
March 2014 - Biometric Technology Today - Token-less Tech Byline


March 2014 Biometric Technology Today

FEATURE

ning, remember that it is ‘social’ media, not just a pulpit for company announcements.”

• Jason Hodge (SecurLinx): “Just do it. The conversation going on out there will continue with or without your participation and that conversation is important to the future of your business. While social media is useful for communicating an organization’s value proposition to the world, it can also have some unforeseen positive effects inside a company. It sparks conversations between people in sales and marketing and research and development. It instils discipline in continuously re-evaluating market conditions and added to our corporate intelligence.”

• Terri Hartmann (Unisys): “There are a lot of important conversations going on in social media, and it’s changing the way people consume content and do research. So if you aren’t active on social media, you should be. Only first make sure you understand the environment. Also, you have to buy-in from the leaders of your company, and there have to be thoughtful guidelines and policies governing what content should be shared. Third, don’t try to be all things to all people. Target your audience, and understand your goals. Finally, be patient. It takes time to succeed. So as you’re beginning your journey, establish smaller, incremental goals and try to achieve those first.”

• Amer Al Mahri (UAE Emirates ID): “Social media is becoming an increasingly important part of any business’s marketing and client base development platform. It has become a must for any business seeking to secure a place in the digital marketplace. We use social media to build a dedicated, loyal customer base by offering the personal touch that only a local business can provide.”

Conclusion

Social media has exploded into the mainstream with a purpose and unique identity for just about every industry on the planet.

Interest in biometric technology has seen unprecedented growth in the past five years as more governments and businesses explore the opportunities that the technology offers to help establish secure identities. Biometrics has a reputation of being misunderstood, fraught with rumours and unsubstantiated claims on how it truly works. The time has never been riper for companies operating within the biometrics industry to influence the discussion and help educate the masses that still remain uninformed on the value of the technology.

The time to experiment with social media is now.


About the author

John Trader is the director of communications for M2SYS Technology, a global industry leader in biometric identity management technology. He has public relations and marketing experience working in the financial, publishing, non-profit, entertainment, sales training, and technology sectors.

Token or no token: bringing sanity and order to identity assertion

Hector Hoyos

Back in 2010, the Bank of America Headquarters in Charlotte, North Carolina, deployed a completely iris-based access control system. It was based on the HBOX and EyeLock, two original proprietary technology products from Global Rainmakers, Inc, now known as EyeLock Corp.

It was a true sight of beauty to see thousands upon thousands of Bank of America team members gain entry to their workplaces all around the city of Charlotte with nothing more than a glance of their irises. No tokens or access cards of any kind were used. It took nearly three years to achieve such a milestone. That deployment in the summer of 2010 ultimately reshaped the face of the access control and biometrics industries.

Today, however, much like the setback that general aviation suffered when the Concorde was removed from service, it appears that both industries have forgotten the lessons that everyone had learned from that BAC deployment.

Hector Hoyos, Hoyos ID

It is said that the definition of insanity is doing the same thing over and over again, expecting a different result every time. Reviewing the development of the biometrics and IT fields over the past three decades, it would seem that this is the direction into which the identity assertion industry is headed – into the realm of insanity – and there’s much to be done to reverse that fate.


Convenience

One word defines all of those lessons: convenience. Back then, that was the single paradigm that drove the success of that deployment and every other successful deployment across the world. Would you rather not have to carry around an access card and just use your iris biometrics if you knew that it would be just as safe as using your access card?

Interestingly, a good portion of the folks at BAC initially did not accept the iris system, voicing concerns over privacy and data security. All of their concerns, though, were quelled upon seeing their co-workers waltz into the building right through the access points, without having to dig into their wallets or purses to pull out an access card.


An employee at the bank headquarters was holding a cup of coffee in her left hand and bag and coat in her right hand and had files tucked under her right arm. What did she think of the iris-gate? Her response was that it was as ‘convenient as a fast food drive-through’. After all of the years of R&D and the tens of millions of dollars invested and after all of the science and technology innovation that had been accomplished it was best summed up from a real world user and her 20-second experience. What the user wants, recognizes, cares about and remembers is the ultimate convenience.

Identity authentication landscape

Fast-forward three years, to a Forbes article about Google [1]. At this point, Google is proposing a two-factor authentication system (2FA) using a username and pin, plus a Yubikey token that connects to the USB port of a computer.

It seemed that we had gone back in time. Google is a member of the FIDO (Fast Identity Online) Alliance, which supports biometrics in combination with a similar token. Yet, had it now changed its mind and decided to drop biometrics completely?

The proposition of the FIDO Alliance, which requires carrying a physical token to identify oneself, would seem to be inherently flawed. Many have predicted that at some point in the near future, we would have to drop usernames, passwords and pins, and all of these would be replaced with biometrics on smartphones. The main reason for the adoption of smartphones as the biometrics acquisition tool is because of their convenience for users. It’s something that we always carry around.

Many folks over the years in both the private and public sectors discounted this vision of a world in which all identities would be asserted by means of our biometrics, simply stating that passwords would never go away.

Microsoft, like Google, had also joined the FIDO Alliance; yet, FIDO’s standard identity authentication protocol requires the use of a Yubikey token. So, is the solution to use, or not use, a token for security purposes? Is Microsoft going against its own study, because it doesn’t believe in the results, or has the company lost faith in biometrics at a time when the overwhelming majority of consumers are clamouring for biometrics to replace usernames and passwords?


Today, studies from Ericsson, PayPal, IBM, Microsoft and the Ponemon Institute all reflect this sentiment. According to Ericsson’s study entitled The 10 Hot Consumer Trends of 2013 [2], 52% of smartphone users want to use fingerprints instead of passwords, 61% want to use fingerprints to unlock phones and 48% are interested in using eye recognition.

Another study by PayPal [3] shows that consumers ‘are OK’ with biometrics and that 53% of those surveyed are comfortable replacing passwords with fingerprints, and 45% would opt for a retinal (iris) scan.

What’s more, IBM Fellow and Speech CTO David Nahamoo said that over the next five years, people’s unique biological identity and biometric data – including facial definitions, iris scans, voice files and even DNA – will become the key to safeguarding personal identity and information to replace the current user ID and password system.

Microsoft Research funded another study entitled ‘The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes’ [4], and one of its main conclusions is that the replacement for passwords should conform to the following criteria: it should be easy to carry, efficient to use and have easy recovery from loss. It even goes as far as to say that these criteria are achieved mostly by biometric schemes and that tokens are not enough to achieve this.

The future of the industry

What makes a company and product successful is the adoption and continued support by consumers of their offerings. Again, consumers are focused on convenience; of course, they want to be secure but surprisingly not at the cost of their convenience. Any proposed scheme by any company or alliance that intends to go against the grain of consumers in this sense will fail.

HoyosID uses smartphones as the biometrics acquisition device through using an app that runs on iPhones and Androids. Instead of using usernames and passwords, users can login with biometrics. Users click on a webpage’s log-in, which awakens the HoyosID app on your smartphone. After acquiring iris biometrics, the app logs in the user, and if someone other than the authorized user tries to access the phone’s information, the HoyosID intrusion detection system blocks the attempt.

In order to be hacked, someone must first appropriate the smartphone and then attempt to hack it; the HoyosID architecture forces hackers to attempt hacking one user at a time. Gone will be the days of massive attacks that affect multitudes of consumers from a single breach.

[Figure: Periocular biometrics is a subset of facial biometrics.]

Success factors

The key elements that differentiate this technology, and any other biometrics-based product that will be successful in the future, are:

• Anti-spoofing measures – “Spoofing” means passing an authentication on a digital system using a false credential that appears to be a valid credential of an actual user registered in the system, such as a high-resolution photograph of a person. These measures will include liveness detection countermeasures—how mobile applications recognize a live person from a decoy image. They will prevent replay attacks, which is when someone attempts to “inject” a recording of you into the system as someone else. And they will implement back-end encryption—using two-way SSL to connect to the server that uses IDS and proprietary algorithms for encryption. The IDS identifies the attempts to replicate, along with a timestamp, and blacklists the offending devices quickly and permanently.

• Biometrics Open Protocol Standard (BOPS) – This is an open-source API that enables the integration into HoyosID of any third-party biometrics solution in the market (such as if you want to use fingerprints through the iPhone 5S or iris identification with the Samsung, when available). The BOPS enables the interconnection of any device that opens, closes and turns on or off to be controlled with any biometrics device(s) that communicates through it.

• Data storing – It is key that there are no biometrics stored anywhere, except in the smartphone, in an encrypted mode. When the SSL private key is generated, it needs to be done by the server and not by the device, and not stored anywhere since its lifetime is limited to a few seconds. The back-end will then detect the real user from someone who tries to impersonate you over the network. HoyosID, for example, currently runs on Amazon Web Services, which uses proven cryptographic methods to secure its infrastructure.

To date, biometrics haven’t become as widespread as they will be in the future, because technology hasn’t been advanced enough to eliminate spoofing efforts (for example, the iPhone 5S and its fingerprint technology were hacked less than 48 hours [5] after its release). Additionally, using biometrics with various technologies has never been convenient or easy to use, and up until now, people have always been required to have additional hardware or tokens to secure material.

With iris and periocular biometrics, people can perform many different tasks on their smartphones, including the ability to make financial transactions quickly, seamlessly and securely. Periocular biometrics is a subset of facial biometrics; the core information in the face comes from the periocular, or suborbital, eye area. Unlike voice recognition or fingerprints, periocular biometrics can be subject to liveness detection through a series of proprietary computer vision techniques. Voice, on the other hand, can be affected by background noise and is easily spoofed like fingerprints.

It’s important to note, though, that biometrics are only as good as their back-end – as standalone hardware, they won’t get us very far – which is why it is critical to have an end-to-end solution. The future of identity assertion is in the biometrics, and if the biometrics and smartphone sectors keep this in mind in the years to come, we can steer away from the realm of insanity and move forward on the path of technological progress.

Conclusion

During Christmas 2013, 40m people in the US had their credit card numbers stolen from Target stores. It is clearer than ever that usernames and passwords are not the only problem: we need a more secure infrastructure as a whole. It is time to replace all usernames, passwords, PIN numbers and credit card numbers with biometrics.

References

1 Diallo, A. ‘Google Wants To Make Your Passwords Obsolete’. http://www.forbes.com/sites/amadoudiallo/2013/11/30/google-wants-to-make-your-pass-words-obsolete/. November 2013. Accessed March 2014.

2 10 hot consumer trends. Ericsson. 2012. http://www.ericsson.com/res/docs/2012/consumerlab/10-hot-consumer-trends-2013.pdf. Accessed March 2014.

3 Tsukayama, H. ‘PayPal study finds consumers okay with biometrics’. Washington Post. http://www.washingtonpost.com/business/technology/paypal-study-finds-consumers-okay-with-biometrics/2013/10/09/54eb5132-3095-11e3-9ccc-2252bdb14df5_story.html. October 2013. Accessed March 2014.

4 Bonneau, J, Herley, C, van Oorschot, PC, and Stajano, F. ‘The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes’. http://research.microsoft.com/apps/pubs/?id=161585. May 2012. Accessed March 2014.

5 Chang, JM. ‘iPhone 5S Fingerprint Sensor Fooled by German Hacker Group’. http://abcnews.go.com/Technology/iphone-5s-touch-id-hacked-star-bug/story?id=20344234. September 2013. Accessed March 2014.

About the author

Hector Hoyos has been in the biometrics and IT fields since the mid-1980s as the founder and president of various biometric companies. He co-founded and presided over Biometrics Imagineering Inc, creating fingerprint identification systems and interactive financial transaction systems. He also helped incubate the Praetorian technology, a real-time video surveillance technology, which, in February 2008, was awarded a training/video surveillance contract by the US Marine Corps. Additionally, Hoyos served as the founder and CEO of EyeLock Inc., an iris-based identity authentication company, previously named Global Rainmakers (GRI). He also invented the HBOX, EyeSwipe and EyeLock iris biometrics-based access control family of products. Currently, he manages a digital infrastructure security company, Hoyos Labs, with a biometrics R&D lab located at the Cambridge Innovation Center on MIT’s campus.

HoyosID is an identity assertion platform—an end-to-end solution that will serve as a replacement for all usernames, passwords, log-ins and IDs. On its front end, HoyosID is an app that can be downloaded to any Android or Apple smartphone. Using various biometrics, including periocular, iris and facial, as well as a liveness detector that distinguishes living people from photographs or videos, and pattern matching, the app will verify that a person attempting to log-on to a system or complete a transaction is, in fact, the true identity. The back-end of the system will match the image to unlock data and conduct transactions from one’s computer. The HoyosID identity assertion platform is ‘biometric-agnostic’, meaning that it can plug in and use any other company’s proprietary biometrics solution in the front-end device.