Passwords are passé, brace for biometrics
For quite some time now, employees in many offices have been using biometric systems to mark attendance. Educational institutions like colleges too are adopting them to mark attendance in classes. More recently, biometric authentication has been integrated into our electronic devices like smartphones and laptops, giving us more secure control over them.
Not just devices, even services are being integrated with biometric systems. All new mobile phone connections need to be linked with Aadhaar, a process that will need biometric verification. Even older phone connections will need to be authenticated with Aadhaar. You may have already got a reminder from your telecom operator to link your phone number with Aadhaar.
“In the near future, passwords could potentially be eliminated and biometrics may become the key element for authentication along with presence of a device such as a mobile phone or smart watch,” said Amit Jaju, executive director, forensic technology and discovery services, EY LLP.
Going forward, we would see our electronic Aadhaar Pay transactions at commercial establishments being authenticated using just our fingerprints.
But biometrics entail more than fingerprint scans. They also include iris scans and facial recognition. “That is where I see greater possibilities. Imagine being able to simply walk out of a retail store, while an iris-recognition camera captures your iris information, knows your Aadhaar number (as you are a frequent shopper) and as the Aadhaar account is connected to your bank, simply deducts the amount of the goods you are carrying in a bag,” said Saket Modi, co-founder and chief executive officer, Lucideus Tech. “The banking industry is already seeing an upsurge in use of biometrics for authenticating a transaction. It could further be used for identity verification such as at airport immigration,” Jaju said.
We take a look at how these biometric systems work.
How it works
Biometric authentication uses some form of unique biological characteristic—such as fingerprints, retinal scan, facial recognition or voice detection. Fingerprint and retinal scans have been more popular forms of identification, but face recognition is also gaining popularity as most devices these days have high resolution cameras.
“A device reads (biometric reader) the biological characteristic and uses an algorithm to convert the readings into a digital hash (numbers and digits). The algorithm and design of the device ensures that the digital hash cannot be converted back into the source (such as the fingerprint). This hash is then authenticated with a server which has a similar hash generated at the time of registering the user (master copy),” Jaju said. If both the hashes match, then authentication is granted.
A fingerprint reader, for instance, reads the fingerprint and converts it into a digital hash, and the underlying software sends the hash—securely, in an encrypted manner—to the server for authentication. “A biometric reader without the underlying software has no utility. The software itself has a security mechanism to be able to interact with the authenticating server,” Jaju said.
“Biometric authentication tends to be much safer than sharing your documents and physical signature on a form,” Jaju said. Using biometrics, a user can instantly get alerted, by SMS or email, regarding the status and source of the authentication and can take immediate action, if needed. When someone uses biometric authentication in place of physical copies of documents, she can be sure that copies of her documents cannot be forged or misused for data or identity theft. Modi said that devices and scanners that adhere to the standards set by the Unique Identification Authority of India (UIDAI) are perfectly safe to share one’s biometrics on.
“One key change that’s going to come in the next few months is the enforcement of having the Aadhaar encryption key at device level itself. Currently, there is still a channel where the device sends the raw biometric data to the phone where encryption is applied. So technically, the wire that’s connecting the phone with the device can today be tapped to capture the biometric data. Although there are some checks and balances in place to counter this too,” Modi said.
A regular fingerprint reader, like the one used by representatives of telecom companies for Aadhaar authentication, does not have a memory of its own, said Atish Saoji, vice president sales (information technology) at BioEnable Technologies Pvt. Ltd, a company that manufactures biometric devices.
“Other forms of devices—like the ones used for attendance in offices or access control devices—have a memory of their own,” he said.
Storing biometric info
Most secure biometric authentication mechanisms use two-factor authentication techniques, such as biometric plus SMS/email or biometric plus password.
“One should also check if the biometric authentication process would send an alert SMS or email confirming the authentication attempt. This can be valuable to identify a potential fraudulent attempt at fake authentication. Always remember that a biometric authentication system is more secure if it uses an additional form of authentication such as a password or PIN,” Jaju said.
“In the worst-case scenario, if a hacker is able to impersonate someone else’s biometric data and enter their Aadhaar number along with it, they would still get notifications on the registered phone number about the transaction that is happening,” Modi said.
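The enrol-and-verify flow described under “How it works”, together with the second factor and per-attempt alerts discussed just above, as an added illustration that is not part of the original article and not UIDAI’s or any vendor’s protocol. It assumes a constructed 32-bit feature string as the “template” and a made-up `AuthServer` class; one caveat it shows is that two captures of the same finger never agree bit for bit, so the server must compare templates with a tolerance rather than by byte-equal cryptographic hash.

```python
import hashlib
import hmac
import secrets

THRESHOLD = 0.90  # fraction of matching feature bits needed to accept a capture


def capture_template(bits: str, noise_positions=()) -> str:
    """Simulate a reader capture: the same finger never scans identically,
    so flip a few feature bits to model sensor noise (positions constructed)."""
    out = list(bits)
    for i in noise_positions:
        out[i] = "0" if out[i] == "1" else "1"
    return "".join(out)


def similarity(enrolled: str, presented: str) -> float:
    """Fraction of positions in which two templates agree (1.0 = identical)."""
    return sum(x == y for x, y in zip(enrolled, presented)) / len(enrolled)


def exact_hash_matches(a: str, b: str) -> bool:
    """Byte-equal SHA-256 comparison: fails on any noise, which is why a
    biometric server scores templates instead of comparing digests."""
    return hashlib.sha256(a.encode()).digest() == hashlib.sha256(b.encode()).digest()


class AuthServer:
    """Holds the master template from enrolment, issues a one-time second
    factor and records an alert for every attempt, accepted or not."""

    def __init__(self):
        self.enrolled = {}   # constructed id -> master template
        self.alerts = []     # one SMS/email-style record per attempt
        self.otp = None

    def enrol(self, uid: str, template: str) -> None:
        self.enrolled[uid] = template

    def issue_otp(self) -> str:
        self.otp = f"{secrets.randbelow(10**6):06d}"
        return self.otp

    def verify(self, uid: str, presented: str, otp: str) -> bool:
        score = similarity(self.enrolled[uid], presented)
        bio_ok = score >= THRESHOLD
        otp_ok = self.otp is not None and hmac.compare_digest(otp, self.otp)
        self.otp = None      # single use, even when the attempt is denied
        ok = bio_ok and otp_ok
        self.alerts.append(f"uid={uid} score={score:.2f} otp_ok={otp_ok} "
                           f"result={'OK' if ok else 'DENIED'}")
        return ok
```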
On the widespread and increasing use of biometric-based Aadhaar authentication, he said that most people still do not realise that your Aadhaar number is like your email address. “You can give it to as many people as you want and no one can do anything with just your Aadhaar number, as they will need your fingerprint with it to authenticate and impersonate you,” he said.
Moreover, Modi added that most “so-called hacks of Aadhaar card data reported till now have been the leak of Aadhaar card numbers only, and not of the biometric data.”
Jaju said that not so long ago, passwords were considered safe and many industries depended on them. Now passwords are strengthened with additional two-factor authentication methods such as one-time passwords (OTPs) and device recognition.
“Biometrics is one of the safest forms of authentication techniques available today, when clubbed with another form of two-factor authentication. It tends to bridge the gaps that could be exploited for corruption such as identity theft for obtaining fraudulent loans and benefits,” he said.
While many experts insist that biometric identification is a secure process, the debate around use of biometrics has got polarised. We will keep updating this space with stories that go beyond the rhetoric.