Page 36 - GCN, Jun/July 2016

AUTHENTICATION
Another advantage of using smartphone-based biometrics for authentication is that the scans never leave the device. Agencies can easily issue new passwords to employees if the old ones are compromised, but fingerprints and eyeballs are significantly more difficult to refresh.
“By storing those attributes on the device, you don’t have a honeypot of millions of records,” said Patrick Clancey, senior director of federal programs at MorphoTrust USA.
Nok Nok Labs CEO Phillip Dunkelberger agrees that putting trust in a purely software-based solution is riskier, and the hardware component that identification cards offer is a significant advantage. In addition, the latest smartphones have built-in hardware-based security features, Dunkelberger said, and that “secure element hardware...is the most secure way you can do it.”
Clancey said adoption of biometric security is likely to come first in the private sector. “Once it is proven and commoditized, you’ll see adoption by state, federal and local agencies,” he added.
Yet although mobile-based biometrics are a great addition to security, they should not be the only component, Prescient Solutions CIO Jerry Irvine said. “There’s still a lot of concern about the security of mobile devices because they’re still consumer-grade devices,” he added.
CONTEXT-BASED AUTHENTICATION
With multiple forms of authentication to improve security, verification no longer has to be annoying and intrusive for users.
Instead, “people are looking at contextual-based indicators of authentication or trust,” Clancey said.
Those indicators are passive, which means the user isn’t even aware the verification is happening. For example, an employee’s location when he or she logs in could factor into the authentication process.
If an employee is at his or her work computer, for example, that’s one level of authentication. Logging in from home is another. Logging in from, say, North Korea might lower the trust level of that particular connection.
Another type of passive authentication verifies employees by the fact that they have their phones with them. Although by itself this is no guarantee of identity, it does make it more likely that individuals are who they say they are.
A person’s walking gait or typing pattern can also help verify users, without requiring them to jump through any additional hoops.
“The general trend that we see... is toward more passive, contextual authentication,” said Paul Madsen, principal technical architect at Ping Identity. “Rather than having the user go through this overt, explicit login ceremony, our systems get better at being able to recognize the user passively.”
Only when the risk profile requires it would employees be asked to take additional steps, such as a biometric scan of some kind, he added.
BEHAVIOR-BASED AUTHENTICATION
Even with context-based passive authentication backing up the biomet-
Can biometrics support better citizen services?
When it comes to issuing credentials to employees, government agencies benefit from an additional authentication step that is not well appreciated: At some point in the hiring process, a trusted human resources manager or supervisor physically meets with new hires and verifies their identification documents. When providing online services, however, that personal touch is not always possible. And even if a credential is issued via a reliable channel, if it’s only used once a year there’s a good chance an individual will lose it or not notice it was misplaced until months later.
Experts say the answer is to base the security credential on something that a person would be careful not to lose and would quickly replace if they did — such as a primary payment card, a mobile phone or a driver’s license, said Andre Boysen, chief identity officer at SecureKey Technologies.
And, in fact, smartphones and driver’s licenses are increasingly being used to authenticate people when they access government websites. In Canada’s British Columbia, for example, driver’s licenses include an EMV chip, the same kind of secure technology found in the latest credit cards.
“EMV is global, and it’s proven, low-cost and very trustworthy,” Boysen said.
To log into a system that requires maximum proof of identity, a user taps his driver’s license against his phone. The system checks that the license has not been