Welcome to the KuppingerCole Analysts Chat. I'm your host. My name is Matthias Reinwarth. I'm the Director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today is Research Analyst Alejandro Leal. He's working with KuppingerCole Analysts out of Stuttgart.Hi Alejandro.
Hi Matthias.
Great to have you. And we want to continue a discussion that we started a few weeks ago when we talked about your Leadership Compass Passwordless. And we want to continue the discussion around passwordless authentication a bit. One key component for passwordless authentication is the use of biometrics. Why is this so important? And where are maybe some of the challenges regarding biometrics within passwordless?
Sure. Well, thank you for having me back, Matthias. I think it's a good idea to first start talking about authentication factors. As we know, there are three factors, factors based on something you have such as the possession of a smart card or a token, factors based on something you know, such as login information and passwords and factors based on something you are.
And that's when biometric authentication comes in. We also know that biometric technology is not new. However, the rise of biometric as a service in recent years has created a very competitive and innovative space. Well, essentially, biometrics are mathematical representations of a person's physical and behavioral characteristics, while the former measures physical traits such as the iris, fingerprints and the face.
The latter focuses on behavioral attributes. These, in the long run, can be a bit less trustworthy because user behavior can change due to age or stress or other factors. So biometric technology, biometric authentication can be accompanied or used as an alternative to other methods of authentication. And like you said, it's one of the common features of passwordless authentication.
And in the past few years, we've seen a surge in creating passwordless experiences. Although this middle ground retains the vulnerability of credential based attacks or spoofing attacks, biometric authentication still offers the convenient user experience that is associated with passwordless authentication. So when combined with other mechanisms such as behavioral biometrics or cryptographic keys, step up authentication, risk based MFA, logins can be even more secure for users.
Therefore, vendors are offering multiple ways to authenticate their users, and they're developing new techniques to keep biometrics secure. As we also talked about last time account recovery procedures are important things to consider. So instead of using knowledge based authentication methods or even passwords to recover your account, many solutions are now using biometric authentication to do this.
However, there are architectural security and privacy concerns that need to be considered. And I'm sure that's something you would like to discuss.
Absolutely. Let's start with the security side of things. I'm very much a privacy guy, so I keep that for the later part of this episode. But where do you think are key security issues when it comes to biometrics and how are they addressed within products?
Well, despite the promise of biometric authentication, many people are still reluctant to move away from traditional methods of authentication because of user acceptance or privacy limitations, deployment cause, security concerns. I think there are two questions that are important to consider when it comes to implementing biometric authentication. One is, How can organizations deploy biometrics responsibly? And the other is, How can we use biometrics to enable trust and privacy?
You see, everyone wants the benefits of biometric authentication, it's very convenient, it's easy to use, but nobody wants to pay the security price. So the biometric industry facing the challenge to deliver a secure and at the same time convenient authentication processes. If we look at the history of the industry, there are several inflection points. I think the first one was probably over 20 years ago after 9/11, the American government and the industry started to use biometric authentication to increase security.
But I would say that maybe the most important inflection point was the use of mobile biometrics, because they popularized the use of fingerprints to authenticate. Apple's touch ID implemented this fingerprint technology for their new iPads and iPhones, as well as their Apple service payment and other devices such as Samsung Galaxy, they use iris technology and later the iPhone X has been using facial recognition technology.
So as these options become more popular, other biometric modalities are expected to grow as well. But more recently, the outbreak of the COVID 19 pandemic drastically accelerated digitalization in many organizations and businesses, and it also increased the adoption of biometric authentication. If we see the rise of online transactions and e-commerce during the pandemic, that pushed biometrics to the forefront.
Additionally, during the pandemic, many of the vendors and service providers of biometric authentication, they also increased innovation because as people started to use masks, many of these solutions had to innovate and acquire new capabilities to recognize people while wearing a mask. So essentially, the practicability of biometrics authentication depends on the use cases they intend to address. In the private sectors we see the use of biometric authentication in many industries, but specifically in the financial industry.
In addition to the private industry, the public sector is also a space that implements biometric authentication. Major initiatives such as e-passports, e-driving licenses, cross-border collaboration and national I.D.s are continuously pushing and driving the market in the public sector. However, there is a great deal of variation in the deployment, usability, functionality and reliability of both different biometric modalities and vendor implementations.
So as we were talking before, data privacy and security are probably the main concerns that organizations and users have. The regulation of biometric data is still in the making and discussions about legislative and regulatory interventions are challenges, but are also presenting an opportunity to raise public awareness. For example, in Europe we see the implementation of GDPR, which is one of the best known privacy regulations, and it imposes stiff penalties if there are no compliance.
In addition, since the introduction of GDPR, privacy has become closely associated with data protection. For example, biometric samples are considered to be personal identifiable information, according to GDPR. On the contrary, we see in the United States that there there's an absence of a comprehensive federal law that focuses and regulates the usage of biometric data.
So we see this difference between Europe and the United States. When we're in the United States, perhaps users are looking forward to having a more convenient method, whereas in Europe, perhaps users are more aware of privacy concerns.
Yeah, I think collecting and storing and processing biometric data is actually in Europe, I'm not a lawyer, but this is what I assume from a practice perspective, it's not that easy. And it's usually also not that common, I hope at least. But that has changed or is different in other countries, I assume. So that’s really an important topic because our biometrics cannot be considered as a secret.
I'm showing my face to that camera. So my face, as the authenticating factor, cannot be considered as a secret. So we need to add additional mechanisms. Is this where security issues also arise from, that data can be collected somewhere else?
Yes, that's right. Many people have this, let's say, lack of trust when it comes to maybe cloud providers storing their biometric data, for example. So if we take a look at the financial industry, many organizations are also subject to anti-money laundering and know your customer regulations. In Europe, the EU Revised Payment Service Directive is also an important element that many organizations and users alike are paying attention to, because these mandates that financial consumers, they must be authenticated strongly.
So strong authentication meaning that they have to have two of the following, something you know, something you have or something you are. So many vendors are trying to combine something you have, let's say, a device and something you are, and in this context, that would be biometrics.
Right. I'm a rather late joiner of the of the face ID community. I've just switched over to a new phone and have this facial recognition. But I think that is exactly what you mean. So when we do biometric authentication, using our phone, our mobile device, it is actually the combination of both, it is something I own because it's my phone and my face as the biometrics, which is then also stored within the secret element within my phone.
So the phone in effect, plus that I use it, is actually the combination of something I am and something I own. Does that increase security and reduce privacy issues?
Yes, but I’d say that high deployment costs and the fear of privacy and the fear of security are going to hamper the growth of the market. As long as there is no security or privacy scandal in Europe or in North America, it seems that users are still going to continue using biometric to authenticate themselves.
So I think it's important that service providers adhere to industry standards. They also deliver a clear message to users to raise public awareness of what biometric authentication really is, what are the challenges, and they need to place security and privacy at the forefront of the conversation in order to make biometric authentication be more secure and convenient and deliver its promise.
Right. So it's a call to action from your side towards the vendors, the service providers, to increase the level of information about what they are doing and how they process data. And on the other hand, an education part towards the end users to understand where the risks really are because there are risks and they need to be properly mitigated.
And then the increased security that biometrics obviously deliver can be leveraged in a proper way. Would that be one of the takeaways of our discussion today?
Yes, certainly. And as passwordless authentication continues to grow, because it's expected to grow, I think this is an important message that passwordless vendors need to also consider.
Absolutely. Thank you very much, Alejandro for that insight. I want to hint at a new service that we will be launching at KuppingerCole early in 2023. It will be a highly interactive, a more digital service that will be available very soon. I cannot give away too much as of now, but I think passwordless is a topic that will be around that service as well.
Until then, and thank you very much, Alejandro, for sharing your thoughts about passwordless authentication, biometrics and the challenges that go with that. And I'm really looking forward to having you very soon for another episode. Thanks again.
Thank you, Matthias.
Thank you. Bye bye.
