Discussion panel at the Consumer Identity World 2017 EU in Paris, France
I'm not putting the plug in, but I'm just telling you a deficiency that we found. You know, when we started many years ago with the creation of biometric or bios ID, what we did was we went to 21 universities and colleges and did our beta testing. But what we found out was that some of the first-time users were verifying their identity more than what we had asked them to do.
We said, go and do it 10 days in a row, once a day. Well, we'd get guys and girls in there that were doing it three times, 10 times a day. And the length of time that they were spending in each of the days was enormous. So we did an online survey, and guess what? 48% of them said, this is entertaining. We thought, what? It's like Colonel Sanders's secret recipe. Somehow we sort of lucked into this idea that, you know, these people thought it was gamish. And I thought, we didn't even think of it that way. So it was a miss for us, but a win for the users.
Because if you're having a highly secure security technology and people are enjoying its use, boy, that's a good recipe for success. So I think two things I've made notice of there. What we find with a lot of people is that if it's a high failure rate, so they have to log in multiple times, or it's just not logging in for whatever reason, then that starts to affect the reputation. So it's sort of, we're not going to use that system, we're not gonna purchase that application, you know, we're not going to get a new subscription.
We're not gonna continue as a student at this university; it's so hard to log into the learning environment, log into the platform. Actually, we're not going to do it. We were thinking of dropping anyway. So actually, we'll drop out. Then we'll go to a different university.
So sometimes a higher false acceptance rate perhaps might suit lower-risk environments. So perhaps not a financial transaction, say, but logging into perhaps a learning event or accessing some digital subscription, where there's a degree of sensitivity. We need to make sure we've got the right level of risk.
Actually, something that's a higher acceptance rate perhaps is gonna work better for them. And obviously if it's a bank, it'd be a different matter. The second one's kind of one that we find with quite a lot of organizations, actually: how are the users going to use it? They might enroll sat at home. Then when they actually come to use the application, come to actually use their phone to authenticate, where are they actually based? Have they just run a marathon or something?
Have they got sweaty fingerprints to scan on the phone, or are they wearing gloves? Some other sort of application that they're using is actually interfering with their face or interfering with their physical appearance, so that the biometric no longer actually works. So what we've found with quite a few places is actually having multiple ranges of authentications as an option. So one organization we're working with, they've got four different biometrics. So the PIN and three others: face, voice, and fingerprint.
So if you are in a situation where you don't want to speak on the train to access your bank, you can use a fingerprint, but in other cases, I've got gloves on, perhaps that doesn't work. I've got a cold or some crud at work. I've got my sort of medical bills or whatever on; I can still check it by speaking to the phone if I'm in a secure environment. So I think not choosing just one biometric but having a range of them is suitable. Yeah. I think that's really important to point out.
You shouldn't get into a situation where you have to rely on a single biometric modality, and being able to, let's say, write policies that can allow individual organizations to establish what they think the equivalents are, so that you could swap out fingerprint for face in certain cases, or voice, or maybe even use conjunctions of the two if you have a higher-risk item you're trying to protect. I'm going to think about our discussion today in terms of consumer identity management systems. So I think even anecdotally, we can say pretty safely that we're all tired of using passwords.
And there's a lot of people who are eager to try biometrics as a way to authenticate without having to create more accounts, passwords, and things like that. But I think you guys, Andrew and Jeff, have pointed out, you made an interesting statement about it's a physical thing for physical access.
What, how do you address, let's say, you know, consumer identity management systems, people who want to use biometrics as a way to get into that? Can I go for that? One of the key drivers in our business at the moment arises from the fortuitous fact that the government now provides most people with a notarized root source of identity, which has one available biometric on it.
So in most parts of the world now the government issues photo ID, which is generally relied upon. In Europe it's identity cards; in the United States, you can't take a plane now without, or from April 2018 you won't be able to take a plane without having a trusted driving license, which therefore de facto effectively becomes an identity card. In the UK, generally speaking, people are using their driving licenses, which are photo ID, even though that's a fairly low-integrity device.
And what we're seeing is that there are a large number of instances in which a consumer identity management system has to be fed through a KYC system. That is, there is a legal obligation for whoever is building that consumer identity management system to actually have actively checked the real physical identity of that person. And what we are able to do.
One of our leading products involves reading the identity card, but in a non-taboo way, normally contactless, through the Android NFC reader; you can pull information off a passport or an eID card and get the information in there, certain that no one's had some fun with Photoshop. And then we authenticate the person against their own ID document. And that's very important.
They have to be able to do that in an unsupervised environment using standard hardware, because you cannot rely upon millions of people having gone out and bought special hardware in order to authenticate themselves. This is a critical requirement at this moment for online purchases, for online onboarding of bank accounts and other financial relationships that require KYC. The failure rate is north of 70% when it gets to the onboarding phase. So everything's fine. You've spent your money. You've paid the affiliates' fees. The person's gone all the way through the buying process.
It's all great. They get to the KYC process, which is really entry into your customer identity management system, and 70% fall away. So your money has been completely wasted and your business growth is stunted. This ability to authenticate remote users biometrically against a trusted source identity, a photo ID card, or in certain parts of the world online databases, is a game changer.
And a fundamental part of that is the non-reliance on hardware. But I think, as Jeff says, where you've got the ability to install specialist hardware, then for goodness' sake, do it, because it's a great deal easier to do cool things if you've got control over the hardware, as Apple did, than when you don't have control over the hardware, as we've found solutions for and have had to work quite hard to do so.
Yes, some things that I wanted to, basically, comment back on what you said in terms of: is it better to have a system with the server or having something free on the IC? Even if you have something on a server, we'll see, I would say, along the years what is going to be the best solution.
Cause I would say we are really at the very beginning of biometry, but indeed this is very important as well: inside the device, you are getting the proper minimal security, because obviously if you cannot basically trust the source of information that you are getting in, whatever you're going to do, the matching locally or on the server side, this is really critical that we get a safe source of information where the information is going to be upgraded. So this is definitely something that needs to be paid attention to in any implementation.
And of course, if you can get solutions which are going to be hardware based, as requested, expressed before, and what we're focusing on at GlobalPlatform, whatever, using technologies such as secure element or trusted execution environment, this is really fundamental, I would say, this is today.
What is, I would say, the most common implementation that you're going to find, for instance, in smartphones, is that yes, there is a trusted execution environment which is going to be used in order to get a secure connection to whatever sensors, to be able to do the matching directly in this environment, but making sure that yes, non-trusted software, for instance running on the side, is not going basically either to be able to inject data or this type of thing. So definitely having the security on the devices already.
One of the pieces which is fine for biometric systems. Remember how I told you that we had a lot of people loving the use of a gesture biometric. I forgot to add one more point. I'm offering you $500 today, because if you can go to our website, you'll see we have a web-based contest. And basically we encourage you to go and try, maybe some Christmas money, but basically what it shows is that it's mom, and it's basically two letters, and we encourage you to go and try and spoof it.
I think at this point the contest has been running about three years and nobody's been able to do so after about 15,000 attempts at it. But just think of it, you know, as you write something like this, you can start this way, you can have four strokes, you can have one stroke, you can start in the middle. Just think of all the different permutations you can have as you create your unique sort of signature with that.
I wanted to just talk a little bit about, you know, as we branch into the IoT side of things, it's going to be very difficult, and I call it the trust factor: you have to trust your machine, in this case it might be your phone. And at the same time, let's just think that it's a living, breathing entity. It's gotta trust you. So how does that work? So you've gotta make sure that you are having the right kind of access to your cell phone, because you're gonna trust it with all of your data. That's gonna access your garage door, your whatever else in your life it's gonna help manage for you.
And you just don't wanna let that be given up to somebody who can manage you in that regard. On the other hand, you wanna be able to make sure that, you know, your machine, your phone, has got the right stuff inside. So there's a couple of ways that's gonna happen, that it is happening already. We have basically a direct route, which is your phone will be tokenized and contain certain codes, so that you can imagine a use case would be you go to your hospital in the morning and you sign in so that you have an attendance, and then you get a QR code or other onto your cell phone.
And this allows you access to all of the different things that you have access to throughout the day. And you have time limits and so forth. That's just sort of the direct route.
The indirect route is sort of like using your phone as a conduit, to Andrew's point. You know, you don't have to have everything on the phone. It can be a conduit for that. We, like him, also have a system where you have an ID check; it's ID proofing and verification. How do you know whether that document is really a valid document or not? There's a lot of Photoshopping going on. So we have a way where you just use your phone and you take a front and back of your government-issued ID.
And if that's a match, then you move to a selfie, and your selfie then compares that photo ID to your new selfie. And if that's a match, then basically you move to verify your biometric signature, in our case, and you then are granted access. So I thought I'd just entertain that and open that up. Okay. I did want to point out, in thinking about the phone as a mobile authentication platform, including biometrics, there are two major approaches that you can take to doing authentication with it. And it sounds to me as if Jeff and Andrew's approaches are server based.
There's a standards body called FIDO, which stands for Fast Identity Online, and they are writing standards for mobile authentication, but it's device based. So that would be when you enroll your initial biometric sample, it's pretty much localized to the phone itself. So every time you do, let's say, a fingerprint to try to authenticate, it's matching that; it sends a standardized signal back to the relying party server saying, okay, he's successfully authenticated on this device.
But the other way is to send the sample, the real-time sample, back to match the originally enrolled sample on the server each time. So there are some pluses and minuses to both approaches. And since we've got someone here that is doing the server side, why don't you talk a little bit about that?
So our product line basically covers off both sides. We're both cloud based, and we look upon that from the client bases that we have right now, and there's a perception that it's a lot more scalable, and that's what a lot of our clients are looking at. Not everybody trusts the cloud.
And thus we created a server-based product as well, where everything is resident on your device. And so, you know, as you go in and you try to get into a Windows PC in the morning, and you're trying to use a password, well, it's augmented by, you know, how you're signing in as well. And everything then is stored on the device locally. So I think it's all about choices.
I keep coming back to that as we go through with the use of biometrics. John, your work earlier yesterday showed that 66% of all people out there, consumers, want to have a biometric to help navigate through the jungle out there, in terms of everybody's scared. Everybody's scared enough to pitch $10 or $12, at least in the United States, for credit card monitoring. And it's a huge three, four billion business. And people are looking to biometrics as a way out of that.
So the device debate is actually really interesting. What was interesting was that when the European Banking Authority went out to consult on the regulatory technical standard for PSD2, they said, please make us proposals for how we can come up with two factors that are generally independent. And don't talk to us about two different ways of verifying that you own a phone, because all you've done is just proved one factor twice, which is not very interesting.
So device-based biometrics have their place as a way of providing some degree of confidence that you are in possession of the phone, but they're not... And there are really two reasons. One is we mustn't confuse the evidence that a phone says, oh yeah, yeah, yeah, John is here.
But what you're being told this by is a phone, with authentication of the fact that John is actually there. These are two very different things. And device-based biometrics don't biometrically authenticate you to the service. They biometrically authenticate you to the phone. And then the phone takes over and says yes, and it's the phone that gives you the attestation. So it's not really a biometric test of the user at all. The other issue, and I had a stand-up row many years ago with the founder of FIDO about this.
And I talk a lot to the FIDO people and we politely and respectfully agree to disagree on this. The FIDO standard is based upon the fact that your biometric is a really, really, really important secret, which must not be allowed under any circumstances to ever be revealed to anybody. And therefore the most important thing is that you keep it secret. And in order to keep it secret, you have to then run it on the device.
And if that means that you've exposed your genuineness test, that you put your genuineness test on the device for the attackers to have fun with until they've broken it, and can then break it as often as they like without you even seeing it, that's a price worth paying. My opinion, as you have guessed, is that they've managed to get that completely upside down. They've compromised the critical security element, which is the genuineness test, in order to keep secret something that is already public.
Now, to me, that makes no sense. It's much more relevant when you're dealing with less public biometrics, like fingerprints, which have to be processed locally, pretty much. So I have a lot of respect for what FIDO have done and their security certification program that they're doing. It makes sense when you've got very special hardware and biometrics that maybe are not very public. It makes absolutely no sense at all, and in fact it's positively destructive, when you're dealing with faces. I also have a concern.
Look, I came from, I was formerly the chairman of the world's largest mobile payments business. About 10 years ago, we were doing jolly well. And then some people just hacked the system and millions of people lost money overnight. It's very unpleasant. I ended up on television. Mr.
Bud, they said, are you complicit or just recklessly incompetent in this matter? You know, people underestimate how smart and determined attackers are going to be when there's a lot of money to be taken. If it's just having a bit of fun and just proving that they're idiots, that's one thing. But when you can make 10, 50 million out of a hack, you're dealing with very smart people who will do very smart things, very persistently, and therefore putting in place measures which sort of look like they work.
But actually, you know how they're going to be broken, means that if there's a scalable way for them to be exploited, they will be broken. And the guy who was on the back end of that will end up on television being asked the same question, and that's actually been a driving force for us. The reason that we've put everything in the server is because that's the only way that we could think of to actually make it durably, sustainably safe.
Now, I had a big disagreement with a senior executive of Samsung on a panel a little while ago, and they've obviously done some fantastic work, but he couldn't deny the fact that there was on YouTube a video showing how his system had been broken. And once you've stopped believing in fairies, you can't ever start believing in them.
Again, nobody can ever claim that an authentication coming from a Samsung S8 to a cloud was unequivocally and orderly originating with the user. It probably did. It might have done, but there's a video that shows how it could have not been done.
And, you know, once you've stopped believing in fairies, you can't ever stop. The other problem as well is it's device based. So if you switch your phone, you've gotta re-enroll; you've got the friction to transition over, and also where you've got multiple devices too. So I've got a phone, a tablet and a laptop; I've got to enroll three times. And I change the device and then move around, so I've been enrolled three times, and it just becomes a bit more of an additional step and additional friction.
So in terms of usability, I think one of the motivators for wanting to use biometrics in conjunction with consumer identity systems is to improve that usability. And it may not be so much of a fear factor; it's simply to get rid of the passwords. What do you see coming down the pike in terms of other developments in the mobile biometrics area that may improve usability?
So I think what we're seeing a lot of is using the biometrics as the identification, but also using properties of the device, the risk-based scoring, the geolocation, actually how you... the behavioral analytics of the phone. The concern with that, people see it as creepy: this device is tracking everything I'm doing. It knows I'm in Paris. It knows I was in London on Monday. It knows what I had for lunch. You can tell if the grease on the screen or whatever is a burger, and it's kind of, that's neat.
So it's kind of, if I'd had a salmon, it's suspicious. So tying that in as well, and using the additional factors the phone can bring with it, to complement the initial authentication. And just to add on to that, real life.
Last week, we presented to one of our clients a cheating ring. We do a lot of work in higher education, and in higher education in the US it's mandated that they need to know who the students are who are taking the courses, because they're giving them financial student aid and they're conferring degrees, and they have no idea who's doing the work. And it's a huge underground economy, that people are paying other people to do their work, get their degrees for them.
So last week we presented, using, as Paul was saying, some of the information in terms of geolocation, and we found a ring of 45 cheating students who were using our system and were obviously cheating. And we could prove it to them in terms of geolocation, in terms of patterns, you know, someone who has been going in and verifying their identity in five seconds for the last three weeks, and all of a sudden it's taken them two minutes and they're asking for a password reset, and they're coming in from California one day and Maine the next day. Physically impossible.
So a lot of these things are going to be add-ons to the use of biometrics. And I think that is what John is looking for, and there's no end to that. There are some companies out there that are looking at little bits of data that are going to be accretive in some fashion to understanding patterns of behavior. And these are things that, again, are features that we will be getting better and better at, after we get consent, right. I wanted to say, you know, we've got a very, very small subset of all the different authenticator makers out there in the world today.
And that makes it such that we live in interesting times. There are literally hundreds of small companies making different kinds of authenticators. And Jeff, I think it's interesting that you say, you know, and Paul too, about the behavioral aspect. I do hear more from the vendors who are beginning to make more and more use of the behavioral aspect to do the risk analysis, because there is an obvious tie-in to PSD2, the transactional risk analysis that must be performed per transaction.
So the same information that you can glean from a device in ordinary use could be used in those kinds of situations too. From my perspective, what I can add as well is that, yeah, in the balance between security and user experience, for me, the biometric is really focusing on the user experience, and then the security is what really matters, is that, yeah, something which is going to be easy for the user. There might be as well different use cases, because sometimes you want to have a specific user consent.
So you need to make sure that whatever biometric thing that you're going to use, you can make sure that basically, yes, there is a user consent to a specific action. So this is for some type of use cases. Some other cases, this is more a long-term type of thing: you want to unlock a use case or things, but you don't necessarily need a user consent. So what is really important first is definitely the user experience.
And yes, today there are big live trials of different things, like switching from fingerprint to face aspects. So yes, we will see over time what is going to win, but what is very important is first user experience. And then if you want to increase in terms of security, obviously yes, you are going to need multiple-factor authentication. It could be multiple biometrics that you are going to combine, like you said, with other types of aspects, but yes, really, if you want to get very strong, you need to go back to the multifactor, and yeah.
You can use the biometric as one of the factors. Yeah.
I agree. I'll just give you one specific. We recently won a major contract with a large international organization against a very large and reputable competitor, much more established than us, on the simple basis that in large-scale trials, it took customers less than 1.1 attempts to successfully authenticate with us, whereas against this great competitor, it took 2.6. And that was enough.
The reason that one uses biometrics is fundamentally because it makes security usable. That is why we don't use biometrics 'cause it's fun technology. We use it because it's usable. That's why I'm a fan of face recognition.
You know, you look at your device, it looks back at you. It doesn't get easier than that.
So then, from the back of that, is a responsibility to make it secure against very high levels of threat. And the nice thing about behavioral solutions is how difficult they are to forge. And one has to... I thought what Jeff said about looking at the behavioral aspects of location was very strong. People often say, well, of course, you know, we check device signature and we check the location of the device. And at the beginning of IP, we used to do that as well, until my guys said, what device would you like this to be?
Here's an open source program. We can make this device look like anything you want. Just tell us.
And we'll resemble somebody else's. It was trivial. Similarly with location, you can make a malign device be anywhere that you want. So these are tests that catch idiots, but they're not real defenses against somebody serious, because their mode of operation is extremely obvious. And when the mode of operation of a technology is obvious, it becomes very easy to forge. The nice thing about behavioral things is that they are highly non-obvious algorithms.
The attacker can't see what they're doing, and therefore it becomes very difficult to forge, and that makes them very much more secure than anything which is visibly deterministic to the attacker. But whenever I hear people say, well, we use device signatures, we check whether the device has been rooted, we look at the location, my guys can forge that in an instant. What's the point in defending?
I mean, it's a useful thing to do to defend against idiots, but it doesn't actually enhance your real security against the real attackers who are gonna bring you down. One last question, specifically for Christo, on GlobalPlatform and SE and TEE. Again, I think there are many, many different authenticator types out there, and for the biometrics and mobile phone combination, I think it's really important to pursue those in a secure way, by making sure you develop it on the secure element and TEE. What are the, any new developments in that area?
Could you give us a real short update on what's going on with SE and TEE? No, definitely. Biometrics is something that the GlobalPlatform organization is investing in. Because yes, like we have discussed, basically whatever you want to do, some matching basically on the device or outside of the device, we need to make sure that the initial source of information, whether it's a device ID or basic biometric information, needs to be really trusted information.
So what GlobalPlatform is doing in particular is investing in some certification program, and we're working as well with other organizations, such as FIDO, that's not the only one, but making sure that indeed whatever is implemented in the device is going to reach a certain level of security, in order that any frameworks which are going to rely on that will be able to rely on the specific security level on the device.
And we know that the devices are doing better and better in order to implement security, in order to protect, and that you can trust basically a source of information coming from the device. Okay. Any questions from the audience? I can yell. For the facial recognition, do you have to have your eyes open? That's a really good question. The technology, the deep learning face match, actually doesn't require you to have your eyes open.
And at first we were quite happy to authenticate you with your eyes closed, but there's a problem there, that you can authenticate people who are asleep or dead. Exactly. So we've actually added in a requirement that people have their eyes open, for exactly that reason. Significant.
I mean, that really is true liveness detection. Messages for you. We actually often do get asked about whether dead people who've been decapitated can be used. And we've said, if you give us a statistically significant example of several heads, we'll answer. Actually, I have a follow-up question to that. Yeah. I don't think so. Yeah.
So, curious about the eyes-open requirement, because I've seen face detection systems in the past that have been trained on, you know, white people's faces and stuff like that, fail to detect eyes open of Asian people. So how racist is your system? That's a very good question. The answer is that the dynamics of deep learning face matching is completely different to the dynamics of legacy systems, which are geometry based. The great thing is that until last year, our system was racist.
It thought all Asian people looked the same, very much as my children did when they were little. And when we realized there was this weakness, we then trained it on very, very large image sets of Asian people. And it's now extremely non-racist; it's now very, very accurate at distinguishing between individual Asian people. It's a serious point.
And in fact, we've had to go through a series of racial groups and make sure that we had trained the deep learning classifier on a large enough data set of different races, to make sure that we haven't inadvertently built in a blind spot that is both unacceptable from a user point of view and also socially unacceptable. Okay.
Well, thank you. No, she's gonna be on a panel. So just come on, we'll trade places.