Using Open Standards to Remove Vendor Bias
By Hector Hoyos
Biometrics and biometric technologies have taken front and center stage for consumers and enterprises as more and more hacks are exposed, and businesses explore new and better ways to secure their customers’ identities and data. Yet, even as the use of biometrics has rapidly expanded and become more mainstream – thanks to companies like Apple and the development of TouchID – there are still misperceptions about the technology.
Many of these misperceptions stem from the proliferation of vendors that purport to be biometrics experts and have created a glut of misinformation touting their products in order to grab a share of the global biometrics market, which is expected to generate more than $30 billion in annual revenue by 2020.[1]
Each vendor claims to solve the identity management problem by using biometrics to replace or reduce reliance on passwords – which have been universally acknowledged to be difficult and costly to manage as well as prone to hacks and data breaches. Each has also created a surfeit of marketing materials to support its claims, leading to the aforementioned misperceptions.
For consumers and enterprises, wading through the sheer volume of marketing information in order to understand the technology is a daunting prospect. So how does one cut through the vendor bias to focus on the science of biometrics?
The Identity Problem
Today, vendors have taken vastly different approaches to addressing identity and access problems. Some have gone the way of vendor alliances – in which members band together to create guidelines that advance common goals and interests. Others have taken the approach of creating their own customized solutions utilizing third-party open and closed frameworks that are still largely based on PINs and passwords.
While at first glance these approaches may seem attractive, there is a fundamental flaw in the design: they depend on the willingness of vendors to work together despite often-competing business interests and dependencies that may shift over time as the global market changes. In a world where analysts have predicted that there will be 4.8 billion biometrically enabled smart mobile devices generating $6.2 billion in biometric sensor revenue, 5.4 billion biometric app downloads generating $21.7 billion in annual revenues from direct purchase and software development fees, and 807 billion biometrically secured payment and non-payment transactions generating $6.7 billion in authentication fees by 2020,[2] that is a major cause for concern. After all, history has proven that an ally today may be an adversary tomorrow.
At Hoyos, we’ve chosen to eliminate reliance on any one vendor or group of vendors by creating technology that can be openly and freely shared and developed upon by whoever wishes to utilize it.
Hoyos has chosen that approach because, at the end of the day, the primary goal of biometrics technology is identity authentication. Remember that biometrics tell us that a person is who he or she claims to be with a high degree of assurance by utilizing a person’s unique physical characteristics. In order to achieve this authentication assurance at scale, and for any type of transaction and industry, a solution must offer three things:
- Standardization to ensure interoperability between vendors, and an open set of protocols on top of which a robust ecosystem of products and services can be developed by anyone wishing to do so
- Security of the solution and the biometric vector itself to prevent hackers from accessing and using a person’s data
- Convenience to ensure widespread adoption and continued usage
BOP as a Standard
The lack of interoperability of existing authentication solutions has long been regarded as an industry-wide problem that stretches beyond the biometrics space, and which directly relates to increasing instances of fraud across many sectors.
The Biometric Open Protocol was developed by Hoyos Labs to enable interoperability between biometric products. At its core, it is a biometric-neutral protocol that allows for pluggable and interchangeable modules, including those that provide identification, access control, authentication, role gathering and auditing.
The protocol defines an end-to-end identity authentication platform and access control infrastructure, integrating front-end and back-end systems and including rules governing secure communications within those environments, as well as the protection of digital assets and identities – all of which are necessary to perform server-based enhanced biometric security.
It was developed specifically to address issues pertaining to biometrics, since it is based on biometrics from the outset, unlike other identity frameworks or protocols in existence today. Its open-source, RESTful API and modular components enable integration with third-party biometric solutions, and it can also plug into existing non-biometric authentication protocols, functioning as a seamless bridge from legacy to new technology without requiring new hardware purchases or lengthy implementation schedules. This essentially enables any device to be controlled with biometrics, and lets solutions be developed and deployed in a cost-effective manner.
Ensuring interoperability, however, was only one of the goals of the research. It was also very important that the technology be open and shareable. To accomplish that, Hoyos submitted the protocol to the Institute of Electrical and Electronics Engineers [IEEE] in early 2014 for consideration as an industry standard.
On September 2, 2015, the Biometric Open Protocol Standard [BOPS 2410-2015] was officially approved by the IEEE, making it the only global industry standard that provides a functional framework for the implementation of biometrics in end-to-end identity authentication platforms. This milestone is important in that it marks the first time that any vendor has opened up its biometric algorithms to be ratified by an international organization. In addition, the biometric algorithms will be managed by a centrally recognized compliance organization moving forward, making the standard vendor-independent and allowing anyone to contribute to improvements.
BOPS delivers end-to-end infrastructure utilizing three core components: client software, a BOPS-compliant server and an Intrusion Detection System.
The client software resides on mobile devices, which millions of people already own and use on a daily basis, a key to widespread adoption and ease of implementation.
The BOPS server utilizes an open-source framework that leverages existing hardware, and has built-in classifying algorithms that search large stores of data in polynomial time to support faster and more accurate responses.
The Intrusion Detection System (IDS) identifies and tracks attempts at two-way SSL/TLS certificate forgery, impersonation, session replay, forged packets, and a variety of other attempts to circumvent the BOPS server. It also blacklists a subject or device that makes malicious access attempts, and has full audit capabilities that can be set up per user, group, action or role.
Security
In addition to being open and shareable, the standard eliminates the need for continued integration and management of multi-vendor solutions where security is only as good as the weakest link. Hackers have long exploited vulnerabilities in systems that authorize access to resources but don’t go the extra step to authenticate individuals. This is because authentication is often confused or used synonymously with the term authorization, yet they mean very different things when designing a secure biometrics technology solution.
Authorization refers to rules that determine who is allowed to perform an operation, and at what location and with what resources that person is allowed to perform it. Authentication is the process of ascertaining that the person is who they say they are. Once that person’s identity is validated, that person can then be linked to the role they are authorized to perform.
This distinction is critical. Utilizing passwords and PINs is a means of providing access, NOT a means to authenticate a person’s identity. Passwords are easily shared, and there is no reliable method to ensure that the person entering a user credential or swiping a badge or credit card is the person who is authorized to use them.
A true biometrics identity authentication solution MUST bind the person to the role they are authorized to perform, the location and/or resources they are given access to, and the device(s) they are authorized to use.
To do this, BOPS defines a Genesis process that identifies a subject irrespective of any downstream processing. Then, BOPS binds directly to the biometric during registration and carries that biometric throughout the entire transaction of creating the biometric identity (Genesis) and linking it to the devices and resources that the person is authorized to access (Enrollment). This includes authorization to devices, physical spaces, systems, sites, networks, assets, transactions and environments. BOPS supports enrollment of one person to many devices, multiple biometrics to one device and one device to many people, as needed.
This is different from solutions that use SAML and other frameworks, which don’t have the ability to identify the person in one transaction layer. SAML and other non-biometric solutions say nothing about Genesis or enrollment. Therefore, at least one additional layer is needed (and sometimes more) to process the non-biometric authentication method and create the biometric identity, and a separate transaction layer is needed to link the biometric identity to the authorization scheme. This introduces multiple fault points throughout the process, adds unneeded complexity and increases the security attack surface.
Another concern is the security of the biometric vector itself. BOPS splits the initial biometric vector supplied during registration between the client and the server, which is an important security feature in that a user’s data and the private key are never stored together. An enhancement to the Standard, known as BOPS2, encrypts each piece using visual cryptography, and generates the private key specific to a security certificate issued by the BOPS-compliant server and to a user identity. This allows a person to maintain multiple devices linked to his/her identity without creating duplicate identities on the server, and it also guarantees the security of the biometric vector.
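The split-storage idea above, as an added illustration that is not BOPS’s own algorithm or code (the standard’s actual construction is not described in this paper): 2-of-2 XOR secret sharing, the binary form of visual cryptography, applied to a constructed 16-byte stand-in for a biometric vector. It shows why a single compromised share, on the client or on the server, reveals nothing about the template.

```python
import hmac
import os

# Constructed sample: a toy 16-byte feature vector standing in for a real biometric template.
SAMPLE_TEMPLATE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("share length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_template(template: bytes):
    """Registration: return (client_share, server_share).

    The client share is fresh randomness and the server share is the template
    masked by it, so each half on its own is a uniformly random string and the
    template never exists in one place at rest.
    """
    client_share = os.urandom(len(template))
    server_share = xor_bytes(template, client_share)
    return client_share, server_share


def reconstruct(client_share: bytes, server_share: bytes) -> bytes:
    """Authentication: the template reappears only when both halves are combined."""
    return xor_bytes(client_share, server_share)


def consistent_client_share(server_share: bytes, any_template: bytes) -> bytes:
    """What a single stolen share tells an attacker: nothing. For every candidate
    template of the right length there is a client share that explains the
    server share, so the share alone does not narrow down the template."""
    return xor_bytes(server_share, any_template)


def verify(client_share: bytes, server_share: bytes, presented: bytes) -> bool:
    """Constant-time exact comparison of the reconstructed template with the
    presented one. Real biometric matching is fuzzy (feature distance under a
    threshold); exact match is an assumption made here for illustration."""
    return hmac.compare_digest(reconstruct(client_share, server_share), presented)
```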
Convenience
I have often said that one can have the best technology offering the highest levels of security, but if people don’t use it, does it really matter?
Technology today must be convenient and easy to use to facilitate widespread adoption. Period. End of story.
This is true no matter what the sector. A prime example is the financial services industry. With the explosive growth and usage of smartphones in recent years, financial institutions have begun implementing biometric solutions that allow their customers to process secure payment and other transactions on their mobile devices. Bank of America was an early leader – deploying an iris-based access control system back in 2010 – and many others have followed with solutions ranging from withdrawing cash at ATMs and proving identity in person or online to signing in to their mobile banking app with a fingerprint.
This trend is expected to continue over the next few years. A recent study by Goode Intelligence showed that by the end of 2015, approximately 450 million banking customers will use biometrics in various banking scenarios. By 2017, more than 1 billion people are expected to access banking services through biometric systems.[3]
This growth will lead to even more reliance on biometric technology as businesses continue to explore new ways to anticipate consumer demand and create key differentiators to gain a strategic advantage. The desire for simple, intuitive interfaces and robust feature sets will continue to need to be balanced against the requirement for strong security, especially in the financial services and mobile payments sectors.
One way to achieve this balance is to utilize technology solutions that allow for seamless integration into existing products and features, so that authentication is largely transparent to the user after initial registration. This is one of the advantages of using BOPS.
Behind the scenes, BOPS processes the three pieces of information needed to perform a visual decryption of the person’s biometric data: access to the server, receipt of the biometric vector and the source code. All user data and a unique client certificate are stored on the device for secure communication that works only with a BOPS-compliant server, which means that even if the pieces are compromised, the overall authentication will not allow access.
In addition to the behind-the-scenes processes, BOPS allows differing levels of security to be configured to balance the convenience of the user experience against the risks associated with a transaction. Levels are based on the combination of identity attributes linked to a user. For example, Level 1 may consist of the verification of ownership of one asset – such as a user being verified through SMS – while Level 4 may consist of physical verification of a document proving identity along with the user, e.g. a driver’s license or passport.
Each level can also be defined based on the risk of a transaction or group of transactions, with simpler transactions utilizing Level 1 and high-risk transactions utilizing Level 4, which provides the highest assurance in the binding between the entity (user) and the identity that is presented for authentication. This allows a business to customize its solution per its unique requirements, as well as design the appropriate balance between convenience and security.
Conclusion
Misinformation and confusion in the biometric technology space will become an even bigger problem in the future, as the application of biometrics becomes more widespread in a variety of sectors – including financial services, retail, telecommunications, government and technology – and as more governments and businesses experiment with the opportunities afforded by biometric technologies. In addition, more and more companies will jump on the bandwagon to provide solutions and fight for a share of the billions of dollars in revenue generated by the global biometrics market.
There is tremendous opportunity to use biometric technologies to protect and authenticate our digital identities, and it is critical for people using and evaluating biometric technologies to educate themselves on the fundamentals – and ask questions – in order to navigate through the deluge of information created by the various vendors in the biometrics space. Only by removing vendor bias will enterprises and consumers be able to knowledgeably select the biometrics solution that is best for them.
Footnotes:
[1] Industry Experts. Biometrics – A Global Market Overview. Jan 2015.
[2] Acuity Market Intelligence. The Global Biometrics and Mobility Report. June 2015.
[3] Goode Intelligence. Biometrics for Banking: Market and Technology Analysis, Adoption Strategies and Forecasts 2015-2020. June 2015.