Earlier this year research shared by the University of Washington revealed a ground-breaking wireless technology that would allow additional security information to be sent through the human body. Derek Northrope, head of Biometrics at Fujitsu Americas, considers what the technology means for biometrics and identity management…
In its current form, the University of Washington (UW) research is no game changer for biometrics. While we are seeing a wide adoption of biometrics in consumer and financial services, the communication medium in use in these cases does not tend to be the weakest link in the chain and is unlikely to be the main attack vector for cyber criminals.
Issues with new payment methods, such as Apple Pay, instead stem from identity proofing and onboarding methods, and not necessarily the biometrics or transmission components of the solution.
Although the UW technology is capable of sending additional information to supplement an identity, it is really only practical for verification, where the system already ‘knows’ who it is dealing with, as opposed to a true identification process.
If in the future the transmission method is to become the weakest link in the chain, we may see a need to strengthen this aspect of the transaction. For now though, the research seems to be fixing a problem that does not actually exist. If current transmission methods are ‘secure enough’ and are fast and readily available, then this new system is going to face a hard road ahead.
However the UW solution could find a niche in solutions where both parties require a high level of trust in the other – where a combination of the user being present, the provider’s hardware, and the users’ device form a complete chain of trust to allow the transaction to occur. In this type of operation neither the provider nor the user has individual control over the transaction and cannot conduct it without the other, forming a two-way handshake.
In security terms, the more factors that are used – ‘something you have’, ‘something you know’, and ‘something you are’ – the more secure a solution is; but this can often reduce the convenience of a solution. By combining the ‘something you are’ and ‘something you have’ components of the solution can significantly increase usability, at the same time as increasing security.
From this perspective, the technology could provide a ‘killer application’ in some use cases, such as healthcare and high-level security. These sectors are likely to be filled with wearable biometric technology well before the UW system is ready for deployment.
As long they are not removed from the wearer, many wearable devices can be used as a “verify once and use many” system. For high-value or high-risk transactions, there still needs to be an additional security factor (‘something you know’), to prevent situations where transactions are conducted on behalf of the user without their knowledge.
However, looking at the current speeds of the UW system, the transfer rate is too small to create a large enough code, or one-time pin, to make the technology highly secure from a computing sense, although this may change as transmission speeds increase.
As for the inherent security of using the body as a transmission medium, the UW research states that the information can only be read by contact with the skin. As the entire body is acting as the transmission mechanism, there are likely to be ways that this information can be captured in a non-contact format; for instance we now have non-contact thermometers.
Another potential hack mechanism would be to place an eavesdropping device close to the intended reader and skim any information as it is collected by the receiving device. In theory, leakage distances would be small, however as we have seen with technology like BlueSniping even Bluetooth can be read at distances exceeding one mile, far beyond its intended range.
While this solution is not yet ready for commercial deployment, it is going to be interesting to see where this biometrics technology can be taken and the speeds they will be able to achieve.