February 11, 2014

Hector Hoyos, CEO of Hoyos Labs
The series of corporate security breaches that fill consumers with worry highlights the pressing need for more effective, secure identity authentication technologies. One technology stepping up to meet this need is biometrics, the identification of unique human traits (e.g. eyes, fingerprints), to protect both consumers and corporations. Biometric technology is one of the most sought-after means of data and identity protection – and rightly so. However, many corporations are looking toward biometric tokens to solve the problem, when in reality the answer lies somewhere else.

Existing technologies that aim to protect important data and personal information (usernames, passwords and PINs) lack convenience, and these “safeguards” can be stolen by the millions or easily deduced by identity thieves. Financial information has been hacked and sold on the black market due to lapses in data storage and protection measures, and corporations lose billions annually on these types of issues.

But convenience – the factor that most influences continued use of a technology – is where today’s identity assertion technologies are lacking. Traditional log-ins are a common inconvenience due to the sheer number of passwords and usernames that one must remember. When a person forgets this information, a convoluted and less-than-secure process is required to regain access. Consumers and corporations alike are demanding an easier way to cut through all of the usernames and passwords that they face on a daily basis. As a result, the time is right for biometric identity assertion platforms, especially in the corporate financial world.

Token versus Token-less

In the current landscape of biometric technology, two types of identity assertion solutions exist: tokens and token-less methods. Tokens include any stand-alone gadget, piece of hardware or access key that is used for two-factor authentication (2FA), which – along with standard username and password entry – uses either a unique PIN or the user’s biometric information to complete the identity authentication process.

Token-less includes integrated biometric solutions that leverage existing acquisition devices, such as smartphone cameras and built-in fingerprint sensors (like TouchID on the iPhone 5S), to obtain the biometric information that’s needed to log in to websites or power on devices.

Consumers have made it clear that they are ready to introduce biometric identity assertion platforms into their daily lives. Studies conducted by PayPal and Ericsson found that more than half of those surveyed would prefer to unlock their smartphones and replace passwords with biometrics. Almost half of those surveyed said that they would opt for iris scanning as the method used to acquire their biometric information.

To effectively tackle the issue of convenient security, biometric tokens come up lacking. These tokens require an extra piece of hardware or gadgetry to carry around, which, as mentioned, can be easily lost or stolen. These tokens can also be easily hacked and spoofed, detracting from their ability to protect the user’s information.

Most notably, RSA’s SecurID 2FA token was hacked on the back-end where it stores the algorithm used to generate the unique PINs. This resulted in the hackers generating secure PINs that they used to infiltrate Lockheed Martin and steal sensitive data. RSA’s tokens were also physically hacked into by a group of computer scientists who pried open the SecurID 800 – and other similar 2FA tokens – in less than 13 minutes. From there, they were able to extract the secure key codes that were stored and generated in the device. Tokens like these are merely a step backward in innovation when compared to an end-to-end, integrated biometrics identity assertion platform.

The clear solution for consumers and companies to improve security and convenience is to couple the ubiquity of smartphones with biometric technology into one integrated solution. Smartphones have become a near necessity in today’s society, which makes them the perfect acquisition device for a biometric identity assertion platform. People don’t want to carry another gadget with them; they want less hassle in their lives, and in this day and age, that means solely relying on one’s smartphone instead of another dongle or add-on.

In order to succeed where tokens have failed, it is essential to have an end-to-end biometric solution that possesses a secure back-end and liveness detection. It is also imperative to utilize iris biometrics, as they are the most secure biometrics available – no two irises are the same, even among identical twins.

Secure back-end software implements intrusion detection, as well as data encryption, which are features that most hardware biometric tokens lack. Liveness detection – how mobile applications distinguish a live person from a decoy image – is crucial in preventing hacks such as the one on Android 4.0’s facial recognition feature. Merely using a photograph of someone’s face to unlock the phone circumvented Google’s software for Android 4.0, known as “Face Unlock.”

Consumers now want biometrics built into their smartphones, which mobile device companies have recognized. Three major companies have begun to add biometric acquisition to their smartphones – Apple’s TouchID, Android’s Face Unlock and Samsung’s rumored fingerprint or iris scanner – which signals a shift toward the acceptance of biometrics as a means of convenient and secure identity assertion. For successful consumer and corporate adoption of biometric identity assertion, it is essential to integrate biometric platforms into smartphones that feature secure back-ends and iris capabilities, thus maximizing both security and convenience.

Hector Hoyos is chairman and CEO of Hoyos Labs. Hoyos has been in the biometrics and IT fields since the mid-1980s as the founder and president of various biometric companies. He co-founded and presided over Biometrics Imagineering Inc., creating state-of-the-art technologies, such as fingerprint identification systems and interactive financial transaction systems. He also helped incubate the Praetorian technology, a real-time video surveillance technology, which, in February 2008, was awarded a training/video surveillance contract by the U.S. Marine Corps. Additionally, Hoyos served as the founder and CEO of EyeLock Inc., an iris-based identity authentication company, previously named Global Rainmakers, Inc. (GRI). He also invented the highly acclaimed HBOX, Eyeswipe and Eyelock iris biometrics-based access control family of products. His inventions have been implemented in various verticals including border control, education, healthcare facilities, airports and financial institutions, among others, both in the U.S. and abroad. Currently, he manages a digital infrastructure security company, Hoyos Labs, with a biometrics R&D lab located at the Cambridge Innovation Center on MIT’s campus. Most recently, Hoyos Labs announced the debut of HoyosID, a free mobile app for Android and iPhone devices that will leverage biometrics to securely and accurately authenticate one’s identity and eradicate the need for usernames and passwords.