FEATURE
Passwords are broken – the future shape of biometrics
David Ferbrache
David Ferbrache, KPMG
Biometric Technology Today, March 2016

The headline assertion – that ‘passwords are broken’ – was one of my somewhat hopeful security predictions for 2016, which KPMG was good enough to publish. The comment was somewhat tongue in cheek, but the truth is that passwords have become one of the weakest links in our security chain, compounded by our inability to memorise the long and complex passcodes demanded by our security systems (see the box ‘Problem with passwords’ below). This has prompted the current drive in organisations like banks and internet service providers to standardise on multi-factor authentication. The idea is that the SMS text message sent to your device confirms that you are indeed who you say you are by blending ‘something you know’ with ‘something you have’, making it more difficult for hackers. Of course cyber-attackers look for ways to defeat this approach – they target the mobile devices that receive the SMS, perhaps they even explore how to redirect and divert calls, looking for weaknesses in the very protocols that handle our telephone signalling.

To combat this, biometrics provides the last of the three authentication methods – ‘something you are’. Yet biometrics has historically heralded much promise, while always seeming to fall short of delivering on that promise, simultaneously raising privacy concerns. Fingerprints carried with them the faint implication of criminality, retinal scans always seemed too intrusive, facial recognition hinted at Big Brother, while speaker recognition seemed dogged by microphone variability and background noise. But this is changing – and curiously the mobile phone and the coming Internet of Things may be providing both the impetus and the opportunity to change.

We are now entering an era where we interact with the devices we use to access the internet in a far richer and more intimate manner than we ever did with the telephones and keyboards of yesteryear. Our laptops offer microphones, touchscreens, webcams, fingerprint readers and graphical user interfaces, which provide the opportunity to interact with the user in sophisticated ways. Our mobile phones go further, offering gyroscopes, accelerometers and GPS. Our digital watches and personal fitness devices go yet further, offering pulse detection, and even the ability to monitor our gait and movements.

Building on this, banks are now trialling and rolling out a wide range of biometric techniques – fingerprint, facial and voice recognition; even heart rate monitoring. We seem to have crossed the threshold of acceptability, and finally false positives are beginning to decline to acceptable levels. But there is a new world of biometrics which looks beyond these initial implementations – one which doesn’t rely on a single authentication method, but rather on a rich fusion of techniques, all of which contribute to certainty that the individual interacting with that device is indeed who they purport to be. Suddenly the keystroke patterns on the laptop and the movements of the mouse come together into a single behavioural fingerprint of the user. The subtle movements of the mobile phone and the context provided by the GPS location add colour and confidence, while the unique pattern of your electrocardiogram as read by your personal fitness device adds the final piece of the puzzle, while simultaneously tracking the health of your heart.

We are now seeing a proliferation of innovative start-up firms all focused on novel biometric methods or the fusion of many methods. Every year KPMG runs a talent-spotting competition to pick the Fintech 100 – the 100 firms we believe will reshape the financial sector. This time round, hiding among the peer-to-peer lending, blockchain, micro-payment, robot adviser and digital banking services were identity management and biometrics firms, each looking for that novel nugget of intellectual property that might be their ticket to success.

So where might the answer lie? Biometrics need to be robust in the face of some quite cunning attacks. The rollout of fingerprint scanners has not been without problems. Fingerprints can be lifted from devices using good old-fashioned forensic techniques, replicated and used to defeat fingerprint readers. High-resolution photographs have even been used to provide the basis for building those fake fingerprints. So we go further and look for ways to avoid replay attacks. Heart rate monitors confirm that you are indeed who you say you are, picking up the unique sinus rhythm of the heart – but also recognising that every heartbeat is subtly different. We look for challenge and response methods – such as speaker recognition using particular prompt phrases. We use other indicators such as device inclination and vibration to confirm that a real person is interacting with the device.

And so a new set of possibilities begins to open up – that of active authentication using intrinsic physical and behavioural traits, which begin to build a cognitive ‘fingerprint’ for a user. As the individual is stimulated to interact with the system they are using (whether laptop, mobile or other device), we can monitor their behaviours and responses. How do they move their mouse, how do they type a phrase in response to a prompt (ie, stylometrics), how do they track the objects displayed on the touchscreen, how do they handle and orient their device as they do so?

These techniques don’t provide absolute authentication. And indeed conventional one-off statistics around false positives and false negatives seem crude ways of characterising the continuous process of authentication that occurs as the user interacts with their device in a myriad of different ways. However, this provides the basis for us to build user profiles: not a single static biometric print, but a more complex multi-dimensional characterisation of the behaviours of an individual. If stolen, this profile doesn’t provide an easy basis for masquerading as that individual. Suddenly the simple password seems a very basic and unsophisticated authenticator indeed.

Of course we also need to think differently about what we mean by authentication. It becomes less an absolute concept of identity, and more that of sufficient confidence to support the transactions which the user wishes to undertake. If the confidence level isn’t sufficiently high, then a few more stimulated interactions with the device may provide the additional confirmation needed to permit the transaction.

Managing risk

The concept of risk is well-known and well-understood in the business world, and we spend much time determining just how much certainty is enough to allow a given payment or financial transfer. This judgement isn’t static: it changes with the nature of the transaction, the recent history of the user’s activities and the changing threat to the business. So the door is now open for banks (and other firms) to implement very sophisticated fraud control and risk-scoring approaches, linking behavioural biometrics to a wide range of information on previous user transactions and patterns of movement. They can also go just a little further by taking steps to build behavioural ‘fingerprints’ of potential fraudsters – although the format in which those fingerprints might be shared between banks has yet to be explored, let alone how they might be shared with law enforcement.

Of course, active authentication also goes a long way to helping identify and block ‘robots’, those computer programs that mimic the actions of real people in order to automate the penetration and compromise of user accounts. The Captcha – that wonderful acronym which stands for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’ – may be rendered obsolete.

So what of privacy? That’s tricky. While we have a clear expectation that conventional biometric information is adequately protected – and rightly become deeply concerned when our fingerprint information might be compromised – our expectations of privacy around behavioural ‘fingerprints’ seem much less clear. In fact, the complexity of privacy in the biometric sphere is transforming. For example, in Europe the recently agreed EU-wide General Data Protection Regulation explicitly calls out biometric information as a special category of personal information (ie, sensitive personal information) where it is used in order to uniquely identify a person, which for authentication is generally the primary purpose. So we naturally think about fingerprints when we talk biometrics; but this regulation would cover the depth and breadth of biometrics and even include photographs where they are processed through a specific technical means allowing the unique identification or authentication of an individual.

This creates an interesting risk dynamic for organisations that wish to use biometric technologies. The security baseline they would have used previously may no longer be sufficient; the liability position has increased and there are increased privacy requirements as organisations look to collect (hopefully with the individual’s consent), use, retain and disclose the biometric information. This in turn creates a quandary. Do you collect sensitive personal information or increase your privacy risk profile in order to reduce the risk of harm being caused to an individual as a result of a privacy issue involving the loss of sensitive personal information? As more and more sensitive information is collected through the Internet of Things and through increased profiling, a lot of organisations are likely to face a tipping point in this dilemma.

Box: Problem with passwords

The search for new and more varied biometric-based and other forms of authentication – more suited to the sophisticated online interactions of today – has been driven by a range of problems with passwords. First, organised crime groups and hackers with various motivations are often able to breach system security and will look to acquire large files of encrypted passwords. This makes sense as attackers know that users tend to reuse passwords. Gaining access to one system means you have access to one system; getting access to a large encrypted password file gives you the potential to access a large number of systems. Hackers like the easy life as much as anyone else.

Faced with this threat, we might expect passwords to be stored in the form of one-way hashes, which map each password to an encrypted form that can’t be readily reversed to recover the original. Salts are also used in the hashing algorithm to avoid trivial identification of password re-use by comparing hash values. Computationally complex hashing functions are used to increase the time it takes to crack each password. Unfortunately these techniques don’t always seem to be used, or if they are, the implementation can be rather sloppy. As such, a surprising number of compromised password files seem to lend themselves to rapid dictionary-based attacks and use of pre-calculated rainbow tables. When these files are cracked, the picture of user-selected passwords seems all too familiar, with ‘123456’, ‘password’ and ‘qwerty’ being common – along with frequent use of the word ‘football’ and the rather more topical ‘starwars’.

The BBC reported [1] in August 2014 that Russian hackers had amassed 1.2bn usernames and passwords collected from a variety of hacks, which of course led to determined attempts to crack those passwords with surprising levels of success. Their efforts seemed to be aided by a number of organisations that helpfully kept their password reminder questions and responses in plaintext, which when compromised gave the attackers a head start on guessing those passwords. Of course, many people re-used passwords across sites, which again points to our innate tendency towards laziness and our inability to remember dozens of different passwords.

Naturally, sites introduce password complexity rules to reduce the risk of passwords being cracked. Unfortunately, there seems to be little agreement on quite how this might be implemented. Some require numbers, mixed case, punctuation – the list continues to grow, while users become more and more frustrated. Of course there are also machine-generated passwords. These are tricky to remember. Governments provide advice on memorable password selection, only to find that their convenient passwords won’t quite pass the complexity tests imposed by service providers. Difficult-to-remember passwords find their way on to convenient notes stuck to keyboards. Password vaults might be part of the solution, but can they withstand a determined hacker who has compromised the computer that hosts the password vault, or has established a ghostly presence in the browser the user trusts to access the internet?
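As an added illustration of the point made in the box ‘Problem with passwords’ (example code written for this page, not from the article or KPMG), the following Python contrasts the sloppy scheme, one fast unsalted digest, with salted, iterated PBKDF2; it uses only the standard library, and the account names, passwords and ‘leaked file’ are constructed.

```python
"""Salted, iterated password hashing versus a fast unsalted digest.
Constructed example: accounts, passwords and the 'leaked file' are made up."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# The box's list of all-too-common choices doubles as a tiny guess dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "football", "starwars"]


def unsalted_sha1(password: str) -> str:
    """The sloppy scheme: identical passwords give identical digests, so re-use
    is visible at a glance and one precomputed table fits every leaked file."""
    return hashlib.sha1(password.encode()).hexdigest()


def precomputed_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Rainbow-table stand-in: digest -> plaintext, built once, reused forever."""
    return {unsalted_sha1(w): w for w in wordlist}


def reused_digests(records: Dict[str, str]) -> set:
    """Digests stored for more than one account: password re-use laid bare."""
    seen, shared = set(), set()
    for digest in records.values():
        (shared if digest in seen else seen).add(digest)
    return shared


def table_hits(records: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Accounts recovered by pure lookup; succeeds only against unsalted files."""
    return {user: table[d] for user, d in records.items() if d in table}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256: a fresh 16-byte salt per account means the same
    password never stores the same way twice, and every guess costs `iterations`
    HMAC rounds, so any precomputed table would have to be rebuilt per salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed 'leaked file': alice and bob chose the same topical password.
LEAKED_UNSALTED = {"alice": unsalted_sha1("starwars"),
                   "bob": unsalted_sha1("starwars"),
                   "carol": unsalted_sha1("correct horse battery staple")}
```

Run against LEAKED_UNSALTED, the table recovers alice and bob at once and reused_digests exposes their shared password; the same two accounts stored with hash_password share nothing a lookup can use.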
Organisations will also look for technical approaches that minimise the harm to the individual, by ensuring information cannot be reverse-engineered to expose that individual’s identity, or to allow subsequent frauds on the individual. Ironically we return to a debate on how we ‘hash’ biometric identifiers, in much the same way we have debated password hashes. We also have standards emerging that ensure that the biometric details never leave the user’s device (or perhaps the systems of a third-party identity verification service), but rather just unlock a cryptographic exchange confirming the user’s identity. The FIDO (Fast IDentity Online) Alliance has made good progress in this area, but these protocols need to continue to evolve and develop to meet the needs of a richer risk-based transaction authentication environment.

Significant innovation

So are passwords really dead? Perhaps not yet, and perhaps not for years to come. But as we look to the future, it is time to contemplate very different ways of authenticating users, through a much richer range of interactions mediated by more sophisticated devices in an Internet of Things. We are seeing significant innovation in the area of biometrics. Both the number of providers and the variety of approaches they are adopting continue to accelerate and expand. We can’t see this trend slowing down in the short to medium term. It is now over 50 years since the first computer password was used. Let’s hope it doesn’t take another 50 years to find a mechanism that better fits our needs.
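To make the ‘sufficient confidence’ idea from the Managing risk section concrete, here is an added Python sketch (not the article’s code, nor that of any bank or vendor) that fuses several behavioural signals into one confidence figure and steps up when the transaction demands more; the signal likelihoods, confidence bands and amounts are constructed assumptions, not measured values.

```python
"""Risk-based continuous authentication: fuse behavioural signals into one
confidence figure and step up when the transaction demands more.
Constructed example; likelihoods, bands and amounts are assumed, not measured."""
import math
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Signal:
    """One observation with its probability under each hypothesis (a real
    system would estimate these from enrolment and population data)."""
    name: str
    p_genuine: float   # P(observation | genuine user)
    p_impostor: float  # P(observation | impostor)

    def log_lr(self) -> float:
        return math.log(self.p_genuine / self.p_impostor)


def fuse(signals: Iterable[Signal], prior_genuine: float = 0.5) -> float:
    """Naive-Bayes fusion: posterior odds = prior odds x product of likelihood
    ratios, so each further interaction multiplies in its own evidence."""
    log_odds = math.log(prior_genuine / (1.0 - prior_genuine))
    log_odds += sum(s.log_lr() for s in signals)
    return 1.0 / (1.0 + math.exp(-log_odds))


def required_confidence(amount_gbp: float) -> float:
    """Policy bands: larger transfers need more certainty (assumed values)."""
    if amount_gbp <= 100:
        return 0.90
    if amount_gbp <= 1000:
        return 0.99
    return 0.999


def decide(signals: List[Signal], amount_gbp: float,
           prior_genuine: float = 0.5) -> Tuple[str, float]:
    """'allow' when fused confidence meets the bar, else 'step-up': prompt another
    interaction and re-score. A lower prior models a raised threat level."""
    confidence = fuse(signals, prior_genuine)
    verdict = "allow" if confidence >= required_confidence(amount_gbp) else "step-up"
    return verdict, round(confidence, 4)


# Constructed passive signals, gathered while the user simply uses the device.
PASSIVE = [Signal("keystroke rhythm", 0.80, 0.20),
           Signal("mouse dynamics", 0.70, 0.35),
           Signal("device orientation", 0.90, 0.30),
           Signal("location matches history", 0.95, 0.10)]
# Constructed active challenge, requested only when a step-up is needed.
VOICE_CHALLENGE = Signal("speaker recognition on prompt phrase", 0.90, 0.02)

if __name__ == "__main__":
    for amount in (50, 500, 5000):
        print(amount, decide(PASSIVE, amount))              # 5000 -> step-up
    print(5000, decide(PASSIVE + [VOICE_CHALLENGE], 5000))  # -> allow
```

The passive signals alone give roughly 0.9956 confidence, enough for £50 or £500 but not £5,000; adding the spoken prompt phrase lifts it past 0.9999, while lowering the prior to 0.01 (a raised threat level) drops even the £50 payment to a step-up.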
References

1. ‘Russia gang hacks 1.2 billion usernames and passwords’. BBC, 6 August 2014. http://www.bbc.co.uk/news/technology-28654613
About the author

David Ferbrache OBE is technical director for cyber-security at KPMG UK. He leads the technical strategy for the cyber-security team, working with KPMG’s largest clients to deal with cyber threats. He was previously head of cyber for the UK Ministry of Defence, having worked for over 25 years in the field, as well as in a range of senior policy and science roles. He is also a Fellow of the British Computer Society.

This article was written with helpful inputs from George Quigley, Mark Thompson, Morgan Phillips and Neil Coutts of the KPMG cyber-security practice.
Biometrics as a Service: the next giant leap?
Jeremy Rose, SmilePass and FaceCrypt

Doesn’t the cloud conjure up a mystical picture? For the ordinary consumer, it’s like some kind of floating vehicle in cyberspace that magically performs services and delivers information by the hand of the internet god. So, ask most people what they think the cloud is exactly, and it is likely they will frown in puzzlement. But if you explain to them that it’s just an over-used word for a computer with a disk drive somewhere else, you’ll see them get the point: the cloud can let them stop making purchases only to be left in the lurch with old tech. The point is that by simplifying the jargon and making technology less complicated, you inform the non-IT-literate person and also make the technology more appealing. So as with ‘the cloud’, so it is with Biometrics as a Service (BaaS). Explain that BaaS is simply identity checks on another computer and people are more positive and informed about it.

Of course, there are quite a lot of components, and trust, needed to make BaaS happen. We all know why biometrics are important in the ID space. With big issues like terrorism, cybercrime and immigration, we are just scratching the surface of the need for better identification. But why BaaS specifically? What has changed recently to make this way of managing identification online more attractive?