Posts Tagged ‘FIDO’
October 25, 2018
I just returned from the four-day Money 20/20 event in Las Vegas. The show covers the overlap of Money and Technology including FinTech, Payment, Ecommerce and more. It had tens of thousands of attendees, over 3,500 companies, 400 startups, and lots of star power including Richard Branson, Shaquille O’Neal, Akon, and yours truly speaking on a biometrics panel.
I walked the show floor to find the latest news in embedded biometrics and to better understand the choice between embedded and cloud based biometrics in the fintech/money space. I was impressed by how biometrics has moved into the mainstream conversation. Before mentioning the other companies I talked to, I’ll kick off with Sensory, my company.
Sensory’s focus on AI and biometrics has always been on the embedded side. We believe in data privacy, and we think the best way to accomplish that is by keeping the data in the hands and under the control of the user. On a less promotional front, there is also a strategic reason we focus on embedded: the industry giants are really good at cloud based and unconstrained AI tasks, and they often give it away for free, so we are focused on a place where the Googles and Amazons of the world can be our customers and not just our competitors. On the last day of Money 20/20, Sensory introduced TrulySecure 4.0, a fusion of face and voice biometrics with improved accuracy, speed, and support for 3D.
BioConnect sponsored one of the excellent lunches at the show. I spoke to Rob Douglas, Founder and CEO of BioConnect, who said, “We are on the quest for rightful identity and what we offer is a market leading mobile biometric authentication solution for the enterprise. We provide a building block like a piece of LEGO that you can apply into all the infrastructure of an Enterprise to upgrade from passwords and key fobs to a world where you have higher assurance when you are conducting digital or physical transactions.” BioConnect has been in business for eight years and has 1,600 customers. At Money 20/20, the Bank of Montreal announced a partnership with BioConnect and IBM.
BioConnect has a strong belief in face authentication, but also works with other biometrics including voice, eye, fingerprint, and behavioral. According to Douglas, “We believe in both cloud and client and we support the FIDO approach, but there are use cases where the transport of the biometrics through a cloud-based infrastructure can make a lot of sense.”
The FIDO Alliance had a large area with alliance members touting their wares. FIDO (Fast Identity Online) is “the World’s Largest Ecosystem for Standards-Based, Interoperable Authentication.” I spoke to Andrew Shikiar, the CMO of the FIDO Alliance. Local authentication with biometrics is key to the FIDO approach. “Whether you are storing passwords or biometrics, a central repository will be targeted, and will be breached to be used in nefarious ways.” When I asked Shikiar about the desire to share biometrics across platforms he said, “That’s typical of the type of use case that our technical working groups are working to address, while leveraging the FIDO standards.”
Conor White, President Americas at Daon described Daon as “a human authentication company that provides technologies to allow customers to create and manage digital identities of their users in a way that’s advantageous in a risk and security perspective.” At the show they announced a partnership to expand from their base in mobile into the contact center.
Daon supports a wide cross section of biometrics and provides embedded solutions through the FIDO standard, but can support cloud based biometrics when desired. Daon is seeing more customers getting comfortable with going from on-premises to cloud based implementations, but in the vast majority of cases, the biometrics still reside on the device even if the service is run in the cloud. White sits on the board of the FIDO Alliance and sees the FIDO standard with embedded biometrics gaining ground.
Veritran is a software company based in Buenos Aires that develops innovative and secure digital banking platforms for the Latin American markets. They process over 4 billion banking transactions each year, and they are now expanding from Banking into other Enterprise markets and geographies beyond Latin America. At Mobile World Congress in February, they announced a new platform for secure application development, and at Money 20/20, they demonstrated some of the apps developed on this platform.
Like other companies, Veritran offers a mix of biometric modalities and in talking with Veritran’s CEO Marcelo Gonzales, I learned a very interesting reason as to why they prefer embedded biometrics instead of processing in the cloud. The Latin American customers buy prepaid plans with limited data. To keep their costs down, they must keep their data usage down, and with the biometrics stored and processed on the device, transactions can occur with minimal data costs.
There were a lot of other companies at Money 20/20. As a quick summary, I would say a few important things stood out. Biometrics are definitely taking off as we all understand the problems with passwords. A variety of biometric modalities are offered, but there does seem to be a preference and movement toward face authentication that can run cross platform without specialized hardware. Most vendors offer a choice between having the biometric data stored and processed on the device or in the cloud, but with the FIDO Alliance behind embedded and the clear advantages for security and privacy, the embedded usage case seems to be winning out.
July 19, 2016
Cybersecurity was an important topic at Mobile World Congress Shanghai. I was invited to join a panel with cybersecurity experts from Intel, Huawei, NEC, Nokia, and Ericsson with commentary by a McKinsey analyst. Peter O’Neil, a biometrics industry expert and CEO of FindBiometrics, led the panel. Interestingly, Peter was given a late invitation to lead a Keynote discussion on biometrics (in addition to our panel) when the GSMA decided to put more emphasis on biometrics in response to the broad interest in improving cybersecurity.
I’m about to tell you the painful irony in all this. But first, to get into China I needed a Chinese business visa, and a business visa requires an invitation from a Chinese organization. I was offered an invitation from the GSMA and they had a very effective system for filling out an online form and submitting it to them, all in the process of registering as a speaker. This quickly produced a formal invitation that I could use for my visa application.
On July 7th I received an email that began as follows:
Dear Mobile World Congress Shanghai Attendee:
The GSMA today confirmed that an individual or individuals made unauthorized access to a database system managed by a third-party supplier for Mobile World Congress Shanghai. The system has now been secured and the supplier has provided the GSMA access to its system to conduct a thorough analysis of the incident.
The system that was accessed contained information on Mobile World Congress Shanghai 2016 attendees, including name, company, mobile number, email address and password used for registration and, for those attendees that requested a visa invitation letter from the GSMA, their passport details.
It was really that last line about passport details that upset me. The other information on me is fairly easy to find, but my passport details? I did some Internet searching and called the US Department of State, and I concluded that lost or stolen passports need to be reported immediately, but stolen information from them is only optional to report. So maybe it’s not a big deal. I’m still not sure.
But what if my biometric data had been used as online ID and had been compromised?
Biometrics offer a more convenient and more secure solution than passwords. However, because they are unique and intrinsic to an individual, biometrics are much more sensitive and (except for voice passwords) are not easy to change. For example, we only have two eyes, so if one’s retinal scan (or periocular region, or iris, etc.) is compromised, then we only get one more try. With face we only have one, with fingers 10, etc. This difficulty in changing the biometric leads to a need for “liveness testing” to make sure it isn’t a stolen biometric without a real person behind it. But advances in spoofing approaches (rubber fingers, etc.) force liveness tests to impede the natural convenience of biometrics with unnatural behaviors following random requests.
There’s no real easy solution, but placing the biometric on device is certainly a step in the right direction by keeping it out of the cloud or accessible servers and in a less accessible zone, such as a trusted execution environment (TEE) within a chip on the device the user has (e.g. smart phone).
The FIDO (Fast ID Online) Alliance has been gaining much momentum. FIDO has laid out standards for a user authentication framework (UAF) for passwordless security that, as part of the FIDO spec, requires the biometric to be stored on-device. On-device authentication and FIDO work well for verifying a person (confirming one from one). Performing identification (one out of many) can be done on device for small numbers, like differentiating between family members, but it becomes impractical for things like passport control without a passport where a camera looks at you and just knows who you are out of billions of people.
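The on-device model described above, as an added example (not code from this post or from the FIDO specifications): the one-to-one biometric match runs on the device and only unlocks a signing key, so the server stores a public key and a breach of its database exposes no biometric. The `Authenticator` type, the function names, the toy feature vectors, the 0.25 distance threshold and the use of Ed25519 over a bare challenge are assumptions for illustration; real UAF assertions sign structured data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator models the user's device; template and private key never leave it.
type Authenticator struct {
	template []float64 // constructed toy feature vector, not a real biometric
	key      ed25519.PrivateKey
}

// Enroll keeps the template on the device and returns only a public key,
// which is all the server stores for this user.
func Enroll(template []float64) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{template: template, key: priv}, pub, nil
}

// Sign does the 1:1 match locally and signs the server's challenge only if
// the fresh sample is close enough to the enrolled template.
func (a *Authenticator) Sign(sample []float64, challenge []byte) ([]byte, bool) {
	if len(sample) != len(a.template) {
		return nil, false
	}
	var d float64 // squared Euclidean distance
	for i := range sample {
		d += (sample[i] - a.template[i]) * (sample[i] - a.template[i])
	}
	if d > 0.25 { // hypothetical match threshold
		return nil, false
	}
	return ed25519.Sign(a.key, challenge), true
}

// Verify is the server side: it holds the public key and the challenge it issued.
func Verify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	dev, pub, _ := Enroll([]float64{0.1, 0.9, 0.4}) // constructed enrollment
	sig, ok := dev.Sign([]float64{0.12, 0.88, 0.41}, []byte("nonce-1"))
	fmt.Println(ok, Verify(pub, []byte("nonce-1"), sig))
}
```

Because the server issues a fresh challenge for each login, a signature captured from one session does not verify against the next.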
Security itself comes from something we have (like a passport), something we know (like a PIN/password or the answer to a key question), and something we are (the biometric in us).
So, I think passports will be around for a while, but maybe they will become a software app on my mobile phone that provides the have, are, and know. I’d like my Chinese visa there too!