The Limitations of FIDO and PKI: Should Enterprises Outsource Biometric Verification to Devices?
The recent announcement from Mastercard that it is providing a biometric verification service for logging into apps or websites to “replace the password with the person” appears to be an attempt to federate banks’ and other organizations’ authentication solutions for the benefit of Mastercard.
The weaknesses of passwords and other knowledge-based authentication solutions have long been recognized, as has the vulnerability of SMS-based one-time passcodes. Authentication based on the person rather than mere knowledge or possession of something (i.e., true Identity Assurance) has been ValidSoft’s mantra for years. Many organizations have, of course, introduced biometrics of various modalities for these very reasons.
Biometric Verification: Control Issues in Outsourced Models
The difference between those organizations and Mastercard’s proposal is that the organizations themselves are in control of the biometric authentication solution and processes, rather than it being effectively outsourced to a handset or device manufacturer. Under the proposed model, the financial services institution or other enterprise never sees the biometric authentication take place or receives its associated (probability) score; it receives just a public key and a signature made with the corresponding private key. For many organizations, relying on handsets and mobile operating systems never being compromised is not an option. They will want to see that the biometric authentication actually occurred.
Limitations of Federated Authentication and Device-Dependent Biometrics
The other issue with this federated authentication approach is that it is limited in functionality and restrictive for omnichannel organizations. Only face and fingerprint are supported because that is what the handset manufacturers presently provide (largely because those modalities offer a convenient balance between the physical security and the usability of a physical device).
However, some of the most common use cases for biometrics are voice-based authentication in contact centers, on IVRs and IVAs, and, increasingly, with generative AI-based chatbot agents. In fact, with the advent of intelligent assistants and voice-activated commands, it is voice that is becoming the dominant user interface, and with it voice biometrics is becoming a crucial biometric modality. Voice is already the only biometric modality that is truly omnichannel. You cannot feasibly authenticate yourself passively on a telephone call with a contact center agent in any other way.
Continuous Authentication: Beyond Point-in-Time Verification
A further restriction with PKI-based authentication, whether or not it is protected by a biometric at the point of key use, is that it is a point-in-time authentication: the relying party learns only that a signature was produced at login, not that the same person is still present later in the session. Once again, with voice increasingly being used as an easy user interface, and given that all browsers support audio acquisition, continuous authentication is possible, which offers the ability to know that the person who logged in is the same person making a payment.
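To make concrete what the two preceding sections describe (the relying party holding only a public key, and authentication being a single point-in-time signature), the following is an added, simplified model of a WebAuthn/FIDO-style registration and assertion flow. It is illustrative code written for this article, not Mastercard's, FIDO's or ValidSoft's implementation; the 37-byte authenticator-data layout and the UP/UV flag bits follow the WebAuthn specification, while the client data is reduced to the raw challenge, the biometric match is simulated by a boolean plus a constructed score, and the names `Authenticator`, `Assert` and `VerifyAssertion` are assumptions of this example. The point to observe is the `VerifyAssertion` side: the enterprise can check the signature, the RP ID binding, the challenge and the UV flag bit, but the match score never leaves the device and nothing in the assertion covers anything after the moment of signing.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bits carried in WebAuthn authenticator data (values as in the spec).
const (
	flagUserPresent  byte = 0x01
	flagUserVerified byte = 0x04
)

// Authenticator models the device side. The biometric template, the local
// match score and the private key all live here and never leave it.
type Authenticator struct {
	priv      *ecdsa.PrivateKey
	rpIDHash  [32]byte
	signCount uint32
	lastScore float64 // constructed: the device's own match score, never exported
}

// Assertion is the complete set of bytes the relying party receives at login.
type Assertion struct {
	AuthData  []byte // rpIdHash (32) || flags (1) || signCount (4)
	Signature []byte // ECDSA over SHA-256(AuthData || SHA-256(clientData))
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, rpIDHash: sha256.Sum256([]byte(rpID))}, nil
}

// Register hands the relying party the only artefact it will ever hold: a public key.
func (a *Authenticator) Register() *ecdsa.PublicKey { return &a.priv.PublicKey }

// NewChallenge is the relying party's fresh random challenge for one login.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Assert runs (simulated) local user verification and, if it passes, signs the
// challenge once. The score stays on the device; it is not part of the assertion.
func (a *Authenticator) Assert(challenge []byte, matched bool, score float64) (*Assertion, error) {
	if !matched {
		return nil, errors.New("local user verification failed; no assertion produced")
	}
	a.lastScore = score
	a.signCount++
	authData := append([]byte{}, a.rpIDHash[:]...)
	authData = append(authData, flagUserPresent|flagUserVerified)
	var counter [4]byte
	binary.BigEndian.PutUint32(counter[:], a.signCount)
	authData = append(authData, counter[:]...)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, Signature: sig}, nil
}

// signedDigest mirrors the WebAuthn signing input SHA-256(authData || SHA-256(clientData)),
// with client data reduced to the raw challenge for brevity.
func signedDigest(authData, challenge []byte) []byte {
	clientDataHash := sha256.Sum256(challenge)
	d := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash[:]...))
	return d[:]
}

// VerifyAssertion is everything the relying party can check: the signature against the
// stored public key, the RP ID binding, the challenge it issued, and the UV flag bit.
// It learns that the device claims user verification, not how close the match was.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID string, challenge []byte, as *Assertion) (bool, error) {
	if len(as.AuthData) != 37 {
		return false, errors.New("unexpected authData length")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthData[:32], want[:]) {
		return false, errors.New("rpIdHash does not match this relying party")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, challenge), as.Signature) {
		return false, errors.New("signature invalid for this challenge")
	}
	return as.AuthData[32]&flagUserVerified != 0, nil
}

func main() {
	dev, _ := NewAuthenticator("bank.example")
	pub := dev.Register() // all the relying party stores at enrolment
	ch := NewChallenge()
	as, _ := dev.Assert(ch, true, 0.97) // 0.97 is a constructed local match score
	uv, err := VerifyAssertion(pub, "bank.example", ch, as)
	fmt.Printf("user-verified flag=%v err=%v\n", uv, err)
}
```

Running it shows the relying party receiving a 37-byte authenticator-data record plus a signature and nothing else: a single bit says the device claims user verification, and a later replay of the same assertion against a new challenge fails, which is exactly why a session-long claim of identity cannot be derived from this one exchange.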
The Need for Omni-Channel, Centralized Biometric Solutions
Organizations looking for truly omnichannel authentication solutions that can be used on all customer-facing channels, in a variety of modes, need flexible centralized biometric solutions that can be deployed as a single solution across their customer populations, whether they use their smartphone functionality or not. A solution that can be used actively or passively, from any device, anywhere in the world is the preferred method of true Identity Assurance.
Finally, we would ask the question: should any institution, enterprise, or government organization outsource or federate its authentication/identity assurance function? In light of the published global data breach statistics for 2023 (2,813 reported major incidents and 8,214,886,660 corresponding breached records), we believe that the answer is a firm “NO”! Organizations MUST take back control of this most critical function, in-house, and the reputation of any entity should never be dependent on an outsourced function or a federated model/device. The numbers, and the threat, speak volumes!