By Todd Seeley
People have long used trusted identities on cards to enter buildings and access their resources and services. The user IDs that the access control system employs to grant or deny access are issued by a trusted source, giving organizations confidence that card holders are who they say they are. With a cryptographically protected credential, the identity data cannot simply be copied to another card or medium, but nothing stops a card holder from handing the card to someone else. A card may also be lost or stolen, creating a further opportunity for unauthorized access.
The use of mobile trusted identities and biometrics, along with the transition to managing trusted identities in the cloud, is solving these challenges while also creating the opportunity to make user experiences more convenient and enjoyable.
Mobile Access Opens Door to Cloud-Based Identity Management
Using mobile devices for access has two key security advantages. First, people do not generally share their mobile device with others, as they might share an ID card. Second, before any transaction is initiated, both the system administrator (through policy) and the device owner (through the device's own lock) can require a successful device authentication, such as unlocking the phone, before the credential can be used.
In addition to these advantages, mobile access brings another important benefit: the cloud-based identity management systems to which mobile devices are connected.
In a cloud-based management system, a trusted identity is data that can represent anything from an employee ID, credit card or driver’s license to a loyalty card or ticket to an event or performance. Cloud-based systems are already used to load credit cards into people’s mobile wallets so they can make purchases. They allow data for these and other applications to be securely created, delegated, delivered and presented.
One of the first examples of cloud-based trusted identity management was the HID Seos® platform technology. At the heart of the platform is a cryptographically protected secure vault for storing identity data that is used to access buildings and their resources and services. The platform also enables the secure creation, delegation and delivery of this identity data by providing a secure connection between a system backend and a user device. Once the identity data has been securely transmitted to a user's mobile device, the user can conveniently open doors, be admitted into entertainment venues, interact with banks and other retail or financial systems, and more.
With trusted mobile IDs and a cloud-based identity management system in place, organizations can further improve convenience and security by adding biometrics such as fingerprint and facial recognition. These biometric technologies significantly improve the user experience when accessing buildings, venues, devices and services, provided the design protects the user's privacy, as discussed below.
Biometric solutions improve the user experience and enhance security by eliminating the need to enter a username, password or other information such as a credit card number. A successful match gives the system high assurance that users are who they say they are; in practice the match is a comparison score against a configured threshold, so the false-accept and false-reject rates are a deployment setting rather than an absolute. The system also learns the user's intent from the context of the match, such as logging into a network or executing a financial transaction.
User Privacy and Data Security
While some believe that biometrics jeopardize privacy, a well-designed solution can improve it, especially when combined with cloud-based ID management. The software provider's end-user license agreement (EULA), accepted by customers during enrollment, should not only define what the application does but also state that the biometric data is anonymized. It should also stipulate that, when users select the option in an application (a banking application, a loyalty account application, and so on) to have their biometric template captured, the data is used only for that application: the camera is not turned on unless the facial biometric option has been selected for that app. The EULA must also prohibit data sharing.
To further protect privacy, all personal information, including photographs and biometric data, as well as all transaction information, should be encrypted in transit and at rest. Biometric data should also be stored separately from transaction and account data on the network, so that a compromise of one store does not yield the other. Unlike a password, a compromised biometric template cannot be reissued, which makes protection of the template store and its encryption keys the critical control.
The mobile-based access solution should also include document scanning and authentication technology, so that it does not just capture the image of a government-issued ID but also reads it and validates that it is genuine. For many applications there must also be a secure way to perform biometric matching, the process of comparing the user's actual finger or face against a digital representation, or template, of that data stored on the user's phone. The template is first transferred from the cloud-based ID management system to the phone and, later, from the phone to a biometric reader. The user approaches the reader, has a fingerprint or face captured, and places the phone on the reader to securely transfer the template; the reader then compares the live capture with the template. On a match, an ID such as an anonymized loyalty account number, rather than the biometric itself, is used to tell the backend system that the desired transaction can be executed.
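The template flow just described, as an added illustration that is not HID's or any vendor's code: a constructed Python model in which the cloud issues a template bound to an anonymized account ID and authenticates it with a key shared with readers, the reader verifies that tag before matching, matching is a Hamming-distance comparison against a threshold (so a noisy genuine capture passes while an impostor capture and a tampered credential are rejected), and only the anonymized ID reaches the backend. The 256-bit binary template format, the shared HMAC key, the bit-flip capture model and the 0.30 threshold are assumptions for illustration; a real system would use the vendor's template format, encrypt the template in transit and most likely sign it with an asymmetric key rather than a shared secret.

```python
import hashlib
import hmac
import json
import os
import random

TEMPLATE_BYTES = 32      # 256-bit binary template (assumed format; real templates are vendor-specific)
MATCH_THRESHOLD = 0.30   # max normalized Hamming distance accepted; sets the false-accept/false-reject trade-off


class CloudIdentityService:
    """Stand-in for the cloud-based ID management system: enrolls a user, issues the
    template to the phone bound to an anonymized account ID, and holds the only table
    that links that ID back to a real identity."""

    def __init__(self, reader_key: bytes):
        self._reader_key = reader_key   # HMAC key shared with readers (assumed provisioning)
        self._accounts = {}             # anonymized account ID -> real identity; never leaves the cloud

    def enroll(self, real_identity: str, template: bytes) -> dict:
        account_id = os.urandom(8).hex()  # random, so the ID itself reveals nothing about the person
        self._accounts[account_id] = real_identity
        body = json.dumps({"account_id": account_id, "template": template.hex()}, sort_keys=True)
        tag = hmac.new(self._reader_key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}  # this credential is what is delivered to the phone

    def resolve(self, account_id: str):
        """Backend lookup after a reader reports a match: only the anonymized ID arrives here."""
        return self._accounts.get(account_id)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class BiometricReader:
    """Stand-in for the reader: checks that the template really came from the cloud,
    compares it with the live capture, and reports only the anonymized ID."""

    def __init__(self, reader_key: bytes):
        self._reader_key = reader_key

    def verify_and_match(self, credential: dict, live_capture: bytes):
        expected = hmac.new(self._reader_key, credential["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, credential["tag"]):
            return None                 # forged or altered credential: never match against it
        payload = json.loads(credential["body"])
        template = bytes.fromhex(payload["template"])
        if len(template) != len(live_capture):
            return None
        distance = hamming_distance(template, live_capture) / (8 * len(template))
        if distance > MATCH_THRESHOLD:
            return None                 # capture too far from the template: no match
        return payload["account_id"]    # the biometric itself never goes to the backend


def simulate_capture(template: bytes, flip_fraction: float, rng: random.Random) -> bytes:
    """Constructed stand-in for a sensor capture: the enrolled template with a fraction of bits flipped."""
    captured = bytearray(template)
    n_bits = 8 * len(template)
    for pos in rng.sample(range(n_bits), int(flip_fraction * n_bits)):
        captured[pos // 8] ^= 1 << (pos % 8)
    return bytes(captured)


def demo() -> dict:
    rng = random.Random(7)
    reader_key = bytes(range(32))       # constructed key; a deployment provisions this per reader
    cloud = CloudIdentityService(reader_key)
    reader = BiometricReader(reader_key)

    enrolled_template = bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))
    credential = cloud.enroll("Alice Example", enrolled_template)   # delivered to Alice's phone
    account_id = json.loads(credential["body"])["account_id"]

    # Genuine presentation: a noisy capture (10% of bits differ) still matches.
    genuine = reader.verify_and_match(credential, simulate_capture(enrolled_template, 0.10, rng))
    # Impostor presentation: an unrelated capture differs in roughly half the bits.
    impostor = reader.verify_and_match(credential, bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES)))
    # Tampered credential: the phone rewrites the account ID but cannot recompute the tag.
    tampered_body = json.loads(credential["body"])
    tampered_body["account_id"] = "0000000000000000"
    tampered = {"body": json.dumps(tampered_body, sort_keys=True), "tag": credential["tag"]}
    forged = reader.verify_and_match(tampered, simulate_capture(enrolled_template, 0.10, rng))

    return {
        "genuine_matches": genuine == account_id,
        "impostor_rejected": impostor is None,
        "forged_rejected": forged is None,
        "backend_sees": cloud.resolve(genuine) if genuine else None,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the separation of concerns: the reader holds the key needed to validate templates but never the table linking IDs to people, the cloud holds that table but never sees a live capture, and the threshold is the one knob that trades convenience (tolerating a noisy capture) against the chance of accepting an impostor.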
The entertainment, banking and government sectors have been among the first to deploy cloud-based ID management and biometric solutions. In the UK, Birmingham City Football Club uses cloud-based ID management to give its fans more convenient ticketing and a better experience at the stadium, speeding entry and allowing digital vouchers to be used during the game to buy food and drinks. Venue owners and their event sponsors can reward fans through loyalty program experiences and collect data from fan apps that provides insight into fans' interests, behaviors and demographics. This enables organizations to personalize future game, competition and giveaway experiences and to design digital vouchers that optimize brand visibility and exposure. With the addition of biometrics, this engagement model is intended to eliminate the need for fans to carry and manage money or identification while attending events.
In Brazil, biometrics have transformed the banking user experience. All major banks there use fingerprints captured by Multispectral Imaging (MSI) technology to protect billions of ATM transactions annually. Customers simply present their card, place their finger on the sensor and receive their cash withdrawal in 20 seconds or less, largely avoiding the vulnerabilities and inconvenience of PINs. Biometrics have also been implemented in several government identity and payment distribution systems across Central and South America.
Technologies like Ultra-Wideband (UWB) wireless connectivity are expected to become ubiquitous on mobile devices and will be combined with biometrics to create even better user experiences. UWB measures distance and a target's relative position from signal time of flight, which is both far more accurate than Bluetooth signal-strength estimates and much harder to spoof. It is expected to co-exist with Near Field Communication (NFC), Bluetooth and other technologies, providing device position with a much higher level of assurance, reliability and granularity and so enabling truly seamless experiences.
When combined with biometrics, UWB will enable users to prepare their transaction on a mobile banking app ahead of time. When they arrive at the ATM or teller window, they will be able to authorize a transaction by simply “signing” with their face or finger. For transactions at the fast-food drive-through window, barcode scanners will be replaced with a simple, seamless, and convenient wireless transaction at or before the pickup window. In retail and grocery stores, adding UWB to biometrics solutions will enable a faster and more consistent biometric-matching process at a Point-of-Sale (POS) terminal (see Figure 2).
Figure 2: Know Your Customer (KYC) systems use biometrics to link customers directly to the program. The customer's loyalty account ID number is sent together with his or her biometric template so the two can be matched. This is done with end-to-end encryption, and security is further increased by distributing each customer's biometric data to that customer's own device rather than holding it in a centralized database.
These and other advances will enable many new experiences that can be accessed using only one’s face or finger for identification, without jeopardizing privacy and security. Biometrics solutions paired with a cloud-based identity management system will enable product and service providers to know who is using their systems, while delivering a more convenient brand experience that maximizes user satisfaction and loyalty.
Todd Seeley is the Senior Manager, Project Management in the Biometrics Business Unit, Extended Access Technologies with HID Global. He has more than 10 years of experience supporting application development for HID Global’s Extended Access Technologies (EAT) Business Area. As the innovation engine behind HID’s trusted identity deployment advances, the EAT organization works closely with a growing community of integration partners to embed its solutions into products that explore new and forward-looking user experiences.