Quality biometric solutions provide outstanding security with a seamless UX. This makes it appealing for use cases ranging from state-of-the-art access control for critical government infrastructure, to something as routine as unlocking your phone. However, this diversity of use cases brings its own challenges. The varying needs of different applications, coupled with the speed with which the technology has developed, has created a fragmented ecosystem with little standardisation.
Many emerging use cases rely on the biometric capabilities of consumer’s own commercially available off the shelf (COTS) device. Android platform recognized this and has laid the groundwork to enfranchise device manufacturers and biometric solution vendors to create the next generation of state-of-the-art authentication products. And it does so just in time. Artificial Intelligence has transformed the biometric security battleground, and it is vital that stakeholders understand both the threats they face, and the steps that must be taken to meet them head on.
The changing threat landscape.
Biometric authentication is based around using an individual’s unique identifiers such as their iris, fingerprint, or face to provide an additional data point to verify identity. When launched, it was praised for the infallibility and security it provided as biometric data was, quite literally, always ‘on hand’ for users, but it couldn’t be lost or stolen.
Except now it can. Easily.
Artificial Intelligence, or AI, has unlocked a host of efficiencies in our life, specifically in data management and customer experience. However, these same AI tools are also readily available to fraudsters who can use them to execute devastating attacks. For example, photos can be taken from a user’s social media and in a matter of moments be transformed into a deepfake video to be used in an injection attack that aims to spoof facial recognition technologies and gain access to private data.
Meanwhile, AI is also being used to work through extensive data caches to locate and exploit any vulnerability in a security system. This has caused a rapid expansion in both the scale and sophistication of cyberattacks.
Stakeholders throughout the authentication ecosystem are working to adopt more robust practices. Biometrics has a key role to play in this, but only if it can be secured and trusted. The uniqueness of each individual’s biometrics, its greatest strength as an authenticator, can also be its most fundamental risk. If the data is compromised, a user cannot simply rewrite their fingerprints in the same way they change their password. It is therefore crucial the data is protected and secure. Similarly, if a biometric solution can be easily spoofed fraudsters can gain access to the user’s device, accounts and personal information.
An updated approach.
To meet the challenges posed by this evolving threat landscape, Android defined its three classes of biometric strength for devices operating under its remit. Its Compatibility Definition Documents (CDD), the requirements that each Android device must comply with should it wish to participate in the Android ecosystem, outlines the requirements for biometric security as Class 3 (formerly known as Strong), Class 2 (formerly Weak), and Class 1 (formerly Convenience).
Devices require independent third-party testing to evaluate their Spoof Acceptance Rate (SAR) along with verification of False Acceptance Rate (FAR) and False Rejection Rate (FRR) as a part of their Biometrics Compliance Report (BCR).
Android’s biometric requirement and the ISO/IEC 30107 standard also defines Presentation Attack Detection (PAD) testing to evaluate the liveness detection capability of the biometric solutions. This is a crucial step towards detecting and resisting spoofing attacks such as deepfakes and protecting the end users.
Independent testing and compliance will raise the baseline for the minimum performance and security of biometric solutions. It requires all biometric solution providers and Android device OEMs to carefully develop their offer to ensure it meets the minimum thresholds backed by impartial evidence. This means that authentication should work right first time for the verified user, while also prevent spoofing and hacks. Not only will this help mitigate the rising threat of spoofing and fraud, it also elevates the user experience, thereby increasing trust in the biometrics ecosystem and proliferating its growth into additional use cases.
Adding value with testing and 3rd party validation.
The process of 3rd party evaluation with industrial standards acts as a layer of trust between all players operating in ecosystem. It should not be thought of as a tick-box exercise, but rather a continuous process to ensure compliance with the latest standards and regulatory requirements. In doing so, device manufacturers and biometric solution providers can collectively raise the bar for biometric security.
The robust testing and compliance protocols ensure that all devices and components meet standardized requirements. This is made possible by trusted and recognized labs, like Fime, who can provide OEMs and solution providers with tools and expertise to continually optimize their products.
But testing doesn’t just safeguard the ecosystem; it elevates it. As an example, new innovative techniques like test the biases of demographic groups (blog) or environmental conditions. Using these techniques allow testers to discover any differential performances by using or simulating different demographic groups or environmental conditions. Biases detection can prevent security issue on real life deployment. This allows also solution providers to optimize the quality and inclusivity of their solutions to meet the needs of more markets and differentiate from the competition.
Building for the future.
We have reached a critical moment for the future of biometric authentication. The success of the technology is predicated on the continued growth in its adoption, but with AI giving fraudsters the tools they need to transform the threat landscape at a faster pace than ever before, it is essential that biometric solution providers stay one step ahead to retain and grow user trust. Stakeholders must therefore focus on one key question:
Can the user trust that they are not sacrificing security for convenience when using biometric authentication?
Product managers must make sure that the performance of their biometric offer balances these two seemingly contradictory demands, but if successful, there are a whole host of emerging use cases that could unlock new revenue streams for them. These include biometrics backed in store checkout, enhanced access control, augmented automotive experiences, and more.
Another significant trend on the horizon is the increasing use of biometrics in identity verification for eID and eKYC use cases. Digital identity is offering a faster, more secure way to verify identity in the online world. Biometrics can provide a simple, seamless to augment the enrollment and verification process for this, but much like in the payments ecosystem, its success depends on the implementation of state of the art solutions throughout the user journey.
Compliance and quality validation are no longer optional. They are essential to protecting end users, preserving brand integrity, enabling innovation, and safeguarding the future of biometric technology.
