Can biometrics plug the weakness of blockchain?
There's been a lot of interest in using blockchain, the distributed ledger technology developed for bitcoin, to modernize payments and banking systems. But as with any technology, blockchain is only secure if its users can be trusted.
In a blockchain, digital data is stored and monitored through a group of computers, with the data secured and bound through cryptographic principles within the chain. The endpoints of that chain are potentially susceptible to bad actors, which is where biometric authentication can play a role.
"Blockchain provides a very secure transaction itself and everything that happens inside the blockchain is very secure and well-defined. But what happens at the beginning of the process or the end, in terms of making sure who made that transaction, is the vulnerable spot," said Franco Zaro, director of business development at Valid, a Brazilian firm providing identification/authorization technology globally.
In Valid's work protecting government, corporate and retail transactions, the combination of biometrics and blockchain is drawing more attention. It also reinforces what security vendors and fraud experts have been saying for years: it takes layers of security measures to thwart fraud, especially in an advancing digital age.
"We are starting to see many of these technologies become part of our lives, so there were initially a lot of growing pains," Zaro said. "It is something we are continuing to learn about and we are going to fail at times, then we add other technologies to strengthen it."
Biometrics (often implemented as fingerprint, facial, voice or iris recognition) helps confirm at the authorization step that the person initiating a transaction is who they say they are. That said, storing biometric data can become problematic because if that storage vault is breached, all of the biometric data would be compromised.
Thus, using blockchain helps store that data more securely. The two technologies help overcome the weaknesses of each other.
Many advancements in fraud-prevention technology are readily available, and the use of biometrics for payments security continues to grow. But many banks, corporations and retailers still pause before dipping their toes into blockchain or biometrics.
Recent blockchain research in Canada, called Project Jasper, prompted a message of caution to banks about weighing the advantages of blockchain against the costs and time commitments of overhauling legacy systems.
At the same time, card networks continue to experiment with biometrics to expand upon what Apple's Touch ID does for mobile and online shopping, and others have focused on device authorization.
Many different initiatives are taking place in attempts to bolster identity proofing, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"There are experiments around identity federation, both at the time of relationship inception as well as the time of the transaction," Conroy said. "Layers of security are essential on this front, but the industry is still progressing somewhat incrementally, rather than by leaps and bounds."
Much of the hesitation in adding more layers of security stems from the fear of creating consumer or client friction as part of the process. In addition, Conroy said, data privacy mandates such as the GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) add a compliance burden.
"Biometrics adds a further wrinkle, since there are a number of local requirements for express consumer opt-ins where biometric data is stored centrally," Conroy added.
No matter how far biometric authentication advances, the best strategy remains layered authentication.
"Normally, when you are working with biometrics, it is not telling you with 100% certainty that this is the person," Varo said. "It is giving you a score that can be 90% on the probability that it is the person based on a fingerprint or eye scan matching, and combining that score with a password or other level of security."
Valid secures government transactions as well as those for corporations or retailers, and has worked with five states in the U.S. on developing the Real ID driver's license technology for global travel.
"In the U.S., we are a couple of steps back and we have a long ride to get to where some others are with blockchain, especially for government transactions," Zaro said.