As you probably heard, last week Apple released their new and improved iPhone – the iPhone 5S. Much of the “hype” about this new Apple phone surrounded the added Touch ID fingerprint sensor that can read the user’s fingerprint in order to unlock the phone.
While Apple is taking biometric technology more mainstream, biometrics is actually nothing new. Merriam-Webster defines biometrics as “the measurement and analysis of unique physical or behavioral characteristics (such as fingerprint and voice patterns) especially as a means of verifying personal identity”. The first known use of biometric technology was in 1902, but as technology evolved, computer-aided biometrics grew rapidly – especially in the last quarter of the twentieth century. Biometric technology is not limited to fingerprint and voice recognition. The first iris algorithm was patented in 1994, although used in practice well before then. At the 2001 Super Bowl in Tampa, Florida, face recognition technology was used to capture an image of each of the 100,000 fans via a security camera and check electronically against mug shots from the Tampa police. Examples of biometric uses are abundant.
Recently, some have begun speculating that biometric technology will replace KBA (knowledge-based authentication). But – is biometrics really enough to verify an identity? While using your fingerprint to unlock a phone might suffice – how about in larger applications? Registering for a new online bank account or credit card…password resets…accessing highly sensitive medical records… Does biometric technology alone give organizations confidence that their customers are who they say they are? The answer is simple – no.
Identity security requires a layered approach – not just a reliance on one technology. Standing alone, the use of biometric technology raises several security questions: How is the fingerprint itself validated? What happens when a fraudster scans or copies a fingerprint? And what happens if all these fingerprints are hacked? You can change a password but you cannot change a fingerprint…
Biometric technology and comprehensive identity verification platforms work very well together in establishing that the fingerprint presented at initial verification actually belongs to the appropriate individual. Robust identity proofing processes, with the ability to escalate to knowledge-based authentication/out-of-wallet questions when needed, are the best way for organizations to make sure that the fingerprint from Jane Smith is truly Jane Smith's and not a mischievous fraudster's.
Knowledge-based authentication allows users to validate an identity through a series of out-of-wallet questions that only Jane Smith would know the answers to and that cannot be easily socially constructed. This leads to faster approvals as well as a better, more secure customer experience that is proven to deter fraud.
While this new feature on the Apple iPhone has made a bit of a splash – the use of biometric technology alone to validate an identity will not be the end of KBA. A fingerprint alone is not sufficient to validate an identity. Organizations need to employ robust IDV and KBA processes to accomplish this goal.
As Redditor iZeeHunter posted last week, “The new iPhone 5S provides unmatched security with its new Fingerprint lock, which makes your personal data even harder to reach!”