Two-factor and multi-factor authentication – the latest trend in identity and access management (IAM). The answer to all our cybersecurity prayers. The newest, hottest trend.
Or is it?
Actually, some would say it’s been around for centuries. After all, what methods have humans been using to recognize each other since the dawn of time? Not by typing in and recognizing arbitrary passwords, that’s for sure. And not merely by the sounds of their voices or the patterns of their gait or the shapes of their faces alone. On a daily basis, we recognize each other through a combination of all of these biometric characteristics.
But Is Johnny…Really Johnny?
And – as nefarious tricksters around the world well know – when you reduce the biometric ‘checklist’ down to only one factor, the error rates of the brain’s algorithms go up. This is why criminals posing as distant relatives so easily fool Grandma. When long-lost Johnny calls and claims he’s in trouble, needs money and will send a friend over to get it – Grandma worries and reaches for her purse. Except Johnny isn’t Johnny. Relying on voice alone, Grandma allowed unauthorized access. In terms of biometric access control, Johnny was a false positive.
This shows that if we measure any single- or multi-factor biometric access control system against the gold standard – the human ability to recognize a known fellow human – even the best of them will still have a substantial rate of false positives. And false negatives as well! Both of these false readings pose their own risks. While false positives – like our sneaky Johnny – permit unauthorized access to sensitive data, false negatives seem relatively harmless at first sight. But upon closer inspection, they can be every bit as dangerous as false positives: they frustrate users, thus driving them to find ways of circumventing the access control system altogether.
Born To Recognize
The question is – can machines beat the human mind in recognizing other humans? The human mind has, at any rate, been optimized by evolution to spot a familiar face even under the most chaotic and distracting of circumstances. Babies, scientists have found, start recognizing faces even when still in the womb! They turn their heads towards anything that is roughly face-shaped and which seems to have a nose and two eyes, while ignoring randomly shaped objects. We are born as facial recognition machines.
There are other skills that evolution has optimized us humans for – social interaction, speech production and processing, finding creative solutions to problems. And in none of these fields have algorithms – some impressive results notwithstanding – surpassed humans so far. Except in – you guessed right – facial recognition.
Edging Closer To 100%
Recent results have shown that a Chinese-developed facial recognition algorithm, Dragonfly Eye by Yitu, has surpassed human facial recognition abilities not only with regard to unfamiliar faces, but now familiar faces as well. Dragonfly Eye ranked first in the Face Recognition Vendor Test by the National Institute of Standards and Technology (NIST), a notoriously hard benchmark to pass, in which real-world scenarios are provided by the Department of Homeland Security. Not only was the algorithm more accurate, with an accuracy rating of 99.5 percent – it was faster than recognition by humans as well.
What does that mean for the future of biometric authentication and access management? It is easy to see how a method that achieves an accuracy of 99.5% using only a single factor (facial shape) can easily be pushed to near 100% accuracy by including a second factor, for example by simply adding voice pattern. Now imagine what adding three or more factors might do. In just a couple of years, false positives and false negatives may be a thing of the past. However, human expertise will still be required to select the right system for the right use case – and to harden the system against attacks from the outside and inside.
Simeio’s own VP, Abhimanyu Yadav, has these insights to add about biometrics: “There are a lot of interesting things happening in the biometrics space, especially with recent advancements in ‘deep learning’. Simeio is actually working on an app that uses Apple FaceID to biometrically authenticate users into our Identity Vault app, thus providing a password-less solution for web single sign-on.
Face recognition will also be used to help validate proof of physical identity documents by comparing a selfie with a photo on their ID documents. There are also some practical uses of biometrics embedded into devices today. For instance, Alexa voice recognition that uses natural language processing to identify a user with a certain confidence score. If the confidence score is “low”, only transactions that require a lower level of assurance will be allowed. Biometric, at the end of the day, is a probabilistic measure, not deterministic. So it cannot be used on its own. But using our proofing solution can help bridge this gap by elevating users to a higher level of assurance so they can use biometrics to assist transactions.”
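An added example, not part of the original article or of any Simeio product: it applies several fusion rules to constructed face and voice match scores to show how adding a second factor shifts the false-positive rate (FAR) and false-negative rate (FRR), and how a fused confidence score can gate transactions by assurance level as the quote above describes. The scores, the 0.80 and 0.90 thresholds and the tier names are assumptions.

```python
# Constructed match scores in [0, 1]: (face, voice) per login attempt.
GENUINE = [(0.97, 0.91), (0.95, 0.70), (0.58, 0.93), (0.92, 0.88), (0.90, 0.85),
           (0.88, 0.90), (0.96, 0.83), (0.85, 0.78), (0.91, 0.94), (0.89, 0.86)]
IMPOSTOR = [(0.84, 0.20), (0.30, 0.82), (0.40, 0.35), (0.25, 0.50), (0.55, 0.30),
            (0.10, 0.45), (0.35, 0.15), (0.60, 0.40), (0.20, 0.25), (0.45, 0.55)]
T = 0.80  # assumed per-matcher acceptance threshold

# Decision rules: one single-factor baseline and three ways to fuse two factors.
RULES = {
    "face only": lambda f, v: f >= T,
    "AND (both must match)": lambda f, v: f >= T and v >= T,
    "OR (either may match)": lambda f, v: f >= T or v >= T,
    "mean score": lambda f, v: (f + v) / 2 >= T,
}


def error_rates(accept):
    """Return (false-accept rate, false-reject rate) for a decision rule."""
    far = sum(accept(f, v) for f, v in IMPOSTOR) / len(IMPOSTOR)
    frr = sum(not accept(f, v) for f, v in GENUINE) / len(GENUINE)
    return far, frr


def assurance(f, v):
    """Map the fused confidence to the transaction tier it may authorise."""
    score = (f + v) / 2
    if score >= 0.90:   # assumed cut-off for high-assurance transactions
        return "high"
    if score >= T:      # good enough for low-assurance transactions only
        return "low"
    return "denied"


if __name__ == "__main__":
    for name, rule in RULES.items():
        far, frr = error_rates(rule)
        print(f"{name:24s} FAR={far:.0%}  FRR={frr:.0%}")
    print(assurance(0.85, 0.78))  # genuine user with a weak voice sample
```

On this data the AND rule removes false positives at the cost of more false negatives, the OR rule does the reverse, and only score-level fusion improves on the single-factor baseline, so the choice of fusion rule decides whether a second factor helps.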
Dr Christina Czeschik is a writer and consultant specialized in information security, digital privacy, and Blockchain. Originally a doctor, she has slipped into the infosec pool by way of cryptoparties, and never quite been able to climb out again.