In a very interesting post, Brien Buckman explores how biometrics can safely replace the password. At Natural Security Alliance, we share this vision. But biometric identity will play a key role in the authentication of the future only if four main issues have been addressed:
- Biometrics is about implementation. Strong authentication should rely on the use of several factors, including a personal device (wearable, token or mobile phone…). Coupling factors (what you have, the token, and what you are, biometrics) ensures a strengthened confidence link among the various actors of the solution. For several reasons (privacy, quality of service, security, business models, legal aspects…), the era of biometric databases for non-governmental applications is over.
- If biometrics is about security, we should be able to bring visibility to the performance of the biometric technology used (in terms of interoperability, security, functionality). The Biometrics Alliance Initiative, for instance, paves the road to real use cases of biometrics by setting up a certification and evaluation process based on a framework built on business requirements. Coming to the non-repudiability aspect of biometrics you depicted, crypto-biometric solutions do address this issue, while opening another linked to interoperability. The Biometric Alliance Initiative is currently working on a benchmark to give a better appreciation of these aspects.
- Privacy. Defining the right implementation (Privacy by Design) and commitments from service providers (Privacy Rules) help address the concerns of end users.
- Standard approach. The current roll-out of biometric authentication is the roll-out of proprietary implementations. Ensuring interoperability, performance and security should rely on open standards, specifications and technologies shared by the whole industry. A standard approach also allows the development of various implementations of the same authentication method (token, wearables and mobile phone) in order to address the different categories of end users.