Using biometrics for effective identity management & to prevent impersonation : Mathew Chacko, Founder Director & CEO
By Mathew Chacko, Founder Director & CEO, Precision Group
Source: ET Edge - Insights, Economic Times, 19th Jan 2021.
There have been several articles published on information security and the threats and breaches caused by impersonation. Most authentication systems, such as those used on banking portals or apps and other enterprise applications still use passwords (‘what you know’) for user authentication. Password based systems, having served well over several decades, have now become the weakest link in authentication, owing to scenarios such as password theft, compromise through hacking and use of common passwords across several applications.
To counter this threat, two-factor authentication systems made their way into mainstream implementation. Two-factor authentication systems usually depend on a second factor, such as a PIN, an OTP or tokens being entered along with the password, in-order to gain access to the systems being used. However, these systems too, while being better than those using only a password, are not unbreakable, since the devices used to generate the second factor – such as the mobile phone or token device (‘what you have’) can also be stolen or misplaced, thereby compromising the second-factor too!
Protecting secret keys in software is done by using white-box security. However, software can’t protect software that well and hence implementing hardware in a trusted environment, would be a more robust implementation.
This is where the use of biometric technologies can come in of use. Biometrics (‘what you are’) cannot be lost or stolen. By the very virtue of their inherent characteristics, biometrics can prevent impersonation and/or proxy marking and also provide for non-repudiation.
Biometrics are of two main categories – physiological and behavioral. Physiological biometrics have been in use for quite a while and the most common ones are fingerprint, iris & face. These biometrics are easy to capture and the necessary systems are relatively easy to implement & use and have seen widespread acceptance across various use cases & scenarios, be it national ID systems or in the enterprise, banking and other vertical segments.
The Indian national ID program – UIDAI’s Aadhaar is the biggest biometric verification/authentication system in the world and has delivered significant benefits to the residents (the beneficiaries of various programs) and the government. Implementation of biometrics in the Indian banking space has led to fast and efficient eKYC systems and has also helped banks protect their own internal software systems (Core Banking Systems).
Similarly, deployment of biometrics in other segments such as Telecom, Insurance and others, has provided similar benefits in terms of improving efficiencies, enhancing customer experience, optimizing costs amongst others.
Enterprises have been implementing biometric systems for various purposes such as attendance, physical access control and logical access control (logging into PCs, accessing enterprise applications and so on). Once again, biometrics have helped in accurate identification of the users, preventing impersonation, establishing non-repudiation and creating clear and fool-proof audit trails.
If biometrics can be used in combination with a secure controller which provides features such as key pair generation & exchange, encrypted storage & communication and basically helps establish a trusted execution environment for the authentication challenge, this would help further enhance security and provide an authentication system which is fortified multifold. This is owing to the fact that that devices accessing each other (such as a server and the end-user device) can perform a secure handshake and identify each other as the authentic devices participating in the transaction, exchange keys and encrypt all communications with each other, the credentials (biometric) could be held securely without any risk of being hacked and the user authentication would be fool proof since biometrics are used for verification.
We, at Precision, have been investing heavily into R&D and have been focusing on creating our own intellectual property. We have developed several solutions in the biometric and IoT space and some of these innovations are in the process of getting patented. Some of these solutions are described below.
Precision’s InnaIT® Framework is a solution that has several modules that help prevent impersonation and to ward off issues related to password compromise. Precision has implemented this solution at various banks, financial services institutions, and other enterprises.
Precision has also seen a lot of interest being generated by a new and cutting-edge solution called InnaITKey, specifically in the banking and enterprise space. This solution ensures that digital transactions (such as a banking transaction over the internet) are completely protected (using robust encryption techniques) and impersonation, man-in-the-middle, phishing, and other such attacks are prevented.