What are Identity-Bound Biometrics?
On this episode of IAM Pulse, BIO-key's SVP of Strategy and Compliance and Chief Legal Officer, Jim Sullivan, talks to us about Identity Bound Biometrics. What is IBB, and how does IBB differ from traditional device-based biometrics? When should organizations utilize IBB? Listen to the answers here.
William Papa
Hello, everyone. Welcome to another episode of IAM Pulse, a podcast dedicated to discussing IAM topics, brought to you by BIO-key International. Today, we're going to have the "what is" discussion about identity bound biometrics, or IBB. For our guest today, we have our senior vice president of strategy and compliance and chief legal officer, Jim Sullivan. Jim, how are you doing today?
Jim Sullivan
I'm great. Will, thanks for having me.
William Papa
So Jim, today, we wanted to get into the basics around identity bound biometrics, as all too often we are asked what they are and why they are better. So let's start off with the first part. What are identity bound biometrics, and why are they needed in addition to all the other MFA choices out there?
Jim Sullivan
Sure. So when we think of biometrics, really, you're down to the fundamental capability of translating a measurement of a physical factor about someone into a yes or no answer to whether or not it's a particular individual or, in the case of searching, to find it among the population of enrolled possibilities. And you can either apply that in the traditional phone authentication scenarios that we see with the iPhone and the Samsung Galaxy and other phones, where essentially it's a built-in component of the phone. It's used to unlock the phone. The phone is internally capturing and making the decision on the fingerprint or face data, depending on which technology, and then it is making the determination of, is it an enrolled user on that phone. And that's the extent of it. What identity bound biometrics does is take that same concept and move it to a higher position in the food chain, so to speak. Getting it away from being tied purely to a device and making it available so that a relying party, a bank, a retail organization, a hospital can use it in order to be able to positively identify an individual independent of them having a particular device or token in order to do that. So there are advantages of that in the sense that you don't have to have that phone or token as an intermediary between you and the person you're trying to identify if you're the relying party.
And the other side of it is the convenience for the end user, because they can literally show up with nothing but the shirt on their back and still be able to prove who they are, because there is an enrollment of those facts about them securely stored that they're able to match against and prove their identity, without having to carry and retain and not lose things like phones and tokens into their workplace or wherever they're trying to prove their identity.
So it's a much more elegant solution. It's one where, when you have a close relationship with an individual, like an employer who's relying on the confidence to know that even though that employee or contractor is across the world, working on a remote connection, they haven't made an unauthorized delegation or sharing of that credential to another person, which unfortunately happens a lot in the case of somebody who wants to have someone else take over their job, do it at a lower cost. They can job share and essentially proxy, give someone else that credential, and without having a true biometric, an identity bound biometric, you can't be absolutely sure that you're not just seeing the token or the phone and not the particular individual that you're really trying to make sure is out there.
William Papa
Right. Right. I see. So what are the benefits then to using IBB?
Jim Sullivan
Well, first and foremost, if you think about the scenario of a roving user, someone that moves among workstations in a workplace: think of manufacturing, a shop floor and various kiosks located around that floor; healthcare, where a nurse practitioner is moving amongst many different workstations; retail, where we have a lot of different point-of-sale and manager workstation override scenarios. Those all call for the idea that an individual is not necessarily tied to a particular workstation. So if you look at the traditional mainstream MFA answer to that, they're going to either push the idea of a user having to use their phone with an application on it as their second factor, or they're going to have to have them carry one of the, you know, many varieties of tokens that you can either touch with a proxy approach, like a smart proxy card, or use an actual FIDO token and insert it, or touch it with NFC to prove that you're there, or at least the token is there. Those sorts of scenarios add a lot of fumble and bumble friction to the process of trying to get something done when you get onto a workstation.
They also introduce the possibility that you're going to leave that token in proof behind. And then, in an increasing number of environments, the phone is an unwelcome distraction in the workplace. And in some cases it's data leakage and exfiltration that's the concern. So call centers, for example, typically prohibit users from working with their phone while they're at their workstation, because they could be taking pictures of personal information. And in other cases, it's a distraction or a safety concern. So when you start relying on either the phone or a token as being the way you prove that an individual is who they say they are, the benefits start to become outweighed by the friction and the difficulty in maintaining a safe workplace and a distraction-free workplace. So there's a great preference towards the idea that you would simply place a fingerprint scanner or another sort of biometric capture device at those workstations, at those retail point-of-sale locations, and then users simply walk up and touch their finger to sign in. And they don't have to have anything that they've carried with them and therefore could distract them, or something they could have forgotten, or, as I've described before, could have shared. So it gives you a lot more control, but it's also a much more elegant workflow, because users simply walk up, touch, and they're able to sign in without having to go through the 'find the token', 'find the phone' process that they may have to employ otherwise.
William Papa
Right. Right. So then, following from that, how are identity bound biometrics different from and better than device-based biometrics?
Jim Sullivan
Well, in a device-based scenario, you're really just verifying that the device is there, and you've inadvertently delegated the decision of who the user is that's there to the owner of that device. So as a concrete example, if I am using my device to authenticate, a phone, for example, then I, as the owner of that phone, am given freedom to be able to enroll additional users. I could enroll my very smart son who's going to be able to do the work, or I could enroll a third-party contractor and give them the phone, which then allows me as the end user to start delegating and making decisions as to who has access. There's also an increasing discussion around bribery. There was a story that came out recently about one of the big telecom carriers who had, you know, users being bribed in their call centers to give access to hackers and, you know, basically criminals who were going to use the access to unlock phones from that carrier.
And that cost that carrier over $200 million of unpaid phone payoffs, because once the phone was unlocked, the customer didn't have to use it. And all of that rooted out of the fact that a few of the end user call center employees gave over their credentials to people who used them to do those unlocking exercises. So it really is about the fact that if you're relying on a device of any kind, you're now placing too much control over who gets access into those end users' hands and not retaining it for yourself by using identity bound biometrics, which gives you the ability to determine who can come in and who they are, and not relying on the fact that a phone or a token tells you that it's the individual. So it's better control, better governance, and it comes out of this.
William Papa
So from a use case scenario, right, where should IBB be used?
Jim Sullivan
Well, number one, you're looking for scenarios where you have to have absolute certainty of who's at the other end of a connection. So in thinking of the supply chain, which is a common vulnerability when you're thinking of third parties coming into your systems and having access, using a biometric lets you be absolutely confident that they don't let expediency and the need to get something done override your desire to have strong security, policy, and governance. So for example, if you have someone that's in charge of being able to come in and maintain your point-of-sale systems remotely, or come in and maintain your servers remotely, to know that it's the individual that might've passed your approval for what they know and their skillset, versus that they might've handed off to another junior worker because they had too much else to do, and sharing your credential allows them to get more done but unfortunately places your systems at risk. That's one scenario.
The other obvious ones are where you have roving users that move around among workstations, because of that more elegant approach of having fingerprint scanners where the work takes place, instead of having all the users carrying tokens and phones in order to prove where they are. So think of retail, healthcare, manufacturing, call centers, field technicians who move around and share work tablets and other devices. Those are all scenarios where you're going to benefit from the idea that the device has the sensor and allows them to be able to positively identify that individual without having them carry something. The other scenario is if you're concerned about phishing: the idea that someone has a biometric being verified, as opposed to a phone, is really much more resilient to any phishing attack, because the phish can even succeed in getting the user's username and password, but the way that our platform is built, there is no way for someone to be able to capture the biometric.
First of all. And second of all, even if they have it, our system maintains a high integrity pipeline that cannot allow individual biometric data to be injected into it. So it gives a higher assurance that you're dealing with just the user you want and not someone that's even gotten them, through social engineering or other compromise, to give over their credentials as best they could. And we talked about the scenario where you have the possibility of someone either being bribed or socially engineered or giving over their credential. That again makes the credential very sticky to the individual, because you're actually dealing with the intrinsic question of, you know, who is the user, as opposed to what do they have or what are they now? So a biometric that is identity bound is really allowing you to be able to tightly bind that biometric to that individual. So even willfully, they couldn't break that connection and commit fraud or otherwise put your systems at risk.
William Papa
I see. All right. So thank you, Jim. And thank you for being our guest today and joining us to discuss identity bound biometrics compared to device-based biometrics. IBB is a much more secure and convenient option that maintains the highest level of integrity to prevent unauthorized delegation and other security vulnerabilities. So this concludes this episode of IAM Pulse. Thank you for listening to the show. Again, a big thank you to you, Jim, for joining me today. For more information about BIO-key, visit www.bio-key.com to learn more about identity bound biometrics. And to our listeners, we'll talk to you again soon.