March 2014 - Biometric Technology Today - Token-less Tech Byline
March 2014 Biometric Technology Today
feature
ning, remember that it is ‘social’ media, not just
a pulpit for company announcements.”
• Jason Hodge (SecurLinx): “Just do it. The
conversation going on out there will con-
tinue with or without your participation
and that conversation is important to the
future of your business. While social media is
useful for communicating an organization’s
value proposition to the world, it can also
have some unforeseen positive effects inside
a company. It sparks conversations between
people in sales and marketing and research
and development. It instils discipline in con-
tinuously re-evaluating market conditions
and added to our corporate intelligence.”
• Terri Hartmann (Unisys): “There are a lot
of important conversations going on in social
media, and it’s changing the way people con-
sume content and do research. So if you aren’t
active on social media, you should be. Only
first make sure you understand the environment.
Also, you have to have buy-in from the
leaders of your company, and there have to be
thoughtful guidelines and policies governing
what content should be shared. Third, don’t
try to be all things to all people. Target your
audience, and understand your goals. Finally,
be patient. It takes time to succeed. So as you’re
beginning your journey, establish smaller, incre-
mental goals and try to achieve those first.”
• Amer Al Mahri (UAE Emirates ID): “Social
media is becoming an increasingly important
part of any business’s marketing and client
base development platform. It has become
a must for any business seeking to secure
a place in the digital marketplace. We use
social media to build a dedicated, loyal cus-
tomer base by offering the personal touch
that only a local business can provide.”
Conclusion
Social media has exploded into the mainstream
with a purpose and unique identity for just
about every industry on the planet.
Interest in biometric technology has seen
unprecedented growth in the past five years
as more governments and businesses explore
the opportunities that the technology offers to
help establish secure identities. Biometrics has a
reputation of being misunderstood, fraught with
rumours and unsubstantiated claims on how
it truly works. The time has never been riper
for companies operating within the biometrics
industry to influence the discussion and help
educate the masses that still remain uninformed
on the value of the technology.
The time to experiment with social media
is now.
About the author
John Trader is the director of communications for
M2SYS Technology, a global industry leader in
biometric identity management technology. He has
public relations and marketing experience working
in the financial, publishing, non-profit, entertain-
ment, sales training, and technology sectors.
Token or no token: bringing sanity and order to identity assertion
Hector Hoyos
Back in 2010, the Bank of America
Headquarters in Charlotte, North Carolina,
deployed a completely iris-based access con-
trol system. It was based on the HBOX and
EyeLock, two original proprietary technology
products from Global Rainmakers, Inc, now
known as EyeLock Corp.
It was a true sight of beauty to see thousands
upon thousands of Bank of America team mem-
bers gain entry to their workplaces all around
the city of Charlotte with nothing more than a
glance of their irises. No tokens or access cards
of any kind were used. It took nearly three years
to achieve such a milestone. That deployment in
the summer of 2010 ultimately reshaped the face
of the access control and biometrics industries.
Today, however, much like the setback that
general aviation suffered when the Concorde
was removed from service, it appears that both
industries have forgotten the lessons that every-
one had learned from that BAC deployment.
Hector Hoyos, Hoyos ID
It is said that the definition of insanity is doing the same thing over and over
again, expecting a different result every time. Reviewing the development of
the biometrics and IT fields over the past three decades, it would seem that this
is the direction into which the identity assertion industry is headed – into the
realm of insanity – and there’s much to be done to reverse that fate.
Convenience
One word defines all of those lessons: conveni-
ence. Back then, that was the single paradigm
that drove the success of that deployment and
every other successful deployment across the
world. Would you rather not have to carry
around an access card and just use your iris
biometrics if you knew that it would be just as
safe as using your access card?
Interestingly, a good portion of the folks at BAC
initially did not accept the iris system, voicing
concerns over privacy and data security. All of their
concerns, though, were quelled upon seeing their
co-workers waltz into the building right through
the access points, without having to dig into their
wallets or purses to pull out an access card.
An employee at the bank headquarters was
holding a cup of coffee in her left hand and bag
and coat in her right hand and had files tucked
under her right arm. What did she think of the
iris-gate? Her response was that it was as ‘con-
venient as a fast food drive-through’. After all
of the years of R&D and the tens of millions of
dollars invested and after all of the science and
technology innovation that had been accom-
plished it was best summed up from a real
world user and her 20-second experience. What
the user wants, recognizes, cares about and
remembers is the ultimate convenience.
Identity authentication
landscape
Fast-forward three years, to a Forbes article
about Google [1]. At this point, Google is proposing
a two-factor authentication system (2FA)
using a username and PIN, plus a YubiKey token
that connects to the USB port of a computer.
It seemed that we had gone back in time.
Google is a member of the FIDO (Fast Identity
Online) Alliance, which supports biometrics
in combination with a similar token. Yet, had
it now changed its mind and decided to drop
biometrics completely?
The proposition of the FIDO Alliance,
which requires carrying a physical token to
identify oneself, would seem to be inherently
flawed. Many have predicted that at some point
in the near future, we would have to drop
usernames, passwords and PINs, and all of these
would be replaced with biometrics on smartphones.
The main reason for the adoption of
smartphones as the biometrics acquisition tool
is their convenience for users. A smartphone is
something that we always carry around.
Many folks over the years in both the private
and public sectors discounted this vision of a
world in which all identities would be asserted
by means of our biometrics, simply stating that
passwords would never go away.
Microsoft, like Google, had also joined the
FIDO Alliance; yet, FIDO’s standard identity
authentication protocol requires the use of a
YubiKey token. So, is the solution to use, or not
use, a token for security purposes? Is Microsoft
going against its own study, because it doesn’t
believe in the results, or has the company lost
faith in biometrics at a time when the over-
whelming majority of consumers are clamour-
ing for biometrics to replace usernames and
passwords?
Today, studies from Ericsson, PayPal, IBM,
Microsoft and the Ponemon Institute all reflect
this sentiment. According to Ericsson’s study
entitled The 10 Hot Consumer Trends of
2013 [2], 52% of smartphone users want to use
fingerprints instead of passwords, 61% want to
use fingerprints to unlock phones and 48% are
interested in using eye recognition.
Another study by PayPal [3] shows that consumers
‘are OK’ with biometrics and that 53%
of those surveyed are comfortable replacing
passwords with fingerprints, and 45% would
opt for a retinal (iris) scan.
What’s more, IBM Fellow and Speech CTO
David Nahamoo said that over the next five
years, people’s unique biological identity and
biometric data – including facial definitions,
iris scans, voice files and even DNA – will
become the key to safeguarding personal iden-
tity and information to replace the current user
ID and password system.
Microsoft Research funded another study
entitled ‘The Quest to Replace Passwords: A
Framework for Comparative Evaluation of Web
Authentication Schemes’ [4], and one of its main
conclusions is that the replacement for pass-
words should conform to the following criteria:
it should be easy to carry, efficient to use and
have easy recovery from loss. It even goes as far
as to say that these criteria are achieved mostly
by biometric schemes and that tokens are not
enough to achieve this.
The future of the industry
What makes a company and product successful
is the adoption and continued support by con-
sumers of their offerings. Again, consumers are
focused on convenience; of course, they want to
be secure but surprisingly not at the cost of their
convenience. Any proposed scheme by any com-
pany or alliance that intends to go against the
grain of consumers in this sense will fail.
HoyosID uses smartphones as the biometrics
acquisition device through an app that
runs on iPhones and Android phones. Instead of
using usernames and passwords, users can log in
with biometrics. Users click on a webpage’s log-in,
which awakens the HoyosID app on their
smartphone. After acquiring iris biometrics, the
app logs in the user, and if someone other than
the authorized user tries to access the phone’s
information, the HoyosID intrusion detection
system blocks the attempt.
For a user to be hacked, someone must first
appropriate the smartphone and then attempt to
hack it; the HoyosID architecture forces hackers
to attempt hacking one user at a time. Gone will
be the days of massive attacks that affect
multitudes of consumers from a single breach.
Success factors
The key elements that differentiate this tech-
nology, and any other biometrics-based product
that will be successful in the future, are:
• Anti-spoofing measures – “Spoofing” means
passing an authentication on a digital system
using a false credential that seems to be a valid
credential of an actual user registered in the
system, such as a high-resolution photograph of
a person. These measures will include liveness
detection countermeasures, which is how mobile
applications tell a live person from a
decoy image. They will prevent replay attacks,
which is when someone attempts to “inject”
a recording of you into the system as someone
else. And they will implement back-end
encryption, using two-way SSL to connect
to the server, which uses an intrusion detection
system (IDS) and proprietary algorithms for
encryption. The IDS identifies the attempts to
replicate, along with a timestamp, and blacklists
the offending devices quickly and permanently.
• Biometrics Open Protocol Standard (BOPS)
– This is an open-source API that enables
the integration into HoyosID of any third-
party biometrics solution in the market
(such as if you want to use fingerprints
through the iPhone 5S or iris identifica-
tion with the Samsung, when available).
The BOPS enables the interconnection of
any device that opens, closes and turns on
or off to be controlled with any biometrics
device(s) that communicates through it.
• Data storing – It is key that there are no
biometrics stored anywhere, except in the
smartphone, in an encrypted mode. When
the SSL private key is generated, it needs
to be done by the server and not by the
device, and not stored anywhere since its
lifetime is limited to a few seconds. The
back-end will then detect the real user from
someone who tries to impersonate you
over the network. HoyosID, for example,
currently runs on Amazon Web Services,
which uses proven cryptographic methods
to secure its infrastructure.
To date, biometrics haven’t become as wide-
spread as they will be in the future, because tech-
nology hasn’t been advanced enough to eliminate
spoofing efforts (for example, the iPhone 5S and
its fingerprint technology were hacked less than
48 hours [5] after its release). Additionally, using
biometrics with various technologies has never
been convenient or easy to use, and up until
now, people have always been required to have
additional hardware or tokens to secure material.
With iris and periocular biometrics, people
can perform many different tasks on their
smartphones, including the ability to make
financial transactions quickly, seamlessly and
securely. Periocular biometrics is a subset of
facial biometrics; the core information in the
face comes from the periocular, or suborbital,
eye area. Unlike voice recognition or finger-
prints, periocular biometrics can be subject to
liveness detection through a series of propri-
etary computer vision techniques. Voice, on
the other hand, can be affected by background
noise and is easily spoofed like fingerprints.
It’s important to note, though, that biometrics
are only as good as their back-end – as standalone
hardware, they won’t get us very far –
which is why it is critical to have an end-to-end
solution. The future of identity assertion is in
biometrics, and if the biometrics and smartphone
sectors keep this in mind in the years
to come, we can steer away from the realm of
insanity and move forward on the path of tech-
nological progress.
Conclusion
During Christmas 2013, 40m people in the
US had their credit card numbers stolen from
Target stores. It is clearer than ever that user-
names and passwords are not the only prob-
lem: we need a more secure infrastructure as a
whole. It is time to replace all usernames, pass-
words, PIN numbers and credit card numbers
with biometrics.
References
1 Diallo, A. ‘Google Wants To Make Your Passwords Obsolete’. http://www.forbes.com/sites/amadoudiallo/2013/11/30/google-wants-to-make-your-passwords-obsolete/. November 2013. Accessed March 2014.
2 ‘10 hot consumer trends’. Ericsson. 2012. http://www.ericsson.com/res/docs/2012/consumerlab/10-hot-consumer-trends-2013.pdf. Accessed March 2014.
3 Tsukayama, H. ‘PayPal study finds consumers okay with biometrics’. Washington Post. http://www.washingtonpost.com/business/technology/paypal-study-finds-consumers-okay-with-biometrics/2013/10/09/54eb5132-3095-11e3-9ccc-2252bdb14df5_story.html. October 2013. Accessed March 2014.
4 Bonneau, J, Herley, C, van Oorschot, PC, and Stajano, F. ‘The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes’. http://research.microsoft.com/apps/pubs/?id=161585. May 2012. Accessed March 2014.
5 Chang, JM. ‘iPhone 5S Fingerprint Sensor Fooled by German Hacker Group’. http://abcnews.go.com/Technology/iphone-5s-touch-id-hacked-star-bug/story?id=20344234. September 2013. Accessed March 2014.
About the author
Hector Hoyos has been in the biometrics and IT
fields since the mid-1980s as the founder and presi-
dent of various biometric companies. He co-founded
and presided over Biometrics Imagineering Inc,
creating fingerprint identification systems and inter-
active financial transaction systems. He also helped
incubate the Praetorian technology, a real-time
video surveillance technology, which, in February
2008, was awarded a training/video surveillance
contract by the US Marine Corps. Additionally,
Hoyos served as the founder and CEO of EyeLock
Inc., an iris-based identity authentication company,
previously named Global Rainmakers (GRI). He
also invented the HBOX, EyeSwipe and EyeLock
iris biometrics-based access control family of prod-
ucts. Currently, he manages a digital infrastructure
security company, Hoyos Labs, with a biometrics
R&D lab located at the Cambridge Innovation
Center on MIT’s campus.
HoyosID is an identity assertion platform—an
end-to-end solution that will serve as a replace-
ment for all usernames, passwords, log-ins and
IDs. On its front end, HoyosID is an app that can
be downloaded to any Android or Apple smart-
phone. Using various biometrics, including perio-
cular, iris and facial, as well as a liveness detector
that distinguishes living people from photographs
or videos, and pattern matching, the app will
verify that a person attempting to log-on to a sys-
tem or complete a transaction is, in fact, the true
identity. The back-end of the system will match
the image to unlock data and conduct transactions
from one’s computer. The HoyosID identity asser-
tion platform is ‘biometric-agnostic’, meaning that
it can plug in and use any other company’s propri-
etary biometrics solution in the front-end device.