Mercator Blog

Biometrics Today and Tomorrow
Date: January 13, 2017
Tim Sloane
Vice President, Payments Innovation

Before diving into the tactical reality of how biometrics, and specifically behavioral biometrics, will impact identity solutions, let’s step back and establish the larger picture of the future.

The “Internet of things” (IoT), or as denoted by the Future of Identity in the Information Society (FIDIS), “Ambient Intelligence” (AmI), will seamlessly integrate smart devices into the environment. In the future, the entire environment will have the ability to “think” on its own and to make “smart” decisions on behalf of human beings. The ultimate aim of Alexa, Google Home, and their ilk is to establish a context-aware system that will improve pour lives by recognizing our needs, requirements, and preferences and then taking action on our behalf. In this environment our actions, both intentional and unintentional, are monitored by the devices we carry and by the devices that surround us. How these signals will be collected and used should of course be a pressing issue for society and law, but our focus on the now and the inability to coalesce our activities to shape the future we want (global warming anyone?) suggests that practical people will simply find ways to leverage new technology to the problems we have now. So let’s dive into biometrics as it relates to authenticating an account holder trying to make a financial transaction.

Three facts, when combined, focus our attention on biometrics and authentication technologies. First, as security professionals recognize, passwords are no longer viable despite being the only well-accepted mass market solution available today. Second, as technologists recognize, the cost of hardware and software needed to collect and analyze a wide range of biometric information is now sufficiently low that it can be widely deployed in mass market smartphones and other consumer devices. This cost equation is in large part driven by the broad availability of low-cost smartphones and the cloud technology to which those phones are connected. This combination of facts—passwords no longer viable, low-cost biometric data being broadly available, and the new mobile-centric computing model enabled in every smartphone—is rapidly changing our customer authentication methods.

Over the next 4–6 years, the storage of biometric data will move out of the enterprise and into either the device or the cloud, or perhaps to a combination of both. But regardless where the biometric data resides, or where the calculation of identity is made, that proof will be in the control of the consumer and provided to identity requestors as a zero-knowledge proof. The term “zero-knowledge proof” in this context simply means that the user will be authenticated by the smartphone and the smartphone will send an acknowledgment to the requester that the person is the user who was provisioned with the initialization of the smartphone.

This shift to a reliance on the consumer device for identity confirmation indicates that financial institutions should start to alter the security architecture they employ in order to eliminate the storage of all personal biometric information. While this transition will take 4–6 years to complete before it can address the highest-level security needs within the institution, the trend is sufficiently clear that it should be recognized that any authentication mechanism that stores biometric data on-site is a short-lived solution that will attract criminals and shortly be obsolete.

It is also likely that this shift to authentication executed in the user’s device will have an additional impact on financial institutions and accelerate the effort to establish a risk rating associated with each transaction. The added computing power of the handset, combined with the cloud, is being used by Google today to evolve the simple yes/no zero-knowledge proof response with a response that provides a more refined confidence rating, one that reflects a more finely calibrated confidence level that the user is the right person. To utilize the extra information, the financial institution as the requestor must establish different risk levels for each interaction. Providing balance information can be performed even in a low-trust situation, whereas conducting a high-value person-to-person (P2P) payment transaction in a low-trust situation would certainly be worth interrupting the user for a real-time challenge.

Over the longer term, it is unknown how much identity-specific information will shift from the business to the consumer. This is a decision that will be shaped by consumers, society, and the technologists involved in developing and deploying what is known as “self-sovereign identity.” Some banks have already decided that customers should be in control of their own individual identifying information and are updating their internal systems to accommodate the implementation of self-sovereign identity.

The report, Biometrics: A New Wrinkle Changes the Authentication Landscape, provides data to support the contention that the financial services industry is already well into the transition from passwords to biometrics. The content presented answers all of the following questions:

  • How quickly will this transition to biometrics occur?
  • Which suppliers will control the collection of the consumer’s biometric information?
  • What is the relationship between a person’s identity and that person’s biometric data?
  • Where will the biometric data reside?
  • How will the technology evolve?

A companion Mercator Advisory Group research report titled Biometrics: A Market Forecast for Consumer Adoption identifies and analyzes the issues associated with consumer adoption of the biometric technologies discussed here and offers Mercator’s forecast for consumer adoption of mobile biometrics from the present to 2025.