By Chris Burt
Many companies in the biometrics, digital identity, and cybersecurity space have shared predictions for 2020 with Biometric Update, touching on many of the key themes of the past year, and reflecting the wealth of opportunity, as well as the anxieties at play in the industry. Those predictions most closely thematically related to biometrics and our top news stories are collected below.
Biometrics market growth
“The global market for mobile biometrics is forecast to grow at an impressive 31.14 percent CAGR, adding $28.45 billion per year in incremental growth between 2018 and 2023, despite the CAGR decelerating by 22 percent in the period,” points out Robert Prigge, CEO of Jumio. “The growth forecasts in the latest set of market analyst reports indicate widespread adoption of biometrics technology: 22 percent for mobile biometrics, 22 percent for 3D sensors, and 19 percent for healthcare biometrics. Facial authentication is impacting the physical security market, cloud-based subscription services are becoming more popular for security, and the Pentagon is expected to remain a source of opportunity for companies offering advanced authentication technologies. Although we are still in the early stages of biometric-based identity proofing and authentication, its development will serve as a viable solution for the growing fraud epidemic.”
This optimism extends to facial recognition for Vanessa Pegueros, chief trust and security officer at OneLogin.
“With the convenience of what the iPhone has brought to the masses with facial recognition, end users will continue to expect similar offerings from most if not all applications in 2020,” Pegueros predicts. “Although facial recognition has its flaws, the convenience outweighs the concerns for users.”
Oliver Smith of Shufti Pro notes that a recent Spiceworks poll shows 90 percent of businesses will use biometrics by 2020, and predicts multimodal biometric systems will reach the mainstream in the year ahead.
“As the threat of digital fraud and phishing scams increases, biometric technology itself continues to evolve to match growing security needs. In order to mitigate frauds, scams, and hacks, there is a pronounced need for more robust biometric authentication systems,” he says. “Although unimodal biometric systems provide a good security layer, security measures are often found to be susceptible to fraud and theft. This has given rise to multimodal biometric systems that utilize at least two or more biometric modalities to verify the identity of the user.”
The password, however, will make it to the end of the year, and perhaps beyond.
“2020 will see biometrics continue to tread water as a secondary authentication factor, with the base authentication mechanism continuing to be the password,” Enzoic CTO Mike Wilson writes in an email. “It will not make any real headway into meaningfully displacing passwords or passcodes as the primary means of authentication. At the end of 2020, if your Face ID fails to recognize you for the umpteenth time, you’ll still be entering in a passcode to unlock your phone.”
New cybersecurity threats
BioCatch CEO Chief Cyber Officer Uri Rivner predicts in a blog post that selfie biometric data will be a money-maker on the dark web.
“There’s already a vibrant dark web trade in personalized biometric data, and that will continue to grow in 2020. More websites and applications are turning to selfie-based verification and more online account opening flows are moving from obsolete controls, such as Knowledge Based Authentication, to more modern controls, like selfie-document matching,” Rivner explains. “Some criminals will focus on collecting data from open sources and social media. Others will target – and already have targeted – users in phishing campaigns designed to steal not just static credentials, but also selfies and videos of the user’s face. Another threat is that advanced malware capabilities, which are currently in the hands of state sponsored actors and other high-end players, will find their way to criminal hands and be used to break into mobile device authentication.”
Corey Nachreiner, CTO at WatchGuard Technologies, predicts multi-factor authentication will finally reach general adoption among enterprises in the coming year.
“The ease of use both for the end user and the IT administrator managing these MFA tools will finally enable organizations of all sizes to recognize the security benefits of additional authentication factors,” he says. “That’s why we believe enterprise-wide MFA will become a de facto standard among all midsized companies next year.”
Changing demographics will drive adoption of AI in the finance industry, Labhesh Patel, Jumio CTO and chief scientist, predicts.
“Customer experience and fraud detection will go hand in hand in the finance industry, especially as Millennials are 2.5 times more likely than Baby Boomers and 1.5 times more likely than Gen Xers to switch banks. Machine Learning and AI will serve a dual function in financial services and banking. Not only will AI help speed up and improve the verification and accuracy of new customer onboarding, it will also provide a reliable means of continued identity authentication for each subsequent customer login in order to thwart sophisticated attacks.”
He sees dramatic improvements in fraud prevention based on the change.
With adoption comes the potential for dangerous complacence, however, according to CyberArk Labs Group Research Manager Lavi Lazarovitz.
“Australia’s Digital Transformation Agency (DTA) recently announced that it will integrate biometric authentication with its myGov citizen services. As biometric authentication becomes increasingly popular, we’ll begin to see a level of unfounded complacency when it comes to security,” he says.
“While it’s true that biometric authentication is more secure than traditional, key-based authentication methods, attackers typically aren’t after fingerprints, facial data or retinal scans,” Lazarovitz adds. “Today, they want the access that lies behind secure authentication methods. So, while biometric authentication is a very good way to authenticate a user to a device, organisations must be aware that every time that happens, that biometric data must be encrypted and the assets behind the authentication are secure.
“Even more importantly, the network authentication token that’s generated must be protected. That token, if compromised by attackers, can allow them to blaze a trail across the network, potentially gaining administrative access and privileged credentials to accomplish their goals – all while masquerading as a legitimate, authenticated employee.”
The changing cybersecurity landscape will also impact the industry’s makeup, according to Enzoic’s Wilson, with acquisitions of startups increasing.
“For years, the security ecosystem has been viewed as a top area for startup innovation but in 2020, expect the tide to turn,” he observes. “Fearful of a data breach resulting from a third-party vulnerability, many organizations are implementing rigorous security requirements for their vendors and the average startup will find compliance onerous at best. As this trend continues, we’ll see many small enterprise security companies be acquired, fold, or pivot to a different industry.”
Many insiders also identify synthetic identity as a threat for the year ahead.
“Reports of synthetic identity fraud, one of the most challenging fraud types to spot, will continue to grow and companies (especially those in financial services) will increasingly employ identity corroboration/orchestration hubs to thwart this,” says Acuant’s President and CEO, Yossi Zekri. “Organizations will also seek robust biometric screening that cannot be easily fooled by deep fakes and image spoofing.”
Mitek VP and GM of Corporate Development Sanjay Gupta likewise predicts deepfakes and synthetic identities will present a new wave of identity fraud, requiring companies to invest in more sophisticated customer verification technologies.
Deepfake attacks and responses evolve
“While an attacker can use deepfake techniques to convincingly emulate the likeness of an individual, it is still difficult to digitally impersonate one’s voice without fairly obvious imperfections,” according to Robert Capps, VP of Market Innovation for NuData Security, a Mastercard company.
“Deepfake audio or video cannot currently be rendered in real time, without an attacker having a large volume of computing resources and a lot of high-quality audio and video source material to train computer machine learning algorithms. While Deepfakes can be convincing to other humans, they are unable to pass physical or passive biometric verification, so coupling strong liveness detection, along with the collection of passive and physical biometric signals to verify a user’s identity, largely mitigates the current risks presented in banking transactions.”
The roots of deepfake technology are murky, but show how even rudimentary attempts can fool people in high-stakes situations.
“In 2013 while working for the NCA I witnessed first-hand just how compelling deepfake technology can be when a virtual 10-year-old Filipino girl, ‘Sweetie’, created by a Dutch NGO was used to identify thousands of child sex abusers worldwide,” recounts Callsign Chief Security Officer Ian Cruxton, former director of the UK’s National Crime Agency.
“On this occasion it was used by those with good intentions to identify and prosecute serious sex offenders, but it is no surprise that the opportunities presented by deepfake have now attracted the interest of those who would commit crime and in particular fraud. In many ways, this is a response from the fraudsters to the steps taken by businesses to thwart more traditional phishing and spear phishing attacks.”
Kathryn Harrison, founder and CEO of the Deeptrust Alliance, which is dedicated to the problem, sees video content that is difficult to prove as genuine or fake being disseminated in a way that has a material impact on the U.S. election in October. There are reasons for hope as well, however.
“Industries ranging from technology to media to financial services plus academia, government and NGOs will systematically and publicly begin to collaborate on technology and best practices to fight deepfakes,” she predicts.
Decentralized ID profile to rise
Decentralized and self-sovereign identity came across the radar of Biometric Update much more in 2019 than previously, and the principles seem to be gaining traction with a variety of stakeholders.
“As with previous years, consumers will continue to demand power over their PII and the right to share information, how and where they choose to,” Acuant’s Zekri says. “The ‘billionaire boys club’ will continue to bring this reality to light. But who will ‘win?’ The company that figures out how to protect sovereign identity but can also guarantee who and where that data is being shared with. 2020 will be focused on consumers evaluating who they are actually doing business with.”
“Enterprises around the world will increasingly look to self-sovereign identity as a solution for personal data privacy and ownership,” says Stephen Ritter, Mitek CTO. “With data breaches making headlines on a regular basis, consumers are demanding more control over their personal information, and this is especially true as biometric data becomes a potential new target.
“Businesses will therefore need to invest in technologies which provide users with ownership of their own data, potentially through new blockchain networks which can be shared between banks, credit unions and other major financial institutions. When sensitive information is stored on a decentralized blockchain network, that data becomes far more difficult for hackers to obtain, and empowers users to act as the gatekeepers of their information rather than sharing data with each financial institution separately for any transactions – giving the consumer control of their digital identity.”
Rich Chetwynd, product manager at OneLogin, identifies the same trend.
“Decentralization will become the new buzzword in 2020,” he predicts. “We are centralized now with large tech companies having control over a lot of the data. This next year we’ll see companies begin to position themselves as decentralized in one way or another. The control of data will begin to shift back to the consumer and end-user. People will stop becoming the product.”
In contrast to an opinion above, Zekri even sees the potential for a solution to the aging password dilemma coming from a similar direction.
“The rapid rise and fall of blockchain has some technologists doubting its adoption and importance in 2020 and beyond. But blockchain has brought forth the use of cryptography. This technology will be used to replace the username/password as a method of user verification. Instead, passwords, PINs, SMS codes, and other authentication technologies are replaced with public-key cryptography. Biometric authentication will become the new norm in this brave, new ‘passwordless world.’”