Biometrics and Mobile Security – Points to Ponder

May 12, 2011 by Mike Byrnes

Last week’s FS-ISAC Annual Summit in Miami was once again top notch. This is the second year Entrust has participated in the event which, in my opinion, is one of the top venues for bringing financial security decision makers and industry experts together to discuss, debate, brainstorm and overall collaborate on the top information security issues. Last year, the primary theme centered on Man-in-the-Browser (MITB) attacks; this year, as many would guess, mobile banking was the spotlight topic. It’s no wonder, given that every major bank has already rolled out a first generation solution – some with as many as 5 million subscribers – not too shabby, as they say here in the Ottawa valley. Many of the banks that I met with are still struggling to find an effective way to implement strong security for the mobile channel and quickly admitted that user experience was very important, perhaps even more so than the strength of security provided. Entrust launched a new offering at the conference that directly addresses both of these top priorities and also provides a compelling means to deliver cross-channel authentication capabilities natively within the bank’s mobile application.

At the conference, I had two separate discussions on the use of biometric devices – one around the concept of using your thumbprint to unlock your smart phone and the other related to voice biometrics for transaction authentication. The voice biometrics chat (one might say friendly debate) was particularly enjoyable since the woman with whom I was having the discussion was very passionate about the technology, and my own background in the technology is pretty deep, having worked in the speech recognition market for over 5 years. She went on to describe her positive personal experience about using the technology – even with a very bad cold, the recognition engine accurately confirmed her unique identity. (I think it’s probably more accurate to say it didn’t reject her.) She explained how the technology could be used to help with online security using an out-of-band approach to defeat advanced MITB threats. My response – you’re right! (not a bad response to give to a woman, based on my experience :-) ) But I went on to explain that while speech recognition has come a long way in accuracy, it just doesn’t make the grade on simple user experience. “What? Isn’t speaking one of the easiest things to do?” she shot back. Well, yes, speaking is easy; but it’s not that conducive unless you’re in a private setting, which is often not the case on a mobile device. Before smart phones, I could check my email by phoning into my email server and issuing speech commands – “play, forward, record a reply” – effective, yes; useable on a train, waiting for a bus, in an airport lounge, in a restaurant, while in the company of colleagues at lunch? – No. Smart phones offer us the ability to easily communicate privately, in our own little world, in the presence of virtually anyone – think about how many times you have texted, emailed, checked a sports score or Facebook status while in a public setting – my guess is you’ve likely done it several times today alone.

Now, imagine using speech as an alternative input mechanism…. Get my point?

To sew this up quickly, the second discussion was around thumbprint verification to access your device – seems pretty easy, perhaps easier than entering a PIN (though I’m not convinced) – and it’s secure as well; the question then becomes – do we really need it? For the number of times we lose our device and a criminal obtains it, cracks our PIN, and cracks our online banking password, all BEFORE our device is remotely wiped – do we really need this level of sophisticated security? To me, it’s about balance – security, cost, and ease of use – sure, depending on the use case, one of these three may get more priority, but in general, one must consider all 3 before implementing technology simply for technology’s sake.

Mike Byrnes

About

Entrust product manager Mike Byrnes has more than 20 years’ experience in product management and technology marketing with a focus on internet security and business communication systems. Mike drives product marketing for the Entrust IdentityGuard authentication platform with a significant focus on mobile solutions. In addition to mobile, his background covers identity and access management, fraud detection, malware protection, and email encryption solutions. Mike serves as vertical market prime for Entrust’s financial services segment, working with large banks across the globe to roll out solutions to their consumer- and corporate-banking client base.

2 thoughts on “Biometrics and Mobile Security – Points to Ponder”

  1. Stephen Wilson

    So, “the [voice] recognition engine accurately confirmed her unique identity” but in the very next sentence we have “I think it’s probably more accurate to say it didn’t reject her”.

    That is, the system might well have recognised someone else in her place! So what’s “unique”?

    The casual use of the word “unique” is a curse in biometrics. There is little published scientific evidence that any of the common biometrics is “unique” (iris being a notable exception). But even if a trait is highly individual, the vagaries of real world measurement apparatus and conditions, and the desire to not inconvenience too many bona fide users by rejecting them means that every system commits false positives. No biometric system ever behaves like the trait is unique.

    This is not mere nitpicking. The biometrics industry gets away with terrible hyperbole, aided and abetted by loose talk. Managers and strategists need to understand at every turn that there is no such thing as perfect security. Biometric systems fail. They do not behave as if people are unique: they occasionally confuse one person with another, and they occasionally fail to recognise a legitimate subject. But when lay people hear “unique” they think that’s the end of the story.

    With more critical thinking, managers and biometric buyers would start to ask the necessary tough questions. Like: How are you testing this system? How do real life error rates compare with bench testing? And what is the plan in the event that a criminal steals a user’s biometric?

    1. Mike Byrnes

      Hey Stephen – thanks for your comments – I fully agree with your points. (I think in my original blog I should have put quotes around the second part of this sentence to make it clear which comments were those of the woman to whom I was speaking and which were mine. i.e.: She went on to describe her positive personal experience about using the technology – “even with a very bad cold, the recognition engine accurately confirmed my [her] unique identity”. MB-> I think it’s probably more accurate to say it didn’t reject her.)

      This said, while you and I concur that speech recognition does have shortcomings in that it cannot uniquely identify users and is subject to fraudulent access, I think there are use cases where it can play a role. In online security, experts often recommend a “layered approach” whereby different types of security / authentication are used depending on the type of transaction and situational risk (i.e.: are there anomalies that indicate potential fraud, such as unusual user behavior or unusual web access activity?). We know that each authentication approach has its own strengths and weaknesses when cost, usability and security effectiveness are assessed and that there is no perfect authentication approach (i.e.: top marks in all 3 categories). So when we consider voice biometrics as an authenticator, I think it can have a role to play depending on the use case. For example, if a “risky” transaction is occurring, a banking system may choose to place an automated phone call to the registered user of the account and challenge the user with voice biometrics. While it is conceivable a criminal could subvert the system to have that outbound call placed to his phone AND he may possibly be able to impersonate the registered account user, the likelihood of this occurring is quite low (not impossible though). You have to admit this approach is better than simply having the system place an outbound call to the user and providing them with a one time password to enter into the web session without the voice verification. So, it all comes down to balancing risk and cost and user experience.

      All this said, I still maintain my original point of my blog – while speech recognition offers some level of security, I do not believe it is user friendly in many situations. From original post: “Well, yes, speaking is easy; but it’s not that conducive unless you’re in a private setting which is often not the case on a mobile device. Before smart phones, I could check my email by phoning into my email server and issuing speech commands” play, forward, record a reply” – effective yes; useable on a train, waiting for a bus, in an airport lounge, in a restaurant, while in the company of colleagues at lunch? – No. Smart phones offer us the ability to easily communicate privately, in our own little world, in the presence of virtually anyone – think about how many times you have texted, emailed, check a sports score or Facebook status while in a public setting – my guess you’ve likely done it several times today alone. Now, imagine using speech as an alternative input mechanism…. Get my point?”

      Funny enough, I was reading a draft whitepaper yesterday from a top financial security analyst and he made some interesting points on the use of voice biometrics. While he accurately pointed out that the user may not always be in a location suitable for talking due to privacy considerations and excess background noise, he did submit that voice biometrics may be preferred by the user when it’s inopportune to type or they simply have a personal preference for this approach. I have to agree with his point to some degree. At the end of the day, the bank (or any organization) deploying authentication to their customers really needs to consider an authentication platform that supports a broad range of authentication options to meet varied use cases based on cost, usability and security protection.

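The two points made in this exchange, that a voice biometric always trades false accepts against false rejects at whatever threshold it runs, and that layering the voice check on an out-of-band callback multiplies down an attacker's odds rather than removing them, can be worked through with a small illustration. This is an added example, not code from the post or from either commenter; the match scores, threshold grid and the 5% call-diversion probability are constructed assumptions, not measurements of any product.

```python
"""Worked example: biometric error rates at a threshold, and the effect of
layering a voice check on top of an out-of-band callback. All numbers are
constructed for illustration; they are not measurements of any product."""

# Constructed similarity scores in [0, 1]: higher means "sounds more like the
# enrolled user". GENUINE are the real user's attempts (one with a bad cold);
# IMPOSTOR are other speakers trying the same account.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.85, 0.60, 0.93, 0.80, 0.77, 0.89]
IMPOSTOR_SCORES = [0.35, 0.42, 0.28, 0.66, 0.51, 0.30, 0.45, 0.74, 0.38, 0.40]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) for an accept-if-score>=threshold rule.
    FRR: fraction of genuine attempts wrongly rejected.
    FAR: fraction of impostor attempts wrongly accepted (the "not unique" case)."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def sweep(genuine, impostor, thresholds):
    """Map each candidate threshold to its (FRR, FAR). Raising the threshold
    lowers FAR but raises FRR; on real data neither reaches zero."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}


def equal_error_threshold(genuine, impostor, thresholds):
    """Threshold where FRR and FAR are closest: the usual operating point when
    neither kind of error is preferred over the other."""
    rates = sweep(genuine, impostor, thresholds)
    return min(rates, key=lambda t: abs(rates[t][0] - rates[t][1]))


def attacker_success(p_redirect_call, far_voice=None):
    """Probability an attacker defeats the out-of-band step.
    p_redirect_call: chance the callback is diverted to the attacker's phone.
    far_voice: FAR of the voice check at the chosen threshold, or None when the
    callback only reads out a one-time password. The two are assumed independent."""
    return p_redirect_call if far_voice is None else p_redirect_call * far_voice


if __name__ == "__main__":
    grid = [0.5, 0.6, 0.7, 0.8]
    for t, (frr, far) in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, grid).items():
        print(f"threshold {t:.1f}: FRR={frr:.0%} FAR={far:.0%}")
    t_eer = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, grid)
    far_at_eer = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t_eer)[1]
    print("OTP callback alone:", attacker_success(0.05))          # 0.05
    print("OTP callback + voice:", attacker_success(0.05, far_at_eer))  # 0.005
```

Even at the equal-error threshold the voice check still accepts one impostor in ten, which is the commenter's point about "unique"; the reply's point survives too, since that 10% multiplied onto the callback-diversion probability is still far smaller than the callback alone.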
