Passwords are out, ‘persistent identity’ is in
A new research report from Mercator Advisory Group, Biometrics: A New Wrinkle Changes the Authentication Landscape, looks at the fundamentals of biometrics and predicts that the combination of voice and face recognition, and now the addition of behavioral biometrics, will drive rapid new innovation and tip the market in favor of mobile architecture.
“Behavioral dynamics will play an increasingly important [role] in establishing trust factors for the authenticating consumers’ identity across every channel and for establishing persistent identity,” Tim Sloane, vice president of payments innovation at Mercator and author of the report, said in a press release.
“With the introduction of new authentication factors, new secure mobile platforms, and software- and cloud-based authentication mechanisms, it will be extremely risky for banks to make an investment decision that includes hardware and requires five-plus years to achieve a positive return on investment.”
For persistent identity, authentication no longer entails just a single challenge event such as a fingerprint scan, but evolves into a passive trust value uniquely associated with an individual, Mercator said.
This trust value is constantly updated based on multiple factors, including location and passive sound (voice and ambiance) as well as facial recognition and a range of behavioral inputs.
With the mobile device an essential component in formulating this trust factor, it is highly likely that Apple and Google will be critical partners in consumer authentication for the majority of access control scenarios, Mercator said.
Keeping the credentials in the handset eliminates the honeypots that attract criminals, increases consumer trust, and converts the authentication infrastructure into a shared resource that will greatly lower deployment costs currently associated with all authentication solutions.
Other Mercator predictions:
- given the effectiveness of cybercriminals, security will continue to be at risk until passwords are eliminated;
- consumers are wary of biometrics today but will come to accept it just as they did mobile banking;
- Apple and Google will continue to upgrade and extend security and biometrics in hardware and operating systems and, given the visibility they have into the life of the device user, will have more data than all others for authenticating the individual;
- authentication will evolve from a single challenge event (e.g., a fingerprint reader) into a passive persistent identity trust value. This value will be based on factors including geolocation, known commute and work patterns, passive voice and face recognition, and a range of behavioral inputs. As these improve in verifying authenticity, the challenge event will become relatively rare, and specific to high-risk situations;
- smartphone technology is rapidly becoming more secure and broadly available in the U.S. As a result, biometric hardware deployed by financial institutions is likely to be obsolete in less than 5 years;
- Apple and Google solutions likely will become critical hardware and software authentication suppliers for most access control scenarios — devices, call centers, cloud, and application authentication needs;
- biometric tags and trust decisions should be held and calculated in the device to ensure consumer trust. Centralized repositories, no matter how secure, represent a liability from the consumer’s perspective;
- FIDO authentication architecture will establish a framework that moves much of the hardware and software into a shared asset resident on the mobile phone, which will greatly lower the cost of deploying authentication solutions; and
- financial institutions should plan for the biometric world, use the mobile device for authentication wherever possible, and avoid collecting biometric data in a central location where it would present a target for criminals.
One of 8 exhibits in the report.