Kimberly Biddings, BIO-key: "since the switch to cyberspace, there is a need to have trust in who we are working with"
Working in a digital environment has not only opened new opportunities for efficiency but also created several challenges. One of them is the increasing number of frauds that appear when enterprises do not have appropriate solutions for identity verification.
Unfortunately, threat actors come up with various sophisticated techniques allowing them to pretend as someone else and steal valuable information, obtain illegal profits, or cause other damage.
Today, Kimberly Biddings, the VP of Product at BIO-key – a company that provides biometric fingerprint authentication solutions, explains how biometric identity solutions can help prevent cyberattacks and build the needed trust among companies when everything is going digital.
Can you introduce us to your Identity-Bound Biometrics? What are the main features?
The Identity-Bound Biometrics (IBB) platform is the most secure way to trust that the person behind the screen is who they claim to be. In this system, biometric data is enrolled and stored by the organization or a relying party and remains immutable. So, when a user logs into a system using a biometric measurement like a fingerprint, that data is encrypted and compared to the template held by the organization. What this means is that the power of enrollment stays with the organization rather than the owner of the device.
Apple’s TouchID, for example, also uses a biometric measurement. However, once a user has access to the device, they can enroll other users and that information is stored on the device rather than with the organization. This means that the company is confirming the device rather than the person using it.
Avoiding the limitations of being bound to a single device by utilizing IBB, organizations can support employees or contractors who need to have access across multiple devices and even locations without any additional enrollment or processes. IBB is also great for building trust between parties that are interacting remotely as they can work with confidence knowing exactly who it is they are dealing with.
In your opinion, which industries should be especially attentive to implementing biometric identity verification solutions?
Currently, IBB is being used by organizations in financial services, healthcare, education, manufacturing, communication, transportation, and government. We see this technology as having a wide range of uses – anywhere where there's a need for trust between parties working remotely or where employees need convenient access to a network from multiple devices.
Take an example of the roaming bank teller who needs to work with highly sensitive financial data from several different devices throughout the day. IBB allows them to work from many devices easily without the need to re-enroll them on each device or carry around a phone or an additional gadget.
You can also consider a remote contractor – a company can have confidence that the person they have hired, done background checks on, and given access to their systems is the person they say that they are.
These types of situations come up in nearly every industry. I would say that anyone who desires a high level of trust and convenience in their authentication process should be looking towards IBB as part of their authentication program.
How do you think the pandemic affected the authentication landscape? Were there any new challenges?
The pandemic accelerated the move towards remote options for essential tasks and services. As we are increasingly doing business behind a screen rather than in person, there is an increased need to have trust in who we are working with.
While the need to build trust in our authentication methods has always been there, we are now seeing more and more critical business being done remotely. Financial transactions, outsourcing employees, and even voting are looking to move online to make life safer and easier for everyone involved. However, this move also increases the need for trust between two parties.
Many of the methods currently being used, like passwords or phone-based authentication, cannot live up to the level of trust needed to perform such sensitive tasks in a digital landscape. The pandemic has driven the need for more trustworthy authentication methods to arrive now.
What are the most common methods threat actors use to bypass various identity verification measures?
There are several different methods used by threat actors to circumvent more traditional Multi-Factor Authorization (MFA) methods.
One of the more common tactics is phishing attacks – an email is sent to a user to click a link and provide their username and password. The website where the user enters their credentials is owned and operated by the hacker so they can capture all information the user enters. This quickly takes down any password-based methods.
When phone-based methods are used, hackers are getting much better at intercepting the One-Time Passwords (OTPs) or PINs that are being sent to the phone. One method is a SIM swap attack where the hacker gets the user’s SIM card details and then calls the cellular network provider to transfer it to a phone in their possession. Thus, tying the phone number to that phone and any messages that are sent to it. The hacker now receives all OTPs as though they are the end-user.
Besides multi-factor authentication, what other cybersecurity measures do you think every modern company should have in place?
Good data encryption is hugely important. Ensuring the safety of users' and employees' data to avoid any breaches in security is the hallmark of good business right now. Also, having a dedicated cybersecurity team who can monitor, assess, and respond to any attacks.
A startling number of organizations lack the visibility to monitor for threats like ransomware attacks, and they need to have not only a strategy for catching these attacks but a response plan in place for when they occur. A company’s reputation is very much on the line if they are subject to a data breach and end up in the news.
As for personal use, what actions can average individuals take to protect their identity online?
A lot of being safe online comes down to common sense. Here are some useful tips:
- Use strong passwords and don’t repeat them. Have a unique one for each service you use, especially important services like banking or business. Also, store your passwords securely if you don’t want to memorize them all.
- Don’t share information with anyone, even people you trust. Not to sound paranoid, but the more people who know how to access your information the less safe it becomes.
- Limit access to your devices. The fewer people who are enrolled on your devices, the lower the chance of that device being used as your identity in a transaction.
- Keep backups of any important data. This way if a file is lost, deleted or held for ransom you don’t lose access to key data.
- Don’t give out any personal information. Unless you are confident who it is you are working with. The anonymity of the internet allows people to hide behind false identities and that’s one thing we are trying to prevent with IBB.
What do you think the future of identity and access management is going to be like? Do you think the use of biometrics is going to become commonplace?
I believe that companies and even individuals will continue to adopt biometric, and more specifically IBB approaches with increasing frequency.
There are a couple of reasons for this, one is convenience. Biometric methods don’t require a user to remember a password or carry a physical token. They are fast and easy to use, making the user’s life easier. Another reason is that as traditional MFA approaches are implemented in more and more places, we will continue to see threat actors finding new and creative ways to circumvent the basic methods for verifying identity. Access based on what you know or what you have will become more susceptible to attackers as time goes on.
Having something that is enrolled with the organization, immutable, and based on the individual rather than the device will continue to build trust in online interactions between both consumers and organizations. This trust will be the cornerstone of moving our most important and sensitive tasks online, so as the world becomes more and more digital biometrics and specifically IBB methods will be relied on.
Would you like to share what’s next for BIO-key?
BIO-Key is looking forward to expanding internationally and into new markets, wherever trust in authentication needs to be built. We are also excited about the growth of our MobileAuth solution with our PalmPositive technology that will make a big impact with mobile devices in particular. Our focus is on continuing to grow and bring additional IBB methods to both businesses and their customers.