This article can also be found in the Premium Editorial Download "CIO Decisions: Prescriptive analytics: Conquer the next business frontier."
Download it now to read this article plus other related content.
Our new Future State column focuses on an emerging technology and its potential impact on CIOs and their organizations. In this month's installment, SearchCIO's Senior News Writer Nicole Laskowski discusses the future of biometric authentication technology.
Google most common passwords 2013, and you'll find that 123456 has nudged out password for the No. 1 spot. Yep, those easy-to-remember and oh-so-easy-to-hack favorites are still in play. (Cue the collective CIO sigh.) But there's good news on the not-so-distant horizon.
Startup companies specializing in biometric authentication are popping up all over the place. Technology using biometric authentication recognizes our bodies for the living machines they are, sophisticated instruments made up of rare parts that give off bits of unique code. Our fingerprints are just the beginning. The iris, retina, facial patterns and voice patterns, even a person's gait or cardiac rhythm, can be used as the basis for a personalized pass code. These unique physical traits can then be used to verify a person's identity -- and limit access to and protect sensitive information.
Technology from EyeVerify LLC is an example of how the body can serve as IT security. The Kansas City startup uses blood vessel patterns found in the whites of the eye (which they call the eyeprint) as a way to, say, open up a mobile banking application.
The pass key of your eyes
If this all sounds a bit Minority Report, circa 2002, it kind of is. EyeVerify, founded in 2012 and a two-time 2014 Consumer Electronics Show award winner, doesn't require futuristic technology, said Toby Rush, the startup's CEO and co-founder. The camera on your smartphone is robust enough. That old technology works just fine, that is, when combined with a very clever algorithm built by Reza Derakhshani, associate professor at University Missouri-Kansas City and the startup's chief scientist, and finely tuned by a small group of engineers.
Skeptical? Yes, a person's eyes can become red from itchiness or dryness or alcohol use or (this is for you, Colorado) marijuana use -- but blood vessel patterns? "They don't change," Rush said. "They may look more visible, but the patterns themselves don't change."
The initial image capture is called the enrollment process, Rush said. The user moves his eyes from side to side so that the camera can capture the blood vessel patterns on each side of the iris -- a user's four eyeprints -- and establish a pass key. When a user unlocks a mobile application installed on an employee's smartphone or tablet, only the pass key is sent over the network for verification purposes and not the biometric itself.
So, what's the level of accuracy for something like this? According to Rush, a spectacular 99.99%. Outside reviewers are less convinced. An MIT Technology Review article from December 2013 reported the company needs to do additional testing to more thoroughly vet that number.
Stay a step ahead
So, here we have arrived at the proverbial other side of the coin. A password-less existence is indeed an exciting prospect, but many of the startups developing biometric authentication technology are just that -- startups. The technology is still emerging, which means glitches and bugs will need to be ironed out. And, at least for now, those bugs may be nasty enough to preclude any kind of an enterprise solution you'd want to bet your IT security or job security on, or, for that matter, your users' good will.
"That's the problem with all biometrics," said Dave Aitel, chief technology officer at Miami Beach, Fla.-based Immunity Inc., a security service provider. "There's always a little bar somewhere saying how hard do I want to be on this person. And usually the answer is not very hard, because nothing is more frustrating than someone [for example] holding their eye up to a machine and being denied access."
More on biometrics
Should devices use biometric authentication?
Mobile biometrics prompt security concerns
Aitel believes CIOs need to spend more time figuring out what data is top secret and compartmentalizing it appropriately. He understands that could be a hard sell -- especially given the growing infatuation to break down data silos and integrate data from across the enterprise -- "but, until you've [compartmentalized data], you can't talk about mobile security and cloud security in any real way," he said.
That doesn't mean CIOs should ignore biometric authentication technology. Instead, Aitel suggests they educate themselves on the limitations of those technologies: Fingerprints, for example, aren't exactly private. We leave them everywhere we go. And once a fingerprint authentication is hacked (have you heard the one about the gummy bear?), it's not as though the password can be reprogrammed. Still, he said, "it's better than nothing, and a lot of people are using nothing."
Extrapolate fingerprints out to iris and retina and, yes, blood vessel patterns in the whites of a user's eye, and it's apparent that these systems can be (and undoubtedly will be) spoofed. CIOs need to accept that as fact and, rather than building a security system that can't be hacked, figure out how to put up enough roadblocks to keep cybercriminals from disrupting service or reaching the most sensitive information. Biometrics can add another layer of protection.
"Biometrics are going to be important, and there is a need, as we saw with the recent credit card disaster from Target," J.P Gownder, analyst with Cambridge, Mass.-based Forrester Research, said. "We can't even secure traditional systems we have in place that are the baseline of our economy. So, for companies who want to be particular about securing their data, clearly something is missing."
And Gownder believes some biometric technology is robust enough for enterprise CIOs, and should be considered by those who, like Target's, have already experienced a breach. However, be cautious when choosing a provider, he adds. "You want to work with a player that's reached some level of scale or at least has partnerships with some level of scale, so that you know it's not just a flash-in-the-pan solution."
This was first published in February 2014