Biometrics: a question of standards and yet more questions
Watching the recent smartphone launches, I am taken aback by just how much smartphone manufacturers have contributed to the normalisation and acceptance of biometrics by consumers.
Biometric technologies can be used to provide a means of uniquely identifying a person based upon one or more physical or behavioural characteristics. The term “biometrics” is derived from the Greek words “bio”, meaning life, and “metric”, meaning to measure. In the 1800s, Alphonse Bertillon, a French police officer and biometrics researcher, created the Bertillon system, which identified prisoners by means of a detailed record of body measurements, physical description and photographs. The Bertillon system was the precursor to fingerprinting, which is now so common it is on almost every recent smartphone.
From face recognition and voice recognition to fingerprint scanners on one’s mobile device, today’s very real biometric solutions were previously considered to be the stuff of science fiction. We are far enough along in our appreciation and acceptance of these technologies that not only are we willing to provide our biometrics in exchange for the convenience of faster phone unlocking, but we allow these same details to be stored on devices – thus separating them from our physical person and immediate control.
Smartphone manufacturers may well continue to ease the acceptance of, and the path to, biometric adoption for other industries and verticals. A small stretch of the imagination sees biometrics’ potential use in education, financial services, smart homes and the internet of things (IoT). The reason for this wide set of opportunities is that they help resolve the all-important issue of a “unique identifier” that is difficult to steal, falsify or otherwise replicate.
For financial services, regulations such as the upcoming PSD2 have requirements for strong customer authentication (SCA). This will require what is called “two-factor authentication” to ensure the approvals are in place for electronic transactions. Two-factor authentication means that authentication of a customer’s identity must be based on 2 or more independent elements:
- knowledge (something only the user knows) – this could be a password;
- possession (something only the user possesses) – this could be a mobile device;
- inherence (something the user is) – this is where the biometric comes in.
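As an added illustration of the SCA rule just listed (this is example code, not from the article or from any regulator’s text), the toy check below accepts an authentication attempt only when at least two verified elements come from different categories. The `channel` field, and the rule that two elements proven through the same device or path do not count as independent, are simplifying assumptions of this example and are stricter than the regulation itself, which permits multi-purpose devices under additional safeguards.

```python
"""Toy strong customer authentication (SCA) check.

Added example, not code from the article. It models the rule stated
above: authentication must rest on two or more independent elements,
each from a different category (knowledge, possession, inherence).
The 'channel' field and the rule that two elements proven through the
same channel are not independent are simplifying assumptions here.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (e.g. a password)
    POSSESSION = "possession"  # something only the user possesses (e.g. a phone)
    INHERENCE = "inherence"    # something the user is (e.g. a fingerprint)


@dataclass(frozen=True)
class Element:
    category: Category
    method: str      # human-readable label such as "password" or "fingerprint"
    verified: bool   # result of this element's own check (password match, OTP match, ...)
    channel: str     # assumed field: the device or path through which it was proven


def sca_satisfied(elements):
    """True when at least two *verified* elements come from different
    categories and were proven through different channels."""
    proven = [e for e in elements if e.verified]
    for i, a in enumerate(proven):
        for b in proven[i + 1:]:
            if a.category != b.category and a.channel != b.channel:
                return True
    return False


def explain(elements):
    """Return the categories that actually count, e.g. for an audit log."""
    return sorted({e.category.value for e in elements if e.verified})


# Constructed sample elements, as a bank's authentication service might see them.
PASSWORD_WEB = Element(Category.KNOWLEDGE, "password", True, "web-session")
PIN_WEB = Element(Category.KNOWLEDGE, "pin", True, "web-session")
OTP_PHONE = Element(Category.POSSESSION, "sms-otp", True, "registered-phone")
FINGERPRINT_PHONE = Element(Category.INHERENCE, "fingerprint", True, "registered-phone")
FINGERPRINT_FAILED = Element(Category.INHERENCE, "fingerprint", False, "registered-phone")
APP_PIN_PHONE = Element(Category.KNOWLEDGE, "app-pin", True, "registered-phone")

if __name__ == "__main__":
    print(sca_satisfied([PASSWORD_WEB, OTP_PHONE]))           # True
    print(sca_satisfied([PASSWORD_WEB, PIN_WEB]))             # False: one category twice
    print(sca_satisfied([PASSWORD_WEB, FINGERPRINT_FAILED]))  # False: second element not proven
    print(sca_satisfied([APP_PIN_PHONE, FINGERPRINT_PHONE]))  # False under this toy's channel rule
```

The second and third cases are the ones worth noticing: a password plus a PIN is still a single factor, and a biometric that was captured but did not match contributes nothing, however many elements were presented.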
Further, fingerprints, voice authentication and face scans are becoming increasingly attractive solutions for cutting down on customer identification costs, while simultaneously raising the overall know your customer (KYC) criteria. This can go a long way towards improving a customer’s experience during client onboarding.
HSBC, for example, is working with FacePhi on biometric projects whose aim is to let clients access their bank accounts and restricted areas just by taking a selfie. “Selfie” is a concept and word so young that it was Oxford Dictionaries’ Word of the Year for 2013.
My bet is still on the fingerprint continuing to be the fastest adopted biometric in the biometric revolution as it pertains to financial services, with firms like Fingopay (part of Sthaler), the first “match-on-cloud” biometric platform, already being trialled by supermarkets in the UK. One can easily foresee a cashless, cardless or even, dare I say, mobile-phone-less purchasing experience. Fingopay uses VeinID technology to read your finger. This is similar to Barclays’ Hitachi Vein ID, which is aimed at corporate customers and allows authorisation of transactions by simply placing one’s finger on a sensor. This takes advantage of the fact that vein patterns remain unchanged throughout a person’s life.
A report by Oxford University and Mastercard – “Mobile Biometrics in Financial Services: A Five Factor Framework” – highlights performance, usability, interoperability, security and privacy as the major factors in accelerating the successful deployment and adoption of mobile biometrics.
The main challenges I see are inextricably linked to those factors. The first is the need for a common standard for the collection, management and use of biometric data. With potential use cases as far afield as health, payments and driverless cars, the ability to correctly and securely identify an individual across platforms will be key. The Oxford and Mastercard study quotes a GlobalWebIndex statistic that “a typical digital consumer owned 3.6 connected devices in 2016”. Without embellishing too much, I think this number can and will increase exponentially as we enter the world of IoT.
With so many different use cases, I think biometric technology standards are the best way to ensure interoperability and data interchange among applications and systems while, at the same time, ensuring the requisite security and privacy. In short, standards are the only way to create a world that we (today) can only imagine, one where your car can verify a payment or your desk can verify that you did the homework assignment. To arrive at that world, elements such as standard biometric APIs, standard biometric data formats, and standard application evaluation and testing criteria will be needed.
ISO/IEC 24745:2011, for example, provides guidance for the protection of biometric information under various requirements for confidentiality, integrity and renewability/revocability during storage and transfer. Additionally, it provides requirements and guidelines for the secure and privacy-compliant management and processing of biometric information.
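To make the three properties named above concrete, here is an added toy example (my own code, not the article’s and not the mechanism defined by ISO/IEC 24745 itself) of a stored biometric reference that keeps the raw template confidential, is integrity-protected, and can be renewed and revoked without the person having to change their biometric. It assumes the biometric sample has already been reduced to a stable vector of small integers; real samples are noisy, so deployed systems use error-tolerant constructions such as fuzzy extractors or cancelable transforms. It also assumes the per-enrolment secret is stored apart from the reference itself.

```python
"""Toy renewable / revocable protected biometric reference.

Added example, not the article's code and not the ISO/IEC 24745 scheme;
it only illustrates confidentiality, integrity and renewability/revocability
of a stored reference.  Assumptions: features are already a stable vector of
small integers, and the per-enrolment secret is kept outside the reference store.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectedReference:
    reference_id: str       # names this enrolment, not the person
    pseudonymous_id: bytes  # keyed digest of the template; raw features are never stored
    version: int            # incremented on every renewal


def _encode(features):
    # Fixed-width encoding so that e.g. [1, 23] and [12, 3] cannot collide.
    return struct.pack(f">{len(features)}H", *features)


def _derive(secret, features):
    # HMAC gives confidentiality (the digest does not reveal the features
    # without the secret) and integrity (a modified reference will not verify).
    # The secret must live outside the reference store; if both leak together,
    # an offline guess over a small feature space becomes possible.
    return hmac.new(secret, _encode(features), hashlib.sha256).digest()


def enrol(features, version=1):
    """Create a fresh secret and the protected reference derived from it."""
    secret = secrets.token_bytes(32)
    ref = ProtectedReference(secrets.token_hex(8), _derive(secret, features), version)
    return secret, ref


def verify(ref, features, secret):
    """Constant-time comparison of a presented template against the reference."""
    return hmac.compare_digest(ref.pseudonymous_id, _derive(secret, features))


def renew(ref, features):
    """Renewability: issue a new secret and reference for the same biometric.
    Revocability: once the old secret is discarded the old reference is dead,
    and the new reference is unlinkable to the old one."""
    return enrol(features, version=ref.version + 1)


# Constructed sample: a pretend quantised template, not real biometric data.
SAMPLE_FEATURES = [3, 7, 1, 9, 4, 4, 2, 8]

if __name__ == "__main__":
    secret, ref = enrol(SAMPLE_FEATURES)
    print(verify(ref, SAMPLE_FEATURES, secret))           # True
    new_secret, new_ref = renew(ref, SAMPLE_FEATURES)
    print(verify(ref, SAMPLE_FEATURES, new_secret))       # False: old reference revoked
    print(ref.pseudonymous_id != new_ref.pseudonymous_id)  # True: unlinkable across renewals
```

The same mechanism is what makes two enrolments of one person at two different services unlinkable: each service derives its reference under its own secret, so a breach at one yields nothing that matches at the other, which is exactly the property a leaked fingerprint database would otherwise lack.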
This leads me to the second challenge, that of what I refer to as the “second order” or “follow-on” questions. Simply put, there are questions surrounding biometrics usage that are not simple to resolve, ones that mix practical and more philosophical considerations. Practically: how many consumers are even aware of the above ISO standard? Or of the implications of the General Data Protection Regulation (GDPR) for them as individuals? While GDPR has steep fines for loss or misuse of personal data (the greater of 4% of turnover or €20 million), I believe that the more “personal” our technology becomes, and the more able it is to identify each of us, the more we as data owners will need to understand the rules governing its use. Thankfully, a likely consequence of GDPR is that terms and conditions for the use of data will be made easier to understand, to facilitate mandatory consent and more control over one’s personal data.
In the recent Equifax data breach, where birth dates, Social Security numbers and addresses of Equifax users were stolen, one can easily imagine fingerprint data and other biometric data soon being part of such headlines. This raises some less practical and more philosophical questions, such as: who should be allowed to aggregate and store such mass volumes of sensitive biometric data? Should it be private firms? Should it be governments? Or some utility controlled by both? And, more so, what is the role of us as individuals in ensuring our data’s security?
In closing, the world we can imagine, as I referred to earlier, may not be that far away. In Singapore, for example, biometrics have been made a requirement at major checkpoints (the Tuas and Woodlands checkpoints). It is hoped that, in addition to better managing immigration, their use may also halt the spread of diseases, since biometrics will be linked to medical records. Yet more questions: who should have the right to know or see your medical information?
We will only harness the true potential of biometric technologies when we can agree on the magnitude of the trade-off between security and convenience, along with at least some agreement on the follow-up questions – both practical and philosophical – regarding how such data will be collected, used, stored and protected.
By Tapiwa Manjengwa, a financial services technology professional
Follow him on Twitter @T4PiW4