In all areas of life ‘security' is a race. Even in the most serious of cases – the life or death of an entire species – groups survive and secure their place in the world by adapting and defending faster than their environment and neighbours turn hostile. Simply improving and adapting is not sufficient: you have to improve faster than your adversaries. Harden your shell and quicken your legs faster than they can sharpen their claws and hone their camouflage.
And so it is in the digital ecosystem, but the race here is frantic and the pace of change is phenomenal. It is undeniable that we have made huge improvements in computer security over recent years but the attackers are moving fast too and new kinds of threat appear with startling regularity. Whether financially-motivated hackers, activist groups or our own governments, the perceived state of e-commerce and mobile payments – despite all the many great improvements we have made – is that the EU security agency has advised banks to consider all computers and devices compromised. Clearly this is not where we want to be.
So where's the next great advancement that will shift the balance back to the defensive inhabitants of the information security jungle? One technology that is exerting some positive pressure right now is biometrics: using physical characteristics of a person to prove they are who they say they are.
Biometrics as identification technology are nothing new - they pre-date computers by centuries – but recently the technology has improved and complementary advances in the environment have been made. Consumer acceptance is also at an all-time high with a recent survey finding that 80 percent of UK citizens would opt for biometrics in place of passwords. In this new context biometrics have their chance to make an impact.
So what might this mean for the enterprise and retail sectors? When thinking about security it is always useful to consider systems from the perspective of someone who has something to lose, and these are the people whose assets and businesses will be protected – supposedly – by the biometric login. At this point nurture becomes more important than nature, as companies have to learn how to live in a new biometric world. Tricks that evolved to cope with passwords do not apply so cleanly here.
A fingerprint is not the same as a password – it's not secret! So the way the biometric is captured, analysed and delivered to relying parties is very important. Are replays possible? Do different fingers on the same person represent the same identity? What else is sent along with the biometric to guarantee the login is genuine? That convenience also plays both ways: what if a transaction is repudiated because the person claims they were asleep and someone else swiped their finger?
Fingerprint technology is not foolproof – Gummi Fingers still work. Whether this matters or not depends on the use case and needs to be consciously thought about and agreed by the whole ecosystem (and this goes just as much for other metrics): the biometric alone is not a magic answer to everything.
The point is that biometrics are only part of the solution, like the duck-bill without the platypus. These issues point to the need for security to be inherently embedded on devices for biometrics to work properly – at least something to vouch for the capture of the scan. Sensitive information, such as machine ID, legacy passwords and biometrics need to be handled in a protected environment to ensure their advantages can be relied upon.
The developments in biometrics, coupled with growing appetite, make it a plausible solution to the problem of security inconvenience. However, what will ensure the longevity of biometric systems is a mobile computer environment that properly supports them: devices with identity and trust built in from the ground up. Without this, it won't be long before the hacker-predators are back on top.
Contributed by Jon Geater, CTO of Trustonic
Also, listen to the new SC ID Management webinars