Mira LaCous, Chief Technology Officer (CTO) of the biometrics-led identity access management provider, BIO-key International, talks to Security magazine about current trends in biometric security.
Security: What is your background and current role?
LaCous: I received a bachelor’s degree in Computer Science with Math and Physics in 1984. While working on my master’s degree, I became Director of Programming at a voice response company, and began my leadership roles in software/hardware integrations. I moved through building automation, scanning systems and other areas towards biometrics. My current role is Chief Technology Officer with BIO-key International, Inc., and I recently celebrated my 21st year with the company.
Security: Could you discuss some of the trends you’ve been observing in biometrics?
LaCous: In my 21 years as a leader in biometrics I have seen the industry shift a few times. Biometrics really started around law enforcement requirements, and it began to be adopted in commercial markets in the early 1990s. While law enforcement is focused on building a list of ‘suspects’ for detectives to determine the right match, commercial biometrics need to authenticate a user with exacting precision. For years the focus was on high accuracy and security of the biometric data. Starting with Apple’s iPhone, the shift to device-based biometrics took the mainstream focus for years. Now as broader use of biometrics is significantly rising, there is greater demand for commercially viable biometric solutions that do not require continual re-enrollment and associations to accounts. The emerging key trend today is a biometric that can be bound to the individual, not just some device, so it has long-term value for the person’s identity. This must also include security of the biometric data, as well as control of the biometric data by the user. This allows the individual to determine when to remove their biometric data, and their access to those accounts.
Security: What is behavioral biometrics? Provide examples.
LaCous: Behavioral biometrics are measures of a user’s “Behavior” versus their “Physical Features.” Behavior can include everything from how you type (speed between presses, and patterns of character-to-character input), to movement and orientation sensors in mobile phones that can match how you walk or how you pick up and hold the phone. The use of behavioral biometrics can be used to help determine the identity of an individual, as well as continually determine that the correct person is still in control of the device. If the behavioral biometric does not match, then additional authentication factors can be requested.
Security: How will this technology ramp up fraud detection efforts?
LaCous: Biometrics in general can reduce fraud through strong authentication of the user, versus other authentication methods that show you know some password or PIN code, or simply have some token or device to grant access. Behavioral biometrics can help determine the continual identity of the user through the entire session.
Security: Are there ethical concerns related to behavioral biometrics? How can the industry mitigate these concerns?
LaCous: Today’s behavior biometrics cannot uniquely identify a user but can give an assurance that they are who they state they are. The behavioral elements are not anything that can identify an individual, or tell anything more of a person than how a motion sensor reacts to how they move or tilt a phone, or typing speed between keys and words. Ethically this is not a key concern, as its only application is when the user is known. The technology can make the users’ identity more secure, if they log in and, say, set their phone down or have it stolen from their hands.