Using Open Standards to Remove Vendor Bias
By Hector Hoyos
Biometrics and biometric technologies have taken front and center stage for
consumers and enterprises as more and more hacks are exposed, and businesses
explore new and better ways to secure their customers’ identities and data.
Yet, even as the use of biometrics has rapidly expanded and become more
mainstream – thanks to companies like Apple and the development of TouchID –
there are still misperceptions about the technology.
Many of these misperceptions stem from the proliferation of vendors that purport
themselves to be biometrics experts, who have created a glut of misinformation
touting their products in order to grab a share of the global biometrics market that
is expected to generate more than $30 billion in annual revenue by 2020 [1].
Each vendor claims to solve the identity management problem by using biometrics
to replace or reduce reliance on passwords – which have been universally
acknowledged to be difficult and costly to manage as well as prone to hacks and data
breaches. Each has also created a surfeit of marketing materials to support their
claims, leading to the aforementioned misperception.
For consumers and enterprises, wading through the sheer volume of marketing
information in order to understand the technology is a daunting prospect. So how
does one cut through the vendor bias to focus on the science of the biometrics?
The Identity Problem
Today, vendors have utilized vastly differing approaches to addressing identity and
access problems. Some have gone the way of vendor alliances – in which members
band together to create guidelines that advance common goals and interests. Others
have taken the approach of creating their own customized solutions utilizing
third-party open and closed frameworks that are still largely based on PINs and
passwords.
While at first glance these approaches may seem attractive, there is a fundamental
flaw in the design in that they depend on the willingness of vendors to work
together despite often-competing business interests and dependencies that may
shift over time as the global market changes. In a world where analysts have
predicted that there will be 4.8 billion biometrically enabled smart mobile devices
generating $6.2 billion in biometric sensor revenue, 5.4 billion biometric app
downloads generating $21.7 billion in annual revenues from direct purchase and
software development fees, and 807 billion biometrically secured payment and
non-payment transactions generating $6.7 billion in authentication fees by 2020 [2], that is
a major cause for concern. After all, history has proven that an ally today may be an
adversary tomorrow.
At Hoyos, we’ve chosen to eliminate reliance on any one vendor or group of vendors
by creating technology that can be openly and freely shared and developed upon by
whomever wishes to utilize it.
Hoyos has chosen that approach because, at the end of the day, the primary goal of
biometrics technology is identity authentication. Remember that biometrics tell us
that a person is who he or she claims to be with a high degree of assurance by
utilizing a person’s unique physical characteristics. In order to achieve this
authentication assurance at scale, and for any type of transaction and industry, a
solution must offer three things:
• Standardization to ensure interoperability between vendors, and an open
set of protocols on top of which a robust ecosystem of products and services
can be developed by anyone wishing to do so
• Security of the solution and the biometric vector itself to prevent hackers
from accessing and using a person’s data
• Convenience to ensure widespread adoption and continued usage
BOP as a Standard
The lack of interoperability of existing authentication solutions has long been
regarded as an industry-wide problem that stretches beyond the biometrics space,
and which directly relates to increasing instances of fraud across many sectors.
The Biometric Open Protocol was developed by Hoyos Labs to enable
interoperability between biometric products. At its core, it is a biometric neutral
protocol that allows for pluggable and interchangeable modules, including those
that provide identification, access control, authentication, role gathering and
auditing.
The protocol defines an end-to-end identity authentication platform and access
control infrastructure, integrating front and backend systems and including rules
governing secure communications within those environments, as well as the
protection of digital assets and identities – all of which are necessary to perform
server-based enhanced biometric security.
It was developed specifically to address issues directly pertaining to biometrics, as it
is fundamentally based on biometrics from the outset, unlike other identity
frameworks or protocols in existence today. Its open-source, RESTful API and
modular components enable integration with third-party biometric solutions, and it
can also plug into existing non-biometric authentication protocols, functioning as a
seamless bridge from legacy to new technology without requiring new hardware
purchases or lengthy implementation schedules. This essentially enables any device
to be controlled with biometrics, and allows solutions to be developed and deployed
in a cost-effective manner.
Ensuring interoperability, however, was only one of the goals of the
research. It was also very important that the technology be open and shareable. To
accomplish that, Hoyos submitted the protocol to the Institute of Electrical and
Electronics Engineers [IEEE] in early 2014 for consideration as an industry
standard.
On September 2, 2015, the Biometric Open Protocol Standard [BOPS 2410-2015]
was officially approved by the IEEE, making it the only global industry standard that
provides a functional framework for the implementation of biometrics in end-to-end
identity authentication platforms. This milestone is important in that it marks the
first time that any vendor has opened up their biometric algorithms to be ratified by
an international organization. In addition, the biometric algorithms will be managed
by a centrally recognized compliance organization moving forward, making it
vendor independent and allowing anyone to contribute to improvements.
BOPS delivers end-to-end infrastructure utilizing three core components: client
software, a BOPS-compliant server and an Intrusion Detection System.
The client software resides on mobile devices, which millions of people already own
and use on a daily basis, a key to widespread adoption and ease of implementation.
The BOPS server utilizes an open source framework that leverages existing
hardware, and has built-in classifying algorithms that search large stores of data in
polynomial time to support faster and more accurate responses.
The Intrusion Detection System (IDS) identifies and tracks attempts at two-way
SSL/TLS certificate forgery or impersonation, session replay, forged packets, and a
variety of other attempts to circumvent the BOPS server. It also blacklists a subject
or device that makes malicious access attempts, and has full audit capabilities that
can be set up per user, group, action or role.
Security
In addition to being open and sharable, the standard eliminates the need for
continued integration and management of multi-vendor solutions where security is
only as good as the weakest link. Hackers have long exploited vulnerabilities in
systems that authorize access to resources but don’t go the extra step to
authenticate individuals. This is due to the fact that authentication is often confused
or used synonymously with the term authorization, yet they mean very different
things when designing a secure biometrics technology solution.
Authorization refers to rules that determine who is allowed to perform an operation
and at what location and with what resources that person is allowed to perform it.
Authentication is the process of ascertaining that the person is who they say they
are. Once that person’s identity is validated, that person can then be linked to the
role they are authorized to perform.
This distinction is critical. Utilizing passwords and PINs is a means of providing
access, NOT a means to authenticate a person’s identity. Passwords are easily
shared, and there is no reliable method to ensure that the person entering a user
credential or swiping a badge or credit card is the person who is authorized to use
them.
A true biometrics identity authentication solution MUST bind the person to the role
they are authorized to perform, the location and/or resources they are given access
to and the device(s) they are authorized to use.
To do this, BOPS defines a Genesis process that identifies a subject irrespective of
any downstream processing. Then, BOPS binds directly to the biometric during
registration, which carries that biometric throughout the entire transaction of
creating the biometric identity (Genesis) and linking it to the devices and resources
that the person is authorized to access (Enrollment). This includes authorization to
devices, physical spaces, systems, sites, networks, assets, transactions and
environments. BOPS supports enrollment of one person to many devices, multiple
biometrics to one device and one device to many people, as needed.
This is different from solutions that use SAML and other frameworks, which don’t
have the ability to identify the person in one transaction layer. SAML and other non-
biometric solutions say nothing about Genesis or enrollment. Therefore, at least one
additional layer is needed (and sometimes more) to process the non-biometric
authentication method and create the biometric identity, and a separate transaction
layer is needed to link the biometric identity to the authorization scheme. This
introduces multiple fault points throughout the process, adds unneeded complexity
and increases the security attack surface.
Another concern is for the security of the biometric vector itself. BOPS splits the
initial biometric vector supplied during registration between the client and the
server, which is an important security feature in that a user’s data and the private
key are never stored together. An enhancement to the Standard, known as BOPS2,
encrypts each piece using visual cryptography, and generates the private key
specific to a security certificate issued by the BOPS-compliant server and to a user
identity. This allows a person to maintain multiple devices linked to his/her identity
without creating duplicate identities on the server, and it also guarantees the
security of the biometric vector.
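The property described above, that neither the client piece nor the server piece is useful alone, can be shown with the textbook Naor-Shamir (2,2) visual cryptography scheme applied to the bits of a vector. This is an added example, not code from BOPS or Hoyos Labs; the page does not specify the actual BOPS construction, and the function names and the sample vector are assumptions made for illustration.

```python
import secrets

# Each secret bit becomes a pair of subpixels with exactly one dark (1) subpixel.
PATTERNS = ((0, 1), (1, 0))


def to_bits(data):
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def from_bits(bits):
    """Pack a list of bits (MSB first) back into bytes."""
    if len(bits) % 8:
        raise ValueError("bit count must be a multiple of 8")
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def split_vector(vector, rng=None):
    """Split a vector into a client share and a server share.

    For every secret bit a random pattern goes to the client. The server
    receives the same pattern for a 0 bit and the complement for a 1 bit.
    """
    rng = rng or secrets.SystemRandom()
    client_share, server_share = [], []
    for bit in to_bits(vector):
        pattern = PATTERNS[rng.getrandbits(1)]
        partner = pattern if bit == 0 else (pattern[1], pattern[0])
        client_share.extend(pattern)
        server_share.extend(partner)
    return client_share, server_share


def is_balanced(share):
    """True when every subpixel pair holds exactly one dark subpixel.

    Pairs are drawn uniformly at random, so a single balanced share is
    statistically independent of the vector it was derived from.
    """
    if len(share) % 2:
        return False
    return all(share[i] + share[i + 1] == 1 for i in range(0, len(share), 2))


def stack(client_share, server_share):
    """Overlay both shares (logical OR) and read the vector back.

    Two dark subpixels decode to 1, one dark subpixel decodes to 0.
    Malformed or truncated shares are rejected instead of decoded.
    """
    if len(client_share) != len(server_share):
        raise ValueError("shares differ in length")
    if not (is_balanced(client_share) and is_balanced(server_share)):
        raise ValueError("malformed share")
    bits = []
    for i in range(0, len(client_share), 2):
        dark = (client_share[i] | server_share[i]) + \
               (client_share[i + 1] | server_share[i + 1])
        bits.append(1 if dark == 2 else 0)
    return from_bits(bits)


if __name__ == "__main__":
    # Constructed 16-byte stand-in for a biometric vector (not real data).
    vector = bytes(range(0x10, 0x20))
    client, server = split_vector(vector)
    print("client share balanced:", is_balanced(client))
    print("server share balanced:", is_balanced(server))
    print("stacked shares recover vector:", stack(client, server) == vector)
    # A server share from a different enrollment does not recover the vector.
    _, other_server = split_vector(vector)
    print("mismatched shares recover vector:",
          stack(client, other_server) == vector)
```

Each share is twice the bit length of the vector, which is the storage cost of this scheme. Stacking shares from two different enrollments decodes to unrelated bits rather than raising an error, so a real deployment would still need an integrity check on the reconstructed value.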
Convenience
I have often said that one can have the best technology offering the highest levels of
security but if people don’t use it, does it really matter?
Technology today must be convenient and easy to use to facilitate widespread
adoption. Period. End of Story.
This is true no matter what the sector. A prime example is the financial services
industry. With the explosive growth and usage of smartphones in recent years,
financial institutions have begun implementing biometric solutions that allow their
customers to process secure payment and other transactions on their mobile
devices. Bank of America was an early leader – deploying an iris-based access
control system back in 2010 – and many others have followed with solutions
ranging from withdrawing cash from ATMs, proving identity in person or online,
and authenticating into their mobile bank app using fingerprints.
This trend is expected to continue over the next few years. A recent study by Goode
Intelligence showed that by the end of 2015, approximately 450 million banking
customers will use biometrics in various banking scenarios. By 2017, more than 1
billion people are expected to access banking services through biometric systems [3].
This growth will lead to even more reliance on biometric technology as businesses
continue to explore new ways to anticipate consumer demand, and create key
differentiators to gain a strategic advantage. The desire for simple, intuitive
interfaces and robust feature sets will continue to need to be balanced against the
requirement for strong security, especially in the financial services and mobile
payments sectors.
One way to achieve this balance is to utilize technology solutions that allow for
seamless integration into existing products and features so that authentication is
largely transparent to the user after initial registration. This is one of the advantages of
using BOPS.
Behind the scenes, BOPS processes the three pieces of information needed to
perform a visual decryption of the person’s biometric data: access to the server,
receipt of the biometric vector and the source code. All user data and a unique client
certificate are stored on the device for secure communication that works only with a
BOPS-compliant server, which means that even if the pieces are compromised, the
net authentication will not allow access.
In addition to the behind-the-scenes processes, BOPS allows differing levels of
security to be configured to balance the convenience of the user experience against
risks associated with a transaction. Levels are based on the combination of identity
attributes linked to a user. For example, Level 1 may consist of the verification of
ownership of 1 asset – such as a user being verified through SMS – while Level 4 may
consist of physical verification of a document providing identity along with the user,
e.g. a driver’s license or passport.
Each level can also be defined based on the risk of a transaction or group of
transactions, with simpler transactions utilizing Level 1 and high-risk transactions
utilizing Level 4, which provides the highest assurance in the binding between the
entity (user) and the identity that is presented for authentication. This allows a
business to customize their solution per their unique requirements, as well as
design the appropriate balance between convenience and security.
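The binding of person, device, role and resource described in the Security section, combined with the risk-based levels described above, can be sketched as a single access decision. This is an added example, not part of the BOPS standard or the original paper; the class, function, subject, device, resource and transaction names are hypothetical, and only Level 1 and Level 4 come from the text.

```python
from dataclasses import dataclass, field

# Constructed mapping of transaction type to the minimum level it requires.
REQUIRED_LEVEL = {"balance_inquiry": 1, "wire_transfer": 4}


@dataclass
class Registry:
    subjects: set = field(default_factory=set)      # identities created at Genesis
    enrollments: set = field(default_factory=set)   # (subject, device) bindings
    roles: dict = field(default_factory=dict)       # subject -> set of roles
    grants: dict = field(default_factory=dict)      # role -> set of resources
    blacklisted_devices: set = field(default_factory=set)

    def genesis(self, subject):
        self.subjects.add(subject)

    def enroll(self, subject, device):
        # Enrollment links an existing identity to a device, never the reverse.
        if subject not in self.subjects:
            raise KeyError("Genesis must precede Enrollment")
        self.enrollments.add((subject, device))

    def assign(self, subject, role, resources):
        self.roles.setdefault(subject, set()).add(role)
        self.grants.setdefault(role, set()).update(resources)


def decide(reg, subject, device, biometric_match, achieved_level,
           resource, transaction):
    """Return (allowed, reason). Authentication checks run before authorization."""
    if device in reg.blacklisted_devices:
        return False, "device blacklisted"
    if subject not in reg.subjects:
        return False, "unknown subject"
    if (subject, device) not in reg.enrollments:
        return False, "device not enrolled for subject"
    if not biometric_match:
        return False, "authentication failed"
    # Only an authenticated subject is linked to the roles they hold.
    allowed = set()
    for role in reg.roles.get(subject, ()):
        allowed |= reg.grants.get(role, set())
    if resource not in allowed:
        return False, "role does not grant resource"
    required = REQUIRED_LEVEL.get(transaction)
    if required is None:
        return False, "unknown transaction"  # deny by default
    if achieved_level < required:
        return False, f"step-up required: level {required}"
    return True, "allow"


def sample_registry():
    """Constructed data: one person on two devices, one device shared by two people."""
    reg = Registry()
    for subject in ("alice", "bob"):
        reg.genesis(subject)
    reg.enroll("alice", "phone-A")
    reg.enroll("alice", "tablet-B")
    reg.enroll("bob", "tablet-B")
    reg.assign("alice", "teller", {"accounts"})
    reg.assign("bob", "auditor", {"audit_log"})
    return reg


if __name__ == "__main__":
    reg = sample_registry()
    cases = [
        ("alice", "phone-A", True, 1, "accounts", "balance_inquiry"),
        ("alice", "phone-X", True, 4, "accounts", "balance_inquiry"),
        ("bob", "tablet-B", True, 4, "accounts", "balance_inquiry"),
        ("alice", "tablet-B", True, 1, "accounts", "wire_transfer"),
    ]
    for case in cases:
        print(case, "->", decide(reg, *case))
```

The second case is the one a password alone cannot catch: the subject and the role are valid, but the device was never enrolled for that person.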
Conclusion
Misinformation and confusion in the biometric technology space will become an
even bigger problem in the future, as the application of biometrics becomes more
widespread in a variety of sectors – including financial services, retail,
telecommunications, government and technology – and as more governments and
businesses experiment with the opportunities afforded by biometric technologies.
In addition, more and more companies will jump on the bandwagon to provide
solutions and fight for a share of the billions of dollars in revenue generated by the
global biometrics market.
There is tremendous opportunity to use biometric technologies to protect and
authenticate our digital identities, and it is critical for people using and evaluating
biometric technologies to educate themselves on the fundamentals – and ask
questions – in order to navigate through the deluge of information created by the
various vendors in the biometrics space. Only by removing vendor bias will
enterprises and consumers be able to knowledgeably select the biometrics solution
that is best for them.
Footnotes:
1. Industry Experts. Biometrics – A Global Market Overview. Jan 2015.
2. Acuity Market Intelligence. The Global Biometrics and Mobility Report. June 2015.
3. Goode Intelligence. Biometrics for Banking: Market and Technology Analysis,
Adoption Strategies and Forecasts 2015-2020. June 2015.

More Related Content

What's hot

GSMA-Mobile-Identity_Case-Study_Dialog-Connect_May2013
GSMA-Mobile-Identity_Case-Study_Dialog-Connect_May2013GSMA-Mobile-Identity_Case-Study_Dialog-Connect_May2013
GSMA-Mobile-Identity_Case-Study_Dialog-Connect_May2013Alix Murphy
 
10 technology trends to watch in the COVID- 19 pandemic
10 technology trends to watch in the COVID- 19 pandemic10 technology trends to watch in the COVID- 19 pandemic
10 technology trends to watch in the COVID- 19 pandemicLora Berr
 
ThingsCon: Trustable Tech Mark (10 Oct 2018)
ThingsCon: Trustable Tech Mark (10 Oct 2018)ThingsCon: Trustable Tech Mark (10 Oct 2018)
ThingsCon: Trustable Tech Mark (10 Oct 2018)Peter Bihr
 
Bio metrics in secure e transaction
Bio metrics in secure e transactionBio metrics in secure e transaction
Bio metrics in secure e transactionIJARIIT
 
The future of digital identity 2019 future agenda
The future of digital identity 2019   future agendaThe future of digital identity 2019   future agenda
The future of digital identity 2019 future agendaFuture Agenda
 
Trustable Tech mark (10 August 2018)
Trustable Tech mark (10 August 2018)Trustable Tech mark (10 August 2018)
Trustable Tech mark (10 August 2018)Peter Bihr
 
National identity schemes - digital identity - national ID - eGovernment
National identity schemes - digital identity - national ID - eGovernmentNational identity schemes - digital identity - national ID - eGovernment
National identity schemes - digital identity - national ID - eGovernmentEric BILLIAERT
 
NXT-ID, Inc.'s (OTCQB:NXTD) Presentation
NXT-ID, Inc.'s (OTCQB:NXTD) PresentationNXT-ID, Inc.'s (OTCQB:NXTD) Presentation
NXT-ID, Inc.'s (OTCQB:NXTD) PresentationInvestorideas.com
 
The Six Biggest Blockchain Trends Everyone Should Know About In 2021
The Six Biggest Blockchain Trends Everyone Should Know About In 2021The Six Biggest Blockchain Trends Everyone Should Know About In 2021
The Six Biggest Blockchain Trends Everyone Should Know About In 2021Bernard Marr
 
Future of digital identity Programme summary - 15 dec 2018 lr
Future of digital identity  Programme summary - 15 dec 2018 lrFuture of digital identity  Programme summary - 15 dec 2018 lr
Future of digital identity Programme summary - 15 dec 2018 lrFuture Agenda
 
The 5 Biggest Blockchain And Distributed Ledger Trends Everyone Should Be Wat...
The 5 Biggest Blockchain And Distributed Ledger Trends Everyone Should Be Wat...The 5 Biggest Blockchain And Distributed Ledger Trends Everyone Should Be Wat...
The 5 Biggest Blockchain And Distributed Ledger Trends Everyone Should Be Wat...Bernard Marr
 
The Trustable Technology Mark
The Trustable Technology MarkThe Trustable Technology Mark
The Trustable Technology MarkPeter Bihr
 
Creative Computing: how artificial intelligence could augment designer’s deci...
Creative Computing: how artificial intelligence could augment designer’s deci...Creative Computing: how artificial intelligence could augment designer’s deci...
Creative Computing: how artificial intelligence could augment designer’s deci...Pietro Leo
 
Identity progress-linked-digital-world
Identity progress-linked-digital-worldIdentity progress-linked-digital-world
Identity progress-linked-digital-worldMEDICI
 
How Testing FinTech Supports Catering to the Baby Boomers
   How Testing FinTech Supports Catering to the Baby Boomers   How Testing FinTech Supports Catering to the Baby Boomers
How Testing FinTech Supports Catering to the Baby BoomersCigniti Technologies Ltd
 
The future of digital identity initial perspective
The future of digital identity   initial perspectiveThe future of digital identity   initial perspective
The future of digital identity initial perspectiveFuture Agenda
 
Accelerating the creation and deployment of e-Government services by ensuring...
Accelerating the creation and deployment of e-Government services by ensuring...Accelerating the creation and deployment of e-Government services by ensuring...
Accelerating the creation and deployment of e-Government services by ensuring...Secure Identity Alliance
 
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...Ubisecure
 
Top 08 IoT Trends to Watch Out in 2020 (Top IoT Trends + Digital Transformati...
Top 08 IoT Trends to Watch Out in 2020 (Top IoT Trends + Digital Transformati...Top 08 IoT Trends to Watch Out in 2020 (Top IoT Trends + Digital Transformati...
Top 08 IoT Trends to Watch Out in 2020 (Top IoT Trends + Digital Transformati...Katy Slemon
 
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Investorideas.com
 

What's hot (20)

GSMA-Mobile-Identity_Case-Study_Dialog-Connect_May2013
GSMA-Mobile-Identity_Case-Study_Dialog-Connect_May2013GSMA-Mobile-Identity_Case-Study_Dialog-Connect_May2013
GSMA-Mobile-Identity_Case-Study_Dialog-Connect_May2013
 
10 technology trends to watch in the COVID- 19 pandemic
10 technology trends to watch in the COVID- 19 pandemic10 technology trends to watch in the COVID- 19 pandemic
10 technology trends to watch in the COVID- 19 pandemic
 
ThingsCon: Trustable Tech Mark (10 Oct 2018)
ThingsCon: Trustable Tech Mark (10 Oct 2018)ThingsCon: Trustable Tech Mark (10 Oct 2018)
ThingsCon: Trustable Tech Mark (10 Oct 2018)
 
Bio metrics in secure e transaction
Bio metrics in secure e transactionBio metrics in secure e transaction
Bio metrics in secure e transaction
 
The future of digital identity 2019 future agenda
The future of digital identity 2019   future agendaThe future of digital identity 2019   future agenda
The future of digital identity 2019 future agenda
 
Trustable Tech mark (10 August 2018)
Trustable Tech mark (10 August 2018)Trustable Tech mark (10 August 2018)
Trustable Tech mark (10 August 2018)
 
National identity schemes - digital identity - national ID - eGovernment
National identity schemes - digital identity - national ID - eGovernmentNational identity schemes - digital identity - national ID - eGovernment
National identity schemes - digital identity - national ID - eGovernment
 
NXT-ID, Inc.'s (OTCQB:NXTD) Presentation
NXT-ID, Inc.'s (OTCQB:NXTD) PresentationNXT-ID, Inc.'s (OTCQB:NXTD) Presentation
NXT-ID, Inc.'s (OTCQB:NXTD) Presentation
 
The Six Biggest Blockchain Trends Everyone Should Know About In 2021
The Six Biggest Blockchain Trends Everyone Should Know About In 2021The Six Biggest Blockchain Trends Everyone Should Know About In 2021
The Six Biggest Blockchain Trends Everyone Should Know About In 2021
 
Future of digital identity Programme summary - 15 dec 2018 lr
Future of digital identity  Programme summary - 15 dec 2018 lrFuture of digital identity  Programme summary - 15 dec 2018 lr
Future of digital identity Programme summary - 15 dec 2018 lr
 
The 5 Biggest Blockchain And Distributed Ledger Trends Everyone Should Be Wat...
The 5 Biggest Blockchain And Distributed Ledger Trends Everyone Should Be Wat...The 5 Biggest Blockchain And Distributed Ledger Trends Everyone Should Be Wat...
The 5 Biggest Blockchain And Distributed Ledger Trends Everyone Should Be Wat...
 
The Trustable Technology Mark
The Trustable Technology MarkThe Trustable Technology Mark
The Trustable Technology Mark
 
Creative Computing: how artificial intelligence could augment designer’s deci...
Creative Computing: how artificial intelligence could augment designer’s deci...Creative Computing: how artificial intelligence could augment designer’s deci...
Creative Computing: how artificial intelligence could augment designer’s deci...
 
Identity progress-linked-digital-world
Identity progress-linked-digital-worldIdentity progress-linked-digital-world
Identity progress-linked-digital-world
 
How Testing FinTech Supports Catering to the Baby Boomers
   How Testing FinTech Supports Catering to the Baby Boomers   How Testing FinTech Supports Catering to the Baby Boomers
How Testing FinTech Supports Catering to the Baby Boomers
 
The future of digital identity initial perspective
The future of digital identity   initial perspectiveThe future of digital identity   initial perspective
The future of digital identity initial perspective
 
Accelerating the creation and deployment of e-Government services by ensuring...
Accelerating the creation and deployment of e-Government services by ensuring...Accelerating the creation and deployment of e-Government services by ensuring...
Accelerating the creation and deployment of e-Government services by ensuring...
 
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
GSMA - How To Combine Cross-border eID Recognition With Convenience For Users...
 
Top 08 IoT Trends to Watch Out in 2020 (Top IoT Trends + Digital Transformati...
Top 08 IoT Trends to Watch Out in 2020 (Top IoT Trends + Digital Transformati...Top 08 IoT Trends to Watch Out in 2020 (Top IoT Trends + Digital Transformati...
Top 08 IoT Trends to Watch Out in 2020 (Top IoT Trends + Digital Transformati...
 
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
 

Similar to Removing Vendor Bias with Open Biometric Standards

Identiy Authentication White Paper
Identiy Authentication White PaperIdentiy Authentication White Paper
Identiy Authentication White PaperHector Hoyos
 
Regulatory Affairs for Voice Biometric.pdf
Regulatory Affairs for Voice Biometric.pdfRegulatory Affairs for Voice Biometric.pdf
Regulatory Affairs for Voice Biometric.pdfBahaa Abdulhadi
 
Multi-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and ApproachMulti-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and ApproachJigisha Aryya
 
CB insights: How Blockchain Technology Could Disrupt Healthcare
CB insights: How Blockchain Technology Could Disrupt HealthcareCB insights: How Blockchain Technology Could Disrupt Healthcare
CB insights: How Blockchain Technology Could Disrupt HealthcareLevi Shapiro
 
PharmaLedger: A Digital Trust Ecosystem for Healthcare
PharmaLedger: A Digital Trust Ecosystem for HealthcarePharmaLedger: A Digital Trust Ecosystem for Healthcare
PharmaLedger: A Digital Trust Ecosystem for HealthcareSSIMeetup
 
Ten Blockchain Applications
Ten Blockchain ApplicationsTen Blockchain Applications
Ten Blockchain ApplicationsAhmed Banafa
 
Biometrics and authentication webinar v3
Biometrics and authentication webinar v3Biometrics and authentication webinar v3
Biometrics and authentication webinar v3DigitalPersona
 
NEO DevCon 2019 - Blockchain Use Cases and Enterprise Needs
NEO DevCon 2019 - Blockchain Use Cases and Enterprise Needs NEO DevCon 2019 - Blockchain Use Cases and Enterprise Needs
NEO DevCon 2019 - Blockchain Use Cases and Enterprise Needs Pablo Junco
 
"Does blockchain hold the key to a new age of supply chain transparency and t...
"Does blockchain hold the key to a new age of supply chain transparency and t..."Does blockchain hold the key to a new age of supply chain transparency and t...
"Does blockchain hold the key to a new age of supply chain transparency and t...eraser Juan José Calderón
 
The future of identity verification predictions and trends in blockchain tech...
The future of identity verification predictions and trends in blockchain tech...The future of identity verification predictions and trends in blockchain tech...
The future of identity verification predictions and trends in blockchain tech...Techgropse Pvt.Ltd.
 
Blockchain Bootcamp - Leadership Edition
Blockchain Bootcamp - Leadership EditionBlockchain Bootcamp - Leadership Edition
Blockchain Bootcamp - Leadership EditionFarhan Farrukh
 
Open Source Governance in Highly Regulated Companies
Open Source Governance in Highly Regulated CompaniesOpen Source Governance in Highly Regulated Companies
Open Source Governance in Highly Regulated Companiesiasaglobal
 
The Rise of Behavioral Biometrics and Its Potential Applications.pdf
The Rise of Behavioral Biometrics and Its Potential Applications.pdfThe Rise of Behavioral Biometrics and Its Potential Applications.pdf
The Rise of Behavioral Biometrics and Its Potential Applications.pdfBahaa Abdulhadi
 
Hazards of Biometric Authentication in Practice
Hazards of Biometric Authentication in PracticeHazards of Biometric Authentication in Practice
Hazards of Biometric Authentication in PracticeITIIIndustries
 
76 s201923
76 s20192376 s201923
76 s201923IJRAT
 

Similar to Removing Vendor Bias with Open Biometric Standards (20)

Identiy Authentication White Paper
Identiy Authentication White PaperIdentiy Authentication White Paper
Identiy Authentication White Paper
 
Regulatory Affairs for Voice Biometric.pdf
Regulatory Affairs for Voice Biometric.pdfRegulatory Affairs for Voice Biometric.pdf
Regulatory Affairs for Voice Biometric.pdf
 
Biometrics
BiometricsBiometrics
Biometrics
 
Multi-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and ApproachMulti-factor Implicit Biometric Authentication: Analysis and Approach
Multi-factor Implicit Biometric Authentication: Analysis and Approach
 
CB insights: How Blockchain Technology Could Disrupt Healthcare
CB insights: How Blockchain Technology Could Disrupt HealthcareCB insights: How Blockchain Technology Could Disrupt Healthcare
CB insights: How Blockchain Technology Could Disrupt Healthcare
 
PharmaLedger: A Digital Trust Ecosystem for Healthcare
PharmaLedger: A Digital Trust Ecosystem for HealthcarePharmaLedger: A Digital Trust Ecosystem for Healthcare
PharmaLedger: A Digital Trust Ecosystem for Healthcare
 
Ten Blockchain Applications
Ten Blockchain ApplicationsTen Blockchain Applications
Ten Blockchain Applications
 

Removing Vendor Bias with Open Biometric Standards

  • 1. Using Open Standards to Remove Vendor Bias
By Hector Hoyos

Biometrics and biometric technologies have taken front and center stage for consumers and enterprises as more and more hacks are exposed, and businesses explore new and better ways to secure their customers’ identities and data. Yet, even as the use of biometrics has rapidly expanded and become more mainstream – thanks to companies like Apple and the development of TouchID – there are still misperceptions about the technology.

Many of these misperceptions stem from the proliferation of vendors that purport themselves to be biometrics experts, who have created a glut of misinformation touting their products in order to grab a share of the global biometrics market that is expected to generate more than $30 billion in annual revenue by 2020.[1]

Each vendor claims to solve the identity management problem by using biometrics to replace or reduce reliance on passwords – which have been universally acknowledged to be difficult and costly to manage as well as prone to hacks and data breaches. Each has also created a surfeit of marketing materials to support their claims, leading to the aforementioned misperception.

For consumers and enterprises, wading through the sheer volume of marketing information in order to understand the technology is a daunting prospect. So how does one cut through the vendor bias to focus on the science of the biometrics?

The Identity Problem

Today, vendors have utilized vastly differing approaches to addressing identity and access problems. Some have gone the way of vendor alliances – in which members band together to create guidelines that advance common goals and interests. Others have taken the approach of creating their own customized solutions utilizing third-party open and closed frameworks that are still largely based on PINs and passwords.

While at first glance these approaches may seem attractive, there is a fundamental flaw in the design in that they depend on the willingness of vendors to work together despite often-competing business interests and dependencies that may shift over time as the global market changes.

In a world where analysts have predicted that there will be 4.8 billion biometrically enabled smart mobile devices generating $6.2 billion in biometric sensor revenue, 5.4 billion biometric app downloads generating $21.7 billion in annual revenues from direct purchase and
  • 2. software development fees, and 807 billion biometrically secured payment and non-payment transactions generating $6.7 billion in authentication fees by 2020,[2] that is a major cause for concern. After all, history has proven that an ally today may be an adversary tomorrow.

At Hoyos, we’ve chosen to eliminate reliance on any one vendor or group of vendors by creating technology that can be openly and freely shared and developed upon by whomever wishes to utilize it.

Hoyos has chosen that approach because, at the end of the day, the primary goal of biometrics technology is identity authentication. Remember that biometrics tell us that a person is who he or she claims to be with a high degree of assurance by utilizing a person’s unique physical characteristics. In order to achieve this authentication assurance at scale, and for any type of transaction and industry, a solution must offer three things:

    - Standardization to ensure interoperability between vendors, and an open set of protocols on top of which a robust ecosystem of products and services can be developed by anyone wishing to do so
    - Security of the solution and the biometric vector itself to prevent hackers from accessing and using a person’s data
    - Convenience to ensure widespread adoption and continued usage

BOP as a Standard

The lack of interoperability of existing authentication solutions has long been regarded as an industry-wide problem that stretches beyond the biometrics space, and which directly relates to increasing instances of fraud across many sectors.

The Biometric Open Protocol was developed by Hoyos Labs to enable interoperability between biometric products. At its core, it is a biometric-neutral protocol that allows for pluggable and interchangeable modules, including those that provide identification, access control, authentication, role gathering and auditing.

The protocol defines an end-to-end identity authentication platform and access control infrastructure, integrating front and backend systems and including rules governing secure communications within those environments, as well as the protection of digital assets and identities – all of which are necessary to perform server-based enhanced biometric security.

It was developed to specifically address issues directly pertaining to biometrics, as it is fundamentally based on biometrics from the outset, unlike other identity frameworks or protocols in existence today. Its open-source, RESTful API and
  • 3. modular components enable integration with third-party biometric solutions, and it can also plug into existing non-biometric authentication protocols, functioning as a seamless bridge from legacy to new technology without requiring new hardware purchases or lengthy implementation schedules. This essentially enables any device to be controlled with biometrics, and solutions that can be developed and deployed in a cost-effective manner.

Ensuring interoperability, however, was only one of the goals of the research. It was also very important that the technology be open and shareable. To accomplish that, Hoyos submitted the protocol to the Institute of Electrical and Electronics Engineers [IEEE] in early 2014 for consideration as an industry standard.

On September 2, 2015, the Biometric Open Protocol Standard [BOPS 2410-2015] was officially approved by the IEEE, making it the only global industry standard that provides a functional framework for the implementation of biometrics in end-to-end identity authentication platforms.

This milestone is important in that it marks the first time that any vendor has opened up their biometric algorithms to be ratified by an international organization. In addition, the biometric algorithms will be managed by a centrally recognized compliance organization moving forward, making it vendor independent and allowing anyone to contribute to improvements.

BOPS delivers end-to-end infrastructure utilizing three core components: client software, a BOPS-compliant server and an Intrusion Detection System.

The client software resides on mobile devices, which millions of people already own and use on a daily basis, a key to widespread adoption and ease of implementation.

The BOPS server utilizes an open source framework that leverages existing hardware, and has built-in classifying algorithms that search large stores of data in polynomial time to support faster and more accurate responses.

The Intrusion Detection System (IDS) identifies and tracks attempts to forge two-way SSL/TLS certificate impersonation, session replay, forged packets, and a variety of other attempts to circumvent the BOPS server. It also blacklists a subject or device that makes malicious access attempts, and has full audit capabilities that can be set up per user, group, action or role.
  • 4. Security

In addition to being open and shareable, the standard eliminates the need for continued integration and management of multi-vendor solutions where security is only as good as the weakest link.

Hackers have long exploited vulnerabilities in systems that authorize access to resources but don’t go the extra step to authenticate individuals. This is due to the fact that authentication is often confused or used synonymously with the term authorization, yet they mean very different things when designing a secure biometrics technology solution.

Authorization refers to rules that determine who is allowed to perform an operation and at what location and with what resources that person is allowed to perform it. Authentication is the process of ascertaining that the person is who they say they are. Once that person’s identity is validated, that person can then be linked to the role they are authorized to perform.

This distinction is critical. Utilizing passwords and PINs is a means of providing access, NOT a means to authenticate a person’s identity. Passwords are easily shared, and there is no reliable method to ensure that the person entering a user credential or swiping a badge or credit card is the person who is authorized to use them.

A true biometrics identity authentication solution MUST bind the person to the role they are authorized to perform, the location and/or resources they are given access to and the device(s) they are authorized to use.

To do this, BOPS defines a Genesis process that identifies a subject irrespective of any downstream processing. Then, BOPS binds directly to the biometric during registration, which carries that biometric throughout the entire transaction of creating the biometric identity (Genesis) and linking it to the devices and resources that the person is authorized to access (Enrollment). This includes authorization to devices, physical spaces, systems, sites, networks, assets, transactions and environments.

BOPS supports enrollment of one person to many devices, multiple biometrics to one device and one device to many people, as needed.

This is different from solutions that use SAML and other frameworks, which don’t have the ability to identify the person in one transaction layer. SAML and other non-biometric solutions say nothing about Genesis or enrollment. Therefore, at least one additional layer is needed (and sometimes more) to process the non-biometric authentication method and create the biometric identity, and a separate transaction layer is needed to link the biometric identity to the authorization scheme. This introduces multiple fault points throughout the process, adds unneeded complexity and increases the security attack surface.
  • 5. Another concern is for the security of the biometric vector itself. BOPS splits the initial biometric vector supplied during registration between the client and the server, which is an important security feature in that a user’s data and the private key are never stored together.

An enhancement to the Standard, known as BOPS2, encrypts each piece using visual cryptography, and generates the private key specific to a security certificate issued by the BOPS-compliant server and to a user identity. This allows a person to maintain multiple devices linked to his/her identity without creating duplicate identities on the server, and it also guarantees the security of the biometric vector.

Convenience

I have often said that one can have the best technology offering the highest levels of security but if people don’t use it, does it really matter? Technology today must be convenient and easy to use to facilitate widespread adoption. Period. End of Story.

This is true no matter what the sector. A prime example is the financial services industry. With the explosive growth and usage of smartphones in recent years, financial institutions have begun implementing biometric solutions that allow their customers to process secure payment and other transactions on their mobile devices.

Bank of America was an early leader – deploying an iris-based access control system back in 2010 – and many others have followed with solutions ranging from withdrawing cash from ATMs, proving identity in person or online, and authenticating into their mobile bank app using fingerprints.

This trend is expected to continue over the next few years. A recent study by Goode Intelligence showed that by the end of 2015, approximately 450 million banking customers will use biometrics in various banking scenarios. By 2017, more than 1 billion people are expected to access banking services through biometric systems.[3]

This growth will lead to even more reliance on biometric technology as businesses continue to explore new ways to anticipate consumer demand, and create key differentiators to gain a strategic advantage.

The desire for simple, intuitive interfaces and robust feature sets will continue to need to be balanced against the requirement for strong security, especially in the financial services and mobile payments sectors. One way to achieve this balance is to utilize technology solutions that allow for seamless integration into existing products and features so that authentication is largely transparent to the user after initial registration. This is one of the advantages of using BOPS.
  • 6. Behind the scenes, BOPS processes the three pieces of information needed to perform a visual decryption of the person’s biometric data: access to the server, receipt of the biometric vector and the source code. All user data and a unique client certificate are stored on the device for secure communication that works only with a BOPS-compliant server, which means that even if the pieces are compromised, the net authentication will not allow access.

In addition to the behind-the-scenes processes, BOPS allows differing levels of security to be configured to balance the convenience of the user experience against risks associated with a transaction. Levels are based on the combination of identity attributes linked to a user. For example, Level 1 may consist of the verification of ownership of one asset – such as a user being verified through SMS – while Level 4 may consist of physical verification of a document providing identity along with the user, e.g. a driver’s license or passport.

Each level can also be defined based on the risk of a transaction or group of transactions, with simpler transactions utilizing Level 1 and high-risk transactions utilizing Level 4, which provides the highest assurance in the binding between the entity (user) and the identity that is presented for authentication. This allows a business to customize their solution per their unique requirements, as well as design the appropriate balance between convenience and security.

Conclusion

Misinformation and confusion in the biometric technology space will become an even bigger problem in the future, as the application of biometrics becomes more widespread in a variety of sectors – including financial services, retail, telecommunications, government and technology – and as more governments and businesses experiment with the opportunities afforded by biometric technologies.

In addition, more and more companies will jump on the bandwagon to provide solutions and fight for a share of the billions of dollars in revenue generated by the global biometrics market.

There is tremendous opportunity to use biometric technologies to protect and authenticate our digital identities, and it is critical for people using and evaluating biometric technologies to educate themselves on the fundamentals – and ask questions – in order to navigate through the deluge of information created by the various vendors in the biometrics space. Only by removing vendor bias will enterprises and consumers be able to knowledgeably select the biometrics solution that is best for them.
  • 7. Footnotes:
1. Industry Experts. Biometrics – A Global Market Overview. Jan 2015.
2. Acuity Market Intelligence. The Global Biometrics and Mobility Report. June 2015.
3. Goode Intelligence. Biometrics for Banking: Market and Technology Analysis, Adoption Strategies and Forecasts 2015-2020. June 2015.
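
The client/server split of the biometric vector described under Security can be illustrated with a (2,2) visual secret-sharing scheme in the style of Naor and Shamir, where each share alone carries no information about the template. This is an added example, not code from BOPS or Hoyos Labs: the page does not specify the BOPS algorithm, so the choice of scheme, the binarized template and all function names are assumptions.

```python
import secrets

# Naor-Shamir (2,2) visual sharing, 2 subpixels per template bit (assumed scheme).
PATTERNS = ((0, 1), (1, 0))

def _server_block(client_block, bit):
    # Same pattern encodes 0 ("white"), complementary pattern encodes 1 ("black").
    return client_block if bit == 0 else (1 - client_block[0], 1 - client_block[1])

def split(template_bits):
    """Split a binary template into a client share and a server share."""
    client, server = [], []
    for bit in template_bits:
        block = PATTERNS[secrets.randbelow(2)]   # fresh randomness per bit
        client.extend(block)
        server.extend(_server_block(block, bit))
    return client, server

def recover(client, server):
    """Stack the shares (pixel-wise OR) and decode; reject malformed shares."""
    if len(client) != len(server) or len(client) % 2:
        raise ValueError("shares must have equal, even length")
    bits = []
    for i in range(0, len(client), 2):
        # A well-formed share block always has exactly one dark subpixel.
        if client[i] + client[i + 1] != 1 or server[i] + server[i + 1] != 1:
            raise ValueError(f"malformed share block at bit {i // 2}")
        dark = (client[i] | server[i]) + (client[i + 1] | server[i + 1])
        bits.append(1 if dark == 2 else 0)       # 2 dark = black = 1, 1 dark = white = 0
    return bits

def possible_server_blocks(bit):
    """All server blocks that can arise for a given secret bit."""
    return sorted({_server_block(p, bit) for p in PATTERNS})

if __name__ == "__main__":
    template = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed sample, not real biometric data
    client_share, server_share = split(template)
    print("client share:", client_share)
    print("server share:", server_share)
    print("recovered   :", recover(client_share, server_share))
    # The server sees the same block distribution whether the bit is 0 or 1.
    print("server view :", possible_server_blocks(0), possible_server_blocks(1))
```

The identical output of `possible_server_blocks` for both bit values is what keeps a stolen server share, or a stolen device share, useless on its own.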