What We Learned at the K(NO)W Identity Conference: Part Two
June 1, 2017
B&B: Biometrics & Blockchain
We are back with more from the K(NO)W Conference, this time focusing on solutions that create trusted transactions. Digital identity is relatively new. Physical identity has been around for millions of years. We are really just starting to figure out how to build digital trust and what that means for different industries. There was certainly a fair share of buzzwords and solutions spoken of, but the B’s were front and center, with Biometrics and Blockchain in the top slots (honorable mention to the Internet of Things).
Maxine Most, founding Principal of Acuity Market Intelligence, the definitive authority on global biometrics market development, stated that customer friction has resulted in 13 times more lost revenue than fraud. We are in a time when we can increase security and decrease friction, which should be the goal for every transaction. Biometrics allows companies to solve both friction and fraud. Born out of tech and the coolness factor, biometrics has cooled over time into a solution-oriented approach, especially in government. For a long time biometrics was about surveillance. Biometrics today is more about security, and the evolution of mobile devices has played a key role.
The stats cited by Maxine on the number of mobile devices that enable biometrics and the number of transactions that will be occurring on them in 2020 are staggering, truly game changing. The global smartphone install base is set to grow 50 percent in the next four years to 6 billion devices totaling $355 billion in revenues. We were asked to think about all of the ways we use our mobile devices today and how dramatically that has changed over the past few years. Think of how often you make a phone call vs. the many routine uses that are now second nature. A lot of these uses likely include biometric authentication such as a fingerprint. Touch ID was a tipping point for the industry.
Biometric authentication is very passive compared to other authentication options. There is no fumbling around to find and capture a credential, no remembering crazy passwords or answers to annoying questions. If companies make it hard for people to do the things they want to do, they won’t do it. With biometrics, you must also consider giving consumers a choice; otherwise it can seem creepy. For example, today at airports in Canada, travelers can opt for a retina scan to expedite the security process, rather than going through the slow line. If it were mandatory, it would likely feel like a violation rather than a benefit. Having options at the device level where consumers control the choice also makes biometrics more adoptable and less creepy.
While there is a much broader acceptance of biometrics today, there is still a false perception that when you authenticate yourself one time you are protected throughout the transaction and future transactions with that entity. This is not the case; real threats go beyond just the login or one-time action. Verification must be continuous to truly safeguard those involved in the transaction. For example, for patients in hospitals, banking customers and even sharing-economy apps, verification should not be considered a one-time thing. The idea of the fabric of an identity of authentication was conveyed. If the same person is not repeatedly represented in an authentication process, the whole thing is destroyed. It was stated that the only way we can do this repeatedly, consistently and unquestionably is with biometrics, as opposed to something you know, which is not sufficient anymore (passwords, KBAs, etc.). This is the opinion of some.
But we know there is no such thing as a perfect solution. Companies must consider what fraudsters are doing today and innovate as they authenticate. One issue is liveness detection for images. Stealing images and passing them off for facial recognition will work if there is not a liveness detection test in the solution. To further layer on top of innate biometrics that could be stolen, the case was made for behavioral biometrics to protect users and data when it comes to mobile device spoofing, being tricked into downloading malware on your device and simply having your device stolen. Behavioral biometrics measure and track uniquely identifying patterns in human activities and range from tracking keystrokes and navigation, to location and device login frequency. This offers another way for consumers to be protected by being passive.
The other B word that was highly mentioned in addressing the question of establishing a trusted digital identity was blockchain. Maybe you know blockchain and are a big fan, maybe you thought it was a thing of the past. Let’s start with the definition according to wiki: blockchain is a digital ledger in which transactions made in bitcoin or another cryptocurrency are recorded chronologically and publicly. The first blockchain was conceptualized by Satoshi Nakamoto in 2008 and implemented the following year as a core component of the digital currency bitcoin, where it serves as the public ledger for all transactions. The bitcoin design has been the inspiration for other applications.
Essentially blockchain keeps a record of transactions that cannot be manipulated and establishes decentralized and distributed trust. Blockchain was spoken of as more of a movement than a technology. This is largely due to the fact that, as speaker David Birch of Consult Hyperion put it, we have gone from not being able to tell if you are a dog on the internet to not being able to tell if you are a fridge pretending to be a dog. Maybe a tad dramatic, but maybe also too true – hello, catfishing.
Fraud has dramatically increased in recent years, and it is his belief that it’s going to get worse because of the movement to make everything frictionless in payments and financial transactions. He stated that making everything easy is a hacker’s paradise. One example is the fact that we still use SMS messages for security even though we know this is not secure. And thanks to the internet of things, we live in a world where we have kettles that are connected to Wi-Fi so that we can remotely operate them, where we have Bluetooth socks and Fitbits for dogs (unclear why but they are both allegedly amazing and in high demand). The dark side of this to consider is that all of this connectivity leaves us vulnerable and more open to attacks. But, as David says…there’s blockchain. Bitcoin is a remarkable cryptographic achievement and the ability to create something not duplicable in the digital world has enormous value. TBD on the future of blockchain but it says something that almost every major financial institution in the world is doing blockchain research at the moment and 15% of banks are expected to be using blockchain in 2017.
Conclusion: Problems Aren’t Changing, They Just Look Different
When it comes to tech solutions for authentication, in a lot of ways we are still at step one. If institutions want to scale, it has to be easy – take the human out of the equation whenever possible, but we are not there yet. There is still too much room for human error, and institutions and providers are figuring out how to adapt solutions for different environments.
In a room of hundreds of identity professionals, fewer than 10% confirmed using a crypto key to protect their personal email, even though we know we are at risk. Consumers will always choose the path of least resistance. Users have to clearly see the value. There are no silver bullets or absolutes. Institutions must consider the use case and the best solution, identifying a point where the authentication meets the level of trust required and addresses the level of risk associated.