Biometric Authentication John Bertoli's post
FinServ in the new age of identity: Addressing your biometric concerns
JUL 06, 2017
Peter: Good morning, good afternoon, or good evening, depending on where you are joining us from today. Welcome to today's webinar, FinServ in the new age of identity, addressing your biometric concerns. And this is a very hot global topic. In fact, at last week's Money 20/20 Show in Las Vegas, over 1,000 financial executives attended a session I was invited to moderate on biometrics and payments. Now, having been in the business for the past 15 years, I can tell you that this type of turnout for a biometrics session is not the norm. Heck, in the early days, we were happy if we could get 50 people out to hear a talk about biometrics. And by the way in Vegas, when I asked the attendees how many in the room were using biometrics on their mobile devices every single person raised their hands. A hundred percent of the audience was using biometrics.
My name is Peter O'Neill, and I am the President of FindBiometrics and Mobile ID World. And it's a very exciting time for us because of the amount of interest in biometrics globally. Not just financial and FinTech, but healthcare, law enforcement and justice, IoT, robotics, automotive, border control and national security, and watch out for enterprise-wide security especially now that we have physical, logical, digital, and mobile all converging in the enterprise. The global interest in biometrics has never been higher than right now, and we are in our 15th year and we cover the market like no one else with in-depth articles, insights, the largest yearly review of our industry, featured theme months, newsletters, interviews with the leaders, speaking engagements, and of course, our now famous webinar series. And we've got a lot to cover today, so I'm going to jump right in.
I would now like to introduce our panelists for today's discussion. Brett McDowell, Executive Director of the FIDO Alliance, Al Pascual, Senior VP, Research Director, head of fraud and security, Javelin Strategy and Research, Richard Lobovsky, VP, Enterprise Solutions, Samsung SDSA, and Shankar Saibabu, Director, Solutions Architecture, Samsung SDSA.
Now, I'd like to start off today with a quick survey and I'd asked you all to complete a launch in the second and the question is, how are you planning to convince your customers that biometrics are secure and easy to use? And we're very fortunate today to have with us one of the leading global analysts who will provide us with an industry overview to set the stage for our discussions today. So, take it away, Al.
Al: Thanks Peter. One of the industries and you had mentioned this right up front where there's a lot of excitement around biometrics is in financial services. So, I wanted to set the stage in talking about this space and how biometric adoption is progressing by actually starting with a conversation just a minute or two on mobile banking in particular. As the adoption of the mobile devices that are in our pockets, the tablets we use everyday has grown year over year. That has driven the current growth of mobile banking. What you'll notice is that, especially as Smartphone adoption has grown, mobile banking has grown in tandem. And in fact, over the last year, one of the things that Javelin has noticed in our data is that mobile banking has now exceeded branch banking. So, if you are in the financial services space, and you wrap your head around that, or even if you're not, but there are bank branches everywhere. Banks have invested immense amounts of money in bank branches and now, consumers are turning to mobile first. By going to that mobile device, each one of us does it, it's so easy, it's so convenient, it's right there in our pocket.
In fact, we leave home without our wallet to go to work, we'll borrow $5 to go get lunch, but if we leave our house without our phone, we will turn around in traffic, go home and get our phone, right? So, mobile is at the forefront of financial services. Now, what that means for biometrics is that we have introduced a device that has kind of lowered the bar in financial services when it comes to leveraging biometrics. You no longer need some kind of separate device like a USB dongle fingerprint scanner to leverage fingerprints, leverage biometrics in banking. Now, we have these devices, fingerprint scanners built into many, you have front facing cameras, so you can do things like facial recognition. You have the capabilities to do iris scanning, you know, every one of these devices has a microphone, which allows us to do voice recognition. The fact of the matter is, consumers are being made aware, their level of awareness is rising around these types of solutions, Touch ID. I think Apple did a really great job in making it seamless, making it attractive and futuristic. And the fact of the matter is, you can see even the data, consumers are now placing these solutions, you know, higher than the traditional solutions that they've used for years. And you may think to yourself, well, of course, they're going to be more willing to use something like fingerprint scanning. It's just so much easier.
But fact of the matter is willingness to use a form of authentication is very much predicated on familiarity. We've noticed this for years, whenever a new type of authentication technology is introduced; one of the biggest inhibitors to willingness to use is how new it is. But again the fact of the matter, we are becoming more aware of these solutions, we're using them more and more every day. And so, consumers are in a position now that when you provide them with a biometric solution, whether that is in financial services, or you know, in another industry, that they are going to be very willing to use it now. We would love to get that number up for fingerprint scanning from 49% to 80%, right? Eye scanning from 47% to 75% or 80% or better. We're going to talk a little bit about how that's going to play out, how we're going to work in that direction, but we're already moving the right way and that's very exciting. And in fact, banks have become aware of this, right? And they've changed the way that they make authentication available to customers making biometrics more part of the everyday in mobile.
And so, what do we mean by that? Last year, there was this huge drive for something called pre-login balance viewing. So, you would go to your bank app, you pull down on the top of the screen, even before logging in, and you'd see your account balance. Now, there were a lot of concerns in the industry as to how they could navigate that, you know, function while also doing the type of authentication they needed to do to meet their regulatory requirements. What ended up happening was many of those banks that were kind of struggling with that question, they were, I guess, maybe almost saved from having to answer it, because biometrics has just gotten to be such a big thing that the answer was right before them. And what they did instead was enable fingerprint scanning more broadly, right? So, who needs pre-login balance viewing when all you have to do is swipe your finger? So, what we saw over the last year is that half of the top 30 FIs now enable fingerprint scanning. And that's a huge development and we expect that to be significantly higher when we conduct this survey again here in the coming months.
Now, there are some examples here, very specific bank by bank, it's not just fingerprint, right? So, you look at Wells Fargo, they're covering all their bases, fingerprint, voice, face, iris, now, USAA, fingerprint voice, face. I mean, even smaller institutions, Latin America credit union, right? And so, we expect there to be not only growing adoption as far as the number of institutions offering biometrics at all, but in fact, we expect to see broader adoption of a wider variety of different biometric solutions, including use of multi-modal biometrics, which I think we're going to talk about here in just a second. So, all in all, the banking industry is moving in the right direction. We think we're going to see continued growth in biometric adoption. Consumers are getting used to it. This is a space with a lot of security already imbued at consumer expectation of trust in their institutions. So, leveraging something like biometrics just makes a lot of sense here.
Peter: Are these numbers North American global? Which part of the world do these cover?
Al: So, Javelin covers America, we cover Canada through our corporate parent. We actually have offices in London and in Singapore. The data here though, is specific to America, to the United States.
Peter: Thank you very much.
Al: To kind of give a breakdown of what we mean when we talk about these different biometric modalities, and also the specific use cases that exist at least within financial services, and some of this actually carries over to other industries as well, so places like eCommerce. But thinking about those different solutions, you have fingerprints. I think all of us are very, very familiar with the fingerprint. In fact, the fingerprint has been used going back to ancient Chinese dynasties to identify who made a pot. So, this is something that we've been very familiar with. And in fact, in our research, we've always seen that when it comes to trust in a solution, fingerprint tends to be at the top, just because we're so familiar with it. Now, there's facial recognition, and this has gotten better over time. It's not just a static flat image. Now, it is certainly looking at the physiological features of your face. But many of these solutions now will leverage things like micro movements in the face, essentially looking at a 3D image of your face.
And so they have really raised the bar in identifying whether or not you're not only you, but whether or not you are in fact live. There's also been pattern recognition. This is not necessarily palm scanning like a fingerprint scan; this is actually looking at the veins within your hand, a vascular pattern. This is something that had quite a bit of adoption in the commercial space. Healthcare, defense. There’s iris scanning, and other variations of eye scanning. Our eyes are unique, much like snowflakes, and we expect to see more and more of these solutions coming to market, especially in financial services, the adoption to grow around the eye. I know there's a lot of excitement there. Voice is one of those solutions that mobile helps to make very, very possible, but it's one that can be leveraged across any number of channels which makes it very exciting in financial services. And we don't need to use these in isolation. There's also the question of multimodal, so taking something like facial and voice. So, as you are verifying the physiological features on my face, you asked me to read something out loud. That way you get an additional likeness check, you get to verify the features of my voice, the pitch, the cadence, and then you're getting an additional level of assurance that you are dealing with Al Pascual. Rather than Peter O'Neill.
So, how do we use these in financial services? Quite a few different applications available. You have the online applications; I think that's not a huge surprise. How we're leaving this conversation is talking about mobile. But fact of the matter, we can leverage one solution, we can leverage multiple, you know, there are really high bars for authentication in financial services, and biometrics are just a natural fit. But there are also opportunities to use biometrics at the point of sale. If you are a retailer, you know that could involve biometrics at the terminal; it could involve biometrics on a card. There are providers in the space now that actually have, you know, fingerprint scanners baked into physical plastic cards. So, biometrics are finding their way to the point of sale, reducing friction and improving on the pen and the signature. That was the big debate over the past couple years with EMV. I think the big debate going forward is going to be more around what do we replace pen and signature with and the fact of the matter, again, biometrics.
ATMs, we've seen some of these already, they're popular in places like Turkey and Poland, but biometrics baked into an ATM so that you have the combination of the card, the pin, and something like a palm or fingerprint raising the level of security and as we see things like skimming at ATMs continue to be a challenge not only in the United States, but around the world, bringing in that biometric component can do a lot to bring down that risk. There's also the question of the branch environment, much like retailers. Banks can benefit from leveraging biometrics within the branch and so, that could look like a completely unstaffed branch. So, think of something like a tablet or series of tablets installed within a grocery store, for example. It gives you an opportunity to reach a broader audience of customers, not have to build a branch network yourself. But at the same time, leveraging the biometrics to make sure that the person you're dealing with is, in fact, legitimate or supplementing within your branch. So, reducing the headcount, bringing in the video banking, and leveraging biometrics as well. Great opportunity to maintain a strong customer relationship, strong customer experience without giving up that identity proofing or authentication capability.
And then finally, there's fraud identification. So, by that we mean being able to say that we've heard this voice before, for example, and we know that it's been associated with a fraud, or financial crime or that it's some other form high risk and that you need to take action. There are innumerable benefits; it's not just stopping someone from getting in the front door, right? There are layers of intelligence that can be taken advantage of when it comes to biometrics, a wide variety of use cases and a number of different modalities that can make it all possible. So, I think that's enough of my yammering, Peter. I think I'll yammer a little more, but I'm going to pass it back to you for now.
Peter: Al, thank you very much. That's a tough thing to do, cover off an industry overview like that, with as much going on in biometrics as there is. So, thank you very much for that. I really appreciate it. And before we move on to our panel, I'd like to get one more quick survey because it's very important that we hear your opinions. And so, the question now in accordance with FIDO standards, where is your encrypted biometric identity stored during a financial transaction? I'll launch the poll now and please pick one in this one. I'll just give you a chance to read through. The answers are coming in right now. In accordance with FIDO standards it'll close in five, four, three, two, one, close. Let's take a look at those results. And here we are, and by far 69% showing that it is stored on the device. And thank you very much for participating in that.
And now, I would like to move on to our panel discussion about some of the myths and misconceptions about biometrics. And the first misconception is biometrics is a hassle and are time-consuming. I don't have time to wait for an eye scan, whereas in reality biometrics take one to two seconds to complete and are much easier and quicker than entering a complex password. And Rich, I'm going to ask you to start off on addressing this one for us, please.
Rich: Sure. So, I would agree that in our experience using a biometric for authentication is typically a lot faster than using a password, and the processing time for authenticating using biometrics is consistently improving as the advancements in technology take place. While it does take a bit more time at the beginning when a user registers their biometrics, typically a username and password is required to do that initial registration. Once that user completes the process, they never have to use their username and password again and the actual time it takes for the user to authenticate is very fast in our experience utilizing most biometric engines out there.
Peter: Anybody else like to weigh in on this one?
Al: Even one to two seconds is being a bit conservative. These solutions now, they're doing in milliseconds and that's become the expectation. It's blink of an eye, consumers don't even notice in some instances that it's occurring. Some do take longer, but you know, some take considerably less time than a username and password. So, I think it's pretty spot on.
Peter: When you think about what the alternative is, I mean, a password, biometrics are a hassle. I would argue that passwords are actually the hassle, and boy, I hear so often that different venues when we're speaking that, you know, people really are just fed up, they cannot deal and I'm sure in our everyday lives we all face this that passwords are so unworkable now that they just, you know, there needs to be a replacement out there. Move on to the second myth, if someone steals my biometric password, my identity is stolen. Whereas the reality one solution is to ensure that the biometric password is stored on the device used to enable authentication, so that no data is sent to the financial institution.
Brett: So, for example, the FIDO standards as the survey showed, most of you already know this, which is fantastic. And it's not just FIDO standards; there are other deployment schemes that are quite popular about how to use biometrics for authentication in a kind of one-to-one matching scenario like financial services. Where the biometric template never leaves the device, it's stored in the device, it's not just on the device and never sent to the website, the online service, but more than that, increasingly the new devices have different environments actually on that device. So, secure enclaves, trusted execution environments, secure elements. These are areas within a device separate from where you download software, so that even if somehow the user gets tricked into installing malicious software, that malicious software has no access to the biometric template. Or if you're using FIDO, the FIDO private key either both of those are increasingly integrated by default as an industry best practice in these trusted execution environments within the device and safe from any kind of malware.
So, not only does no one receive your biometric information, but not even applications running on your device can access that information leaving you entirely in control of the use of that information. And you can prove that you are the same user who registered your FIDO credentials with that service without needing to share that information because of the public-private key scenario. All you have to do is sign transactions to prove you're the right user. You don't have to give away your private key or give away your biometric information.
Peter: Thanks very much, Brett. Rich, is this something that you're hearing in the field? Is this one of these misconceptions that you get faced with fairly regularly?
Rich: I don't think we see it as much from enterprise professionals as we may see it from sort of the average consumer who may have concerns about how information is shared and where it's stored. And just to add to what Brett said, he mentioned a biometric template. So, when you register a biometric, we're not actually capturing your fingerprint, we're capturing a numerical representation of your fingerprint. It's captured during the registration process. And also to add what Brett said about the trusted areas of the device. We use the trusted execution environment on Android devices to actually encrypt the biometric template and the private key which then gets stored in the operating system of the device. With respect to Apple devices, with iPhones, we use the keychain security protocol that's resident within the Apple operating system and essentially leverage that for encryption and secure storage of that data. So, you know, so, the misconception is out there more in the consumer world, but I think we have a very clear and solid story to try to address those misconceptions.
Peter: I'm going to move on to our next misconception and that is, but then what if my device is stolen? And to your point, all biometric data is encrypted into a numerical code that can be stolen, but theoretically cannot be extracted from the device or recreated into your biometric.
Shankar: If the device was stolen the biometric data as Brett and Rich mentioned earlier, it's encrypted within the trusted execution environment on the Android devices. And you cannot really reverse engineer this data. And so, one would either have to, again, steal someone's actual fingerprint or face and voice, but even at that point, the user who has lost the device can quickly deregister the device from the server side. And so, the public key if it is deleted on the server, the server can no longer accept the message from the stolen device, even if it has signed by the private key. So, there are checks and balances, again, FIDO standard allows us to take care of all of these scenarios. So, it's not really a serious issue. And again, since we're only talking about one user's data as against if the data was stored on the server side and you lose all of the data, you have now compromised all the users' data.
Peter: Anybody else want to weigh in on this one?
Al: Just to kind of add to Shankar's point that if you have the data off of a device, you can't use it because it's a mathematical extraction or extrapolation. But, you know, the scenario he brings up if someone actually went and stole the real fingerprint, right? In order to commit fraud using your device, getting access to your account. If you have someone going around lifting your fingerprints, then you have bigger problems than the vast majority of fraud victims. We see big breaches at places like LinkedIn where researchers are taking entire files, their usernames and passwords and putting them online for free. We see big breaches at Yahoo. I mean, that's how criminals are going to go ahead and do what they do, right? It's low-hanging fruit. The fact of the matter is biometrics are so well-protected in this scheme that it basically puts them completely out of reach for criminals. So, 100% agree. I just also want to put it in context that while it may say, you know, things like theoretical here, the fact of the matter is, it's basically a non-issue.
Peter: Right. And it's really not, as you mentioned, the bad guys are after millions of records, not one and then another one. There's nothing in it for them. So, I would agree wholeheartedly with that. Okay, the next misconception, biometrics simply aren't secure. I hear about so many breaches in the news. The reality, although biometrics aren't foolproof, they are more difficult to compromise than numerical passwords. And there are measures you can take to embed additional layers of security. And Al, now that we're talking about this, maybe you could just continue on in this vein, please.
Al: Yes, I did. I guess I got ahead of myself a little bit, but I was excited about the last misconception. So, maybe latching on to that last bit, what can you do to layer in those additional bits of security, right? So, there's certainly live testing. So, even if a criminal gets a hold of your biometric data, or your actual biometric, so they lift your fingerprint or they get an image of you off of Google, for example, and they want to use it to try to bypass facial recognition software on the fingerprint side has liveness testing built in. Some of these solutions are both optical and capacitive. So, they're looking for electrical current in your finger, for example, if it's facial recognition, they're looking for micro-movements. There are other things you can do, such as layering in your voice to my earlier example. So, we can make up for the difference at the end of the day, even if someone happens to get hold of your biometric information in one way or another, but compared to how criminals are currently lining their pockets and we can play the, you know, the game with a focus at home today. I mean, how many of you reuse your passwords, right? You have a unique username and password for every site you're on, probably not. Criminals leverage that to again get paid. At the end of the day biometrics are just so much more secure for so many reasons, that it's not even a remotely fair comparison. But we can make up for it go multimodal, you know, do the liveness testing and make it near impossible for criminals to reuse that biometric data.
Peter: Thanks. Brett, you and I have had many discussions about the multi-modal, the push these days. Can I get your take on this particular misconception?
Brett: Sure. Having to touch on multi-modal as well as some other aspects. So, the thing about biometrics that you'll hear, you'll hear biometrics are probabilistic they're not deterministic. You'll hear biometrics are not secrets because, you know, when you leave the glass behind when you leave lunch, you're leaving your fingerprints on the glass. But you have to consider the architecture. What's important to understand is the end-to-end solution. And why applying biometrics into an appropriate end-to-end solution is far superior to any other account credentialing system we have today. It's because biometrics is simply that local device in a FIDO architecture, it's the local device verifying that it's the same user that registered for the credential. So, as long as you know you've got the right user when you enroll them then you know you've got the right user when you collect that evidence. The only vulnerability that's viable is not financially viable for cybercrime. And that vulnerability is I have to steal the person's phone in order to attack their credential.
So, I have to have taken their biometric evidence, I need to get that from them somehow. I have to create a spoof, I have to steal their device, and I have to compromise their device which is not easy to do, by the way, when you do hear about this, you keep hearing about this one super researcher who does it, but it's not easy to do. I have to do all of that, I have to do it before that user reports a lost or stolen phone, so that the services can deprovision the public keys. So, like it is so impractical to attack that and that is so much harder and cost prohibitive to attack, than, you know, sending out 10 million phishing attacks and try to pick up passwords. On the multimodal side, you know, one way to have biometrics even harder and harder to spoof on that very narrow attack surface is by leveraging both camera and voice, camera and pin, camera and fingerprint, because now, it becomes harder and harder to build a spoof and the industry I think is ahead of the curve in terms of, you know, the arms race of security versus attacker when coming up with making biometrics harder and harder to spoof. And there is no scale in a FIDO architecture. So, you have to only go after this one highly valuable target, which, again, it's cost prohibitive in financial services.
Peter: Well, you've raised some very interesting points there, Brett, unfortunately, in the mainstream press, there's a lot of news whenever new fingerprint sensor is spoofed, but as you mentioned it, it's a very complex thing to do. And really the bad guys as Al was mentioning, they're after millions and millions of these records, not one and then one more, and then one more. So, thank you very much for answering that. And the next misconception, biometrics are so temperamental. I'm not in the correct lighting or there is too much background noise. I need to try to capture my login multiple times. Where the reality is there have been many technological advances around biometrics that are able to filter out noise now, recognize faces in the dark, or match facial structure based on bone structure curves around the eye socket, nose, and chin, etc. And actually, Rich, can I ask you to address this one for us, please?
Rich: Yeah, so certainly would agree with the comment that, you know, there have been a lot of technological advances, so this is continuing to improve over time. As a provider and a group that looks at a lot of different biometric engines because we essentially aggregate some of our own and some partner engines into our platform, we're seeing these things constantly and we're seeing consistent improvements over time in the ability to deal with outside noise, deal with shades and dark spaces. We've even seen one of the engines that we use you can hold the device as far away from you as possible in your hand, and it'll still recognize your face. And it will authenticate fairly quickly. So, you know, while things are not 100% and I wouldn't say that they're perfect, we're seeing an improved user experience when you compare to traditional passwords that can be easily forgotten.
Peter: And Al, yeah, I know you do a lot of work in this area with new technologies, advances constantly coming to this particular area. Can I get your comments on this, please?
Al: So not to be a knock on any one solution, but years ago we had a voice biometric provider come into the office and they gave a demo and one of my colleagues had a kind of like a mockup setup or demo setup, using his voice protecting his, you know, account at ABC bank and he challenged anyone else in the office to get into the account. And it just so happened that my other colleague was from a very similar place. I think it was just outside or they're both from just outside Chicago sounded very similar and ended up beating the system. Now, that being said, this was years ago, we've gotten quite a bit further ahead from technology perspective as you've already mentioned. But then on top of that we have flexibility in some of these solutions too, right? And so, I think that's an important thing to mention. Not only have we gotten better at discerning the true user from another individual, but we can turn that dial up or down, right? And so, if you are in a situation where you are trying to authenticate a high-risk transaction. Well, in that case you may be willing to live with, you know, some additional, you know, some additional false positives, right?
You turn the dial up a bit. Whereas if you're dealing with a relatively low-risk situation, you turn the dial down. And you'll have some false negatives are basically some folks to get through and you catch it on the back end. But there is no kind of like absolute line in the sand that you can draw for that you should be drawing or be thinking about when you're talking about risk management. That isn't how risk management works, it isn't stopping everything. It's figuring out from a layering perspective how we manage the risk. So, at the end of the day, you know, a lot of different things to consider. It has gotten better, but, you know, you're not stuck in this trap where either it works or it doesn't, you have flexibility, you know, as a relying party and how you implement which can also make a huge difference.
Peter: Very interesting, Al, because in the panel at 20/20 last week, one of the things that came out loud and clear that users will have choice. And that, you know, you'll choose the biometric modality that best suits what you're doing and what you like. So, it's very interesting now. But what I'd like to do now is jump to questions from the attendees, and we have a lot. And what's very interesting to us as we were checking out the questions that are coming in, a lot of them have to do with things we have just covered off, and they came before we actually covered off, so spoofing was a major question in there. But I'm going to ask a specific one right now, is the panel going to discuss the registration process to ensure that the person is indeed who they say they are? Is there any form of identity proofing done? Who would like to take that?
Brett: Sure. This is Brett, I'm happy to jump in on that. So, there are two things I think are worth mentioning given everything we've already said today when it comes to registration. The first is around one of the myths that biometrics are, you know, difficult in some way. I mean, the whole point, the reason everyone is racing to biometrics is because it's such a better user experience. But I will point out, it's a better user experience after you've registered it. So, you do have to register and enroll your biometric templates to your device. And that honestly does take a little bit longer, a little more effort than typing a password for the first time, let's say. But once you've done it one time for your device, you're now enrolled for the lifetime of that device, and you can reuse that registration on every application. And when you compare that level of effort to typing in a password on every other application, there's no comparison. So, I just wanted to acknowledge that, that on registration biometrics takes a little effort. But again, only once for the lifetime of the device.
The second part is identity proofing and binding to the credential. So, what the FIDO standards do is they offer a new type of credential using public key cryptography. And that private key is in the device, the biometric is just giving authorization to sign challenges, to use that private key. How you identity proof the user is critical, but it's also something that all of these online services are already dealing with today. So, to the extent that a financial services company, they already have the best practices that they are deploying for identity proofing and recognizing that user before they let you log in from any device, create an online account for the first time. So they are putting you through that, they're basically leveraging all that identity proofing they've already done when you first opened your account with that financial services company and they are relying upon that when they let you register your FIDO device.
They do that by making you log into the system, and then they can identify whether that session is a trusted session. If you're in a well-trusted session from a recognized device, then that would be a good time to invite the user to register. If it's a login from a device you've never seen before, from a geography you've never seen before, you may not want to invite the user to register a FIDO authenticator at that point. So, all the control is in the right place. It's in the hands of the fraud management team and their advanced risk-based back end to make that decision. And if they do trust the session, then they're basically leveraging all the identity proofing they've already done when they invite you to register your authenticator.
Peter: Thanks very much, Brett. I'm going to move on to the next question. How is device-only biometrics going to be used to handle shared workstations or roaming users? And Richard, could I ask you to weigh in on this one, please? How are device-only biometrics going to be used to handle shared workstations or roaming users?
Richard: I think I might look to Shankar, to maybe chime in on this as well. But in terms of devices like this, so standard devices, laptops, things like that we can leverage let's say using biometrics to access web-based applications using biometrics and with the right type of biometric authenticator within let's say, static devices like a laptop, you can use push technology to authenticate using biometrics into applications that are running on those kinds of devices. And there are some organizations that are actually embedding biometric authenticators into chipsets that would enable you to use biometrics to access let's say applications running in a Windows Hello environment, for example.
Peter: Thank you, Richard. And Shankar, before you leap into that, we're getting a number of questions about the same general topic. Another one is what is the role of biometrics in the cloud? Similar kind of vein. Shankar, can you jump in on that one, please?
Shankar: Based on the FIDO standards, the basic assumption is biometric stays on the user's device. So, if the user is actually using a shared workstation or accessing a service in the Cloud, there are solutions out there where a message can be pushed to the user's device just like an OTP. But in this case, it wouldn't be an OTP, but the device wakes up and challenges the user for a biometric authentication and once they are authenticated, they then get access to either the Cloud service or to the shared workstation. So, it all comes down to accessing the same biometrics that they have registered on their own personal device.
Peter: And Al, do you find that you're dealing with this issue on a regular basis with the Cloud versus on device type of scenario?
Al: You know, one of the topics we've been talking to some of our clients about, I'll say over the past couple years, has been leveraging geo-fencing within the enterprise. So, I think with this type of solution, you are kind of bringing the best of both worlds together. So, given the example that Shankar shared, where you have an enterprise user who wants to get access to a web application on a shared workstation, they get challenged, they authenticate through their own device where that biometric is directly connected to the device that they own, they get logged in out of band, and so now, they're in, they're at the workstation, their device is with them at the workstation, and once they happen to either log out or, you know, step away from that station, they are logged out. Because their device left as well, leveraging that geo-fencing. So, it's a really complementary way to manage for enterprise authentication, and this is a nice marriage of some of the things that our clients are already talking to us about.
Peter: Well, thank you very much. We do have a lot more questions, but I'm going to call it here. Thank you very much panel for the excellent answers. It was amazing as we looked at the questions coming in, how well they sort of dovetailed with the misconceptions and myths that we did deal with. So, thank you all for attending. This concludes our webinar today.