As a digital technology, biometrics are almost always bound up in some way with cybersecurity. With that in mind, Biometric Update has reviewed predictions for the year ahead to present the most noteworthy, controversial, and troubling among them.
First major biometric hack
A single-factor biometric authentication system will be successfully hacked at scale in 2019, according to security firm Secplicity. This will drive increased adoption of multi-factor authentication, the company says.
Experian’s Data Breach Industry Forecast 2019 also predicts biometric hacking will increase next year, as attackers seek to exploit stolen or altered biometric data, spoofing methods, and deteriorated or manipulated fingerprint and facial recognition sensors. In the report, the company urges organizations to secure all layers of their biometric systems, and to encrypt and store all biometric data in secure servers.
New facial recognition vulnerabilities spur behavioral biometrics
Non-biometric two-factor authentication will be undermined by “SIM swaps” and persistent phishing, cybersecurity service provider Forcepoint says. Biometrics can provide the answer, the company predicts, but behavior analytics will be the preferred method of protection.
New laws and regulations
Acuant President and CEO Yossi Zekri told Biometric Update in an email that new laws or regulations are coming.
“The progress of GDPR will drive continued adoption of identity-related legislation across the world,” he writes. “The United States, currently a hotbed of frustration over the mismanagement of personally identifiable information (PII) and lack of protection for digital identity, will begin to adopt similar legislation in 2019. Recent revelations into questionable business practices and Congress’ increasing focus on technology behemoths Facebook, Amazon, Google and Netflix will drive the U.S. government to rein in the industry with compliance requirements (similar to Sarbanes-Oxley after the Enron and Worldcom debacles).”
Zekri also predicts that systems leveraging both AI and human judgement will outperform the accuracy of fully automated identity verification solutions, and that with an increasing consumer focus on self-sovereign identity, “organizations will start to adopt methods to verify individuals without using personal data. Identity scores – or a similar scoring mechanism – will emerge as a way to verify the individual and replace the need to share PII.”
Nok Nok Labs CEO Phil Dunkelberger also tells Biometric Update that companies should be prepared for a more challenging regulatory environment in the year ahead.
Blockchain hits a roadblock
Mitek CTO Steve Ritter thinks blockchain will be revealed to be unready for mainstream identity platform use in the coming year.
“While blockchain continues to grow in popularity with varying use cases, for it to make a significant impact with identity platforms, it will need to considerably improve any existing solution,” Ritter says. “The biggest challenge with blockchain for identity verification is that a public distributed ledger would be accessible to anyone who needed it but owned by no one, which will likely create privacy and security concerns. The system would need buy-ins from both consumers and businesses to get traction and reach an acceptance “tipping point.” It would take time and money to promote the service, far more than what would be required to create and run it. Until businesses figure out how to monetize blockchain and where it can best be adopted in their businesses, we are unlikely to see this technology revolutionize identity management. As a result, expect that at least 30 percent of data management projects using blockchain will fail and more identity platforms will abandon development of blockchain.”
Account takeover fraud, which cost $5.1 billion in 2017 according to Javelin Research, will decrease, Ritter says, as new identity document verification technology turns the tide and prevents more than 40 percent of account takeover fraud attempts in 2019.
Businesses move away from KBA
TrustID’s 2018 State of Call Center Authentication report shows that a mere 10 percent of call center agents very confidently trust knowledge-based authentication (KBA) to accurately identify callers. This is with good reason, the company says, as there were 668 confirmed data breaches and 22.41 million records exposed in the first half of 2018, according to the Identity Theft Resource Center. TrustID says 2019 marks “the final countdown” for KBA, with the factor fading away within five years.
Ritter also predicts that digital identity verification will replace KBA for online marketplaces, as continuing growth in online transactions and data breaches drives a push for greater regulation.
Other predictions from TrustID include that fraud will continue to move to the fraud channel, that financial transactions will have a short window for accurate verification, and that hacks on health care organizations will increase.
Internet of Things devices scam users
“Your smart fridge will start scamming you,” BioCatch Chief Cyber Officer Uri Rivner tells Forbes. “IoT-connected appliances such as refrigerators and washing machines already produce unattended payments that the user cannot personally verify. Fraudsters see this vulnerability now and will begin to take advantage of it.”
It stands to reason that the challenges of preventing fraud even when the payer is present would only increase when the device authorizes payments without the user.