Biometric identification is a fact of life. Yet choosing the wrong biometric solution can get you sued, increase your costs, cause a user rebellion and turn your life upside down. When choosing a biometric solution, it’s critical that you have certain minimum standards in place.
Whether choosing a biometric for user authentication or as part of a Multi-Factor Authentication (MFA) solution you need a worry-free platform that meets all current regulations and reduces your liability.
Biometric Signature ID (BSI) is a cutting-edge technology leader in the biometrics industry. The company has created and patented important advances in the field of biometrics with multiple national deployments. We wanted to share our experiences and put together questions that can help you evaluate a biometric on its merits.
After 100’s of deployments in multiple industries and over 14M authentications worldwide, we know what a biometric deployment needs to be successful. We recommend that you ask the following questions to your vendors before you adopt any type of biometric:
Top 10 “Must Haves” for Biometric Deployment Success:
- Adaptive and continuous assessment: Some biometrics are used only at log-in with no ability to provide multiple ID authentications when the user is in the account or network. This limits their ability to determine if it is the same person beyond the log-in. Look to see flexibility in inserting the biometric challenge in various parts of the session, and/or have them explain how they use Machine learning/AI to monitor atypical behaviors post-log-in (continuous adaptive authentication). It is important to have both real-time notifications of irregularities and the ability to complete detailed reports for compliance and legal purposes. Remember, the rule that to be a biometric solution you must have an enrollment and template to compare to. Best practice is for this to be interactive/participatory otherwise you never have the proof of identity you need. Instead, you get only an “Assurance Number” that this person is on a scale and likely to be the same person who presented previously. This risk assessment is based on human and non-human habit patterns. With some privacy laws, the fact that a user willingly/actively participates and provides their biometric is inferred consent, thereby reducing potential liability. Privacy laws might find issue if there’s no real or inferred consent (i.e. when information is captured from the user usually without their knowledge). Ask vendors about their ability to capture change over time, ask to see sample reports.
- Standards: This is a big issue in the industry. Many claims of accuracy abound with many having no science behind them. For example, with over 80 facial recognition vendors using different levels of algorithms/various modeling you need to see their independent studies to confirm accuracy with false positives or negatives. If there’s not a published, independent report available – RUN. There’s no sense putting in a system that is un-proven, poor or mediocre, it will catch up with you and you may have to start all over. Also, ask if they own the technology (i.e. is it their patents?). If not, it could mean trouble in the future. With so many solutions on the market today, patent infringement can become a real issue. The last thing you need is to have a solution recalled or your vendor’s vendor modifying the features you really wanted to avoid infringement.
- Collects “signals”: Signals are information that helps reassure the person is acting within norms post-log-in. These methods offer real-time alerts and machine learning to add strategies for identifying fraudsters in your system.
- Passive: Relying on mobile device sensors, measure many mini behaviors, how the user holds the phone, swipes the screen, patterns of access, or gestural shortcuts they use, and external data like bot attacks, geolocation, software algorithms build a unique user profile and a continuous layer of risk assessment for identity assurance. NOT a replacement for log-in passwords. Good for threat vulnerabilities.
- Active: Continuous authentications also captures: OS and browser, password resets, physical location, time, activity, application, level of success, accuracy, history, device used combined with random identity challenges, provides ID authentication PLUS a risk assessment. Good for authentication vulnerabilities.
- Deployment and integration: Ask about time to deploy, cost and integration specifics. It should take very little time and be completed in only a few hours (in most cases). Ensure they have deployed and have a history of success, ask for references. Cost and total cost of ownership (TCO) need to be quoted by service delivery.
- Identity recovery: Look for a system that has several ways of password resets. For example, email tokens or alternative methods that are reasonably seamless. Make sure they share their results of research showing levels of password resets requiring help desk calls. You also want to know how many users on average use a password reset without requiring a manual help desk call. You want to know these so you can resource up and look at the Total Cost of Ownership (TCO).
- User experience: A big issue and it should be measurable. Ask to see how they measure success with your users. Have them show their research studies for user experience. There are two types: first is survey information using validated instruments and second is the data itself. Get both. Ask how do they change/modify accuracy levels to adjust to their specific user group after your results show a need to alter? Can they adjust if your group has too many password resets (a sign of poor acceptance) or is too easy to spoof, takes more than average time, etc. If they are not measuring their own backyard metrics it spells trouble going forward. How do you know the solution is working and meeting your expectations? As a company you should NOT use something that appears weak, makes frequent errors, is not natural, takes too much time… as users will question your decision to use this and likely rebel.
- Multiple devices: ID authentication is necessary when users are logging in using multiple devices. Most bonus points go to the biometric that can work across your PC, tablet and phone, OS and browsers. Look for this feature as it will make your choice of biometrics adaptable to meet your future needs, even if you don’t know what these needs are yet. This is a great way to hedge your bet.
- Communication: This goes without saying. Can you call your biometric vendor directly and get an answer immediately? Do they provide training and updates for you? Many companies don’t own their own biometric solution, so this one step of distance is a huge disadvantage when things go wrong and for any modifications as the time to resolve is longer. Do you have a dedicated technical account rep? Effective and timely communication is part of the success recipe so do your homework with prospect vendors. Ask to see their latest client newsletter.
- Multiple applications: The “paralysis factor” is a real barrier to overcome. This is the step that a purchaser goes through as part of decision making. What if I buy now but then what I selected is obsolete in 2 years? You don’t want to be tied down to just one application, one device, so look for solutions that have multiple applications. These might include: Use at log-in, or continuously, is there an identity proofing feature for onboarding? Works on multiple devices. Do they offer AI/machine learning forensics? Can it be used for SSO/SIM? Can it integrate within multiple platforms? As your needs change, you want to know your biometric is adaptable otherwise you need to keep changing your solution provider – a task nobody wants.
- Liability Issues: The two types of biometrics Physical/static (fingerprint, retina, face and more) and Dynamic/Behavioral (gait, signature/gesture, keystroke) have different use cases, risks and liability issues. Biometrics are biologically unique to the individual and once compromised, you run out of options to use these going forward and are at higher risk for identity theft. Continuing to use physical biometrics for identity access is lower now than ever. The Illinois Biometric Information Privacy Act (BIPA) (740 ILCS 14/) names physical biometrics as biometric identifiers with higher risks as you can’t grow new fingers or face if compromised. Ransomware is also increasing and once your face is out there what is to stop criminals from showing your face in compromising web sites or situations and then demanding money to remove you? This has dampened some enthusiasm to select a physical biometric until the lawsuits are decided, and everyone knows the ongoing risks. A recent example of risk is the face recognition solution that failed to correctly identify 26 Senators who were wrongly flagged as criminals. In addition to poor accuracy solutions, privacy is the biggest concern. The recent settlement (January 30, 2020) of $550M by Facebook after they lost the appeal to change BIPA standards for facial recognition, now opens the market for multiple class action and personal lawsuits. Additionally, the federal government is going forward to create facial biometrics legislation that would regulate this technology to “protect the private and civil liberties of individuals”. https://www.planetbiometrics.com/article-details/i/10749/desc/monument-advocacy-memo-on-face-recognition-hearing-pt-iii/. Many are saying why gamble until this is all over?
BIPA also states that Biometric identifiers do not include writing samples, or written signatures so these biometrics are not subject to the same arduous obligations in the privacy act as physical biometrics.
Takeaway: Use a Dynamic/Behavioral biometric to lessen the risk of class action lawsuits. Make sure your selection passes the Top 10 Tips. These biometrics are considered less intensive/riskier because they collect a behavior and if hacked you can do a simple re-enrollment and change your patterns of drawing 4 characters. This do-over is like other regular passwords, except it is so much more secure. This makes them the only biometrics that can be changed/replaced so evaluate this biometric class first. Protect yourself and your virtual identity.
About the Author: Jeff Maynard is the CEO/Founder of Biometric Signature ID, a company with hundreds of successful deployments in multiple market sectors with over 14M authentications worldwide. Jeff is an expert in the field of dynamic/behavioral biometrics with several patented inventions using biometric technologies for identity authentication. A few of BSI’s awards include: Selection by White House for the National Strategy for Trusted Identities in Cyberspace, New Product of the Year from Frost and Sullivan, Top 10 Multi-factor Authentication Provider CIO Review, Emerging Technology Award State of Texas, Top 20 Ed Tech, featured in Fortune magazine. Jeff has been a guest speaker at over 20 conferences and guest lecturer at the University of Texas at Dallas and University of North Texas and is the author of numerous white papers/blogs on ID authentication.
To find out more, or schedule a sales demo, visit – www.biosig-id.com | (469) 480-0310