking this through and actually protecting this data. In terms of the future of identity, where do you see the future of identity going, and how does SureID play a role in this?

SureID: The fascinating thing about identity is that we have identity in us. It’s innate. I can walk up to you and say, “I’m Ned” and then two days later I can come back to you and say, “I’m Ned,” and you would still believe me. I’m still the same entity that came to you two days before. So when we assert identity, we’re actually making a statement to someone that we are the same person that we were the day before.

And time and again, companies or organizations, if it’s a multi-stage or global organization, have attempted to create a proxy for that physical presence. And that can be your Gmail login, that can be your PGP key, you know, your private key that matches your public key, right? Or it can be other ways of providing a token that verifies that the person who came to you two days ago is still that same person, right? Yet those proxies only go so far. And one of the chief issues with those proxies are that the proxy tokens are typically owned by private third parties.

So, a corporation will establish a standard. For example, I myself, I don’t work at Google – I cannot influence what services are attached to my Gmail ID. And I don’t work at RSA – I can’t influence how I am tracked in their database, right? I can’t say, “I want these services. I want those.” And that’s because the actual identity proxy is owned by a third party.

What’s fascinating about biometrics is that the standard already exists. Human fingerprints, human faces, those standards exist and they are not owned by a private entity. They can be understood by different people having input into it. But it’s almost like the perfect way of shaping and moving forward with identity, because you know that a third party is not going flip the switch and change all fingerprints to being a different style or format or standard. They’re already a standard. We’re born with them.

And what’s fantastic about fingerprints and other methods of biometrics, like iris scans, are that when you have this done as a child it’s still persists into your ’90’s. It’s still the same biometric. That’s not going to shift. That’s not true of my MySpace ID, right?

The ability to lock on to one standard, I think increasingly, identity is going to converge on biometrics as the obvious standard, because it’s an essential standard that every human being in the world shares. You don’t have to explain to people how to use your fingerprint or how to use your eyes. You just walk around with them.

And so, if you were really distrustful … Maybe we’re living in a Mission Impossible world, and I came back to you in two days and said, “I’m Ned,” and you were really distrustful of the rubber mask that I’m wearing – if you’re familiar with the Mission Impossible movie.

FindBiometrics: Yes, of course.

SureID: You could still scan my iris. Or you can still take my fingerprint. And if you took fingerprints at a high enough resolution and you did an actual iris scan, even with the Mission Impossible tech,  that I’m not sure quite exists yet, right? Even with that tech, it would still be impossible to spoof a complete set of high resolution fingerprints.

So, I think the future of biometrics is that biometric attestation becomes the standard for identity proofing and becomes the central locus of how we assert ourselves in the world. There’s increasingly going to be a marriage of digital identity and biometric identity, and we’re already seeing it with things like mobile phones, on a very small scale. Even though that seems pervasive, it’s still kind of a  kindergarten use case. I think moving forward we’re going to see things like, you walk up to a building and the building changes all settings because it recognized your face. And while we’re already seeing stuff like this in houses, we’re going to start seeing it on the corporate level, where I show up in a building and my desk configures itself for me and my computer knows who I am on a very deep level. It can even do things like detect my blood pressure, and deliver the kind of music that’s appropriate to me not having a heart attack that day.

Personalization and customization of the world around us is going to happen because of biometrics. So I think that’s really the future of biometrics. And I think one area that is really important that will emerge, is an ability to pin a high-resolution dataset. A mobile phone can’t get a high-resolution fingerprint or a high-resolution iris scan, so over time it does get hacked.

I don’t know if you’ve heard about the Philip Bontrager machine learning hack, but it’s basically able to hack a huge number of fingerprints that could be used on tablets or phones. And so Bontrager actually consults for SureID now on how to make our systems more secure and he has already validated our systems as being able to beat his fingerprint hack that has worked on iPhones or Android phones.

So, we’re able to rise to a higher level, but I think increasingly the entire industry will need this. I mean this parallels the rise of secure functions in web browsers, for example. Netscape came up with SSL and over time there have been increasing ways of circumventing that and then fixing that, and we’re going to see the same thing with biometrics. And I’m happy to say that SureID is already well ahead of the curve there.

FindBiometrics: Yes, for sure. That most definitely is what it sounds like and, thank you so much for talking to me today, and letting our readers know more about you and we’re looking forward to continue to cover what’s next from SureID.

SureID: Absolutely. Thank you for the opportunity to share our story.