In theory, identification methods predicated on "something you are" should be secure as the identifier is unique. Every fingerprint is different and personal, so a fingerprint scan should be a perfect identifier. Each retina is unique, so a retina scan should work flawlessly. The same goes for facial recognition and similar biometric identification methods. The problem is that the validity of these identity authentication methods disappears completely if the credential becomes compromised.
If a person makes a copy of your fingerprint with wax, that bit of material can be used to hack a phone. Retina scans can be similarly problematic, but for a different reason. Computerworld reported that iris scanning can prove so finicky and complicated to use that many people would rather ignore it than deal with the complexity. In the mobile world, inconvenient equals insecure as people will often take inadvisable shortcuts instead of dealing with a cumbersome solution.
Something that you are is only secure if nobody else can, in any way, lay claim to that identifier, making many biometrics methodologies incredibly risky if they are used exclusively within an identity management strategy.
What happens when something you are gets compromised
A recent Reddit post highlighted just how problematic it becomes when something a person is becomes difficult to verify. The post tells the story of an individual who ran into identity verification problems because somebody with the same first name, last name and date of birth had a criminal record. At one point, the individual writing the post had been denied employment because a background check found a criminal history that wasn't accurate. This issue was resolved, but the issue arose again when the author tried to lease an apartment.
The problem in this situation was quite simple - courts generally track first name, last name and date of birth when creating and maintaining criminal records. Therefore, because this person shared all of these credentials with somebody else who had performed criminal activities, background checks falsely confused the two people as one.
The entire situation here became incredibly complicated and frustrating for all parties involved. The person whose identity was being confused was left somewhat powerless to do anything to rectify the problem. At the same time, the companies doing the background checks could do little to accurately verify that the problem was legitimate because the court records and similar documents were relying heavily on something you are as the primary means of authentication. In this case, the identity verification was happening through names and dates of birth, but the issue shows just how quickly problems can escalate when organizations are relying on something a person is to identify them.
These same issues can arise in the event that a biometric identifier becomes compromised. It becomes incredibly difficult to accurately verify the mistake and individuals and businesses alike can be left scrambling to figure out the truth of somebody's identity.
Safeguarding biometrics with diverse identifiers
The problem that arose in the Reddit thread and the issue highlighted by the Best Security Search report stem from a common issue - relying on something a person is as the primary authenticator. Best Security Search explained that financial institutions have largely countered the problem of people working around biometrics by using PIN techniques and similar practices, but this only complicates the end-user experience. Furthermore, having to fall back on less ideal identification methods because the primary option is fairly easily broken shows just how readily security systems can be countered.
Identifiers aren't just limited in effectiveness because they can be copied or otherwise compromised. There are also issues such as clerical errors and hacking that can make using biometrics risky. Something as simple as associating the wrong fingerprint with a person in a backend data storage system can completely undermine identity verification processes. Furthermore, once there is confusion, how does one go about ensuring new biometrics are accurate? You'd have to collect multiple forms of alternative identification along with the correct biometrics to restore the system to an accurate state, an awkward and time-consuming process for everybody involved.
All of these issues point to the need to rely on more than just biometrics when it comes to identity management. However, combining biometrics with passwords, PINs, security questions and other traditional tactics is unwieldy from a user experience perspective and leaves organizations reliant on outmoded identity verification methodologies. It is time for businesses to move beyond these tactics and take on a more comprehensive, user-friendly approach that leverages modern digital technologies.
Today's smartphones have high-quality digital cameras. Asking users to snap an image of their driver's license or similar identification is a quick, easy way to gain access to a multi-factor authentication document. State-issued IDs combine biometrics, built-in fraud prevention techniques, names, date-of-birth details and similar data points that provide multiple layers of something-you-are identification in one place. No more errors with duplicate names or stolen biometric identifiers - the single document has built in checks and balances.When combined with other user-friendly identity verification methods, a digital scan provides the multi-factor authentication businesses need to verify identity, something that is particularly crucial as financial services firms embrace digital and remote banking processes. Biometrics and any other form of "something you are" security methods come up short when relied on as exclusive identity verification tools. When combined into a full identity management suite, however, they become a powerful authentication option. At Confirm, we bring together the backend digital scanning and verification capabilities organizations need into a centralized app, freeing businesses to build intuitive, user-friendly apps that offer secure user authentication without compromising consumer privacy or the overall experience.