Humanizing authentication with biometrics
6 April 2022

A conversation with Gal Steinberg, VP of Products at Keyless 

Advancements in biometrics are transforming how we authenticate people and verify their identities, enabling us to authenticate the actual person instead of the device or the password they use to log in.

To help unpack what this can mean for you, our VP of Products, Gal Steinberg, shares his perspective on how biometrics are helping to drive a new era in online security and identity management.

Are people ready for biometrics?

It wasn’t so long ago that biometric solutions were seen as a contentious issue due to fears of surveillance or lack of privacy – but customer demands for frictionless online experiences have been rising steadily over the last decade. We're seeing more users every day demanding smoother online experiences and faster access to online accounts and platforms.

If there was any uncertainty around user attitudes towards biometrics, technologies like Apple's FaceID have proven without a doubt that consumers prefer biometric authentication experiences – with 42% of users already adopting device-based biometrics.

But are biometric authentication solutions secure?

“Yes, and no,” says Gal. “It depends on the underlying technology. With the sheer volume of leaked data available online, biometrics are undoubtedly more secure than a username and password – however since your unique attributes cannot be replaced if compromised, biometrics can wreak more havoc than passwords if not handled properly.”

When a biometric data breach does happen, your sensitive data becomes irretrievable. And while the likes of Touch and Face ID deliver a good login experience, in their attempt to protect private biometric data, there are a number of security and interoperability drawbacks to these solutions.

Chief among them: to protect customer privacy, biometrics are often stored on the device instead of online, where they are more susceptible to security and privacy threats. "This creates new problems though," explains Gal. "Instead of authenticating the actual human being, you're authenticating the device."

On every new device a user must enrol for biometrics again, which means businesses actually have low assurance that a user is who they claim to be: unauthorised users with stolen credentials can register for biometric authentication on their own devices without anyone being able to tell the difference between the two sets of biometrics. On the other hand, not all devices have biometric capabilities, meaning some users don't have the option to use them at all.

“This is why we set out to develop a next-generation biometric solution that uniquely addresses the challenges that come with authenticating users with their biometrics,” says Gal.

Keyless leverages privacy-preserving cryptography to protect biometric data from privacy and security threats, while also enabling businesses to verify the identity of the user they're authenticating.

Balancing biometrics with compliance concerns

"We've noticed a trend where highly regulated industries are apprehensive or even slow to adopt biometric solutions due to perceived privacy and security risks around biometric data", says Gal.

According to Gal, many businesses want to implement biometrics but think they can’t because of compliance and security risks. "We want to raise awareness about how privacy-preserving technologies can help businesses adopt biometrics while exceeding their compliance obligations under regulations like GDPR and PSD2-SCA. This means our customers can focus on delivering value through biometrics – not scrambling to stay on top of compliance."

Many financial institutions rushed to implement multi-factor authentication (MFA) solutions to meet PSD2-SCA compliance deadlines. However, the rush has proven to be detrimental to some businesses – with the financial services sector being targeted with an influx of advanced social engineering attacks and account takeover fraud despite having an MFA solution in place.

“There are so many ways to do passwordless, but only a subset of solutions are effective,” says Gal. “Many MFA solutions fail to mitigate account takeover fraud and account sharing effectively, so I’d recommend taking the time to understand your pain points and study the landscape to find the right passwordless solution for your needs.”

Humanizing authentication is a challenge, and we recognize that public confidence in biometrics will take time to mature.

“As confidence grows in the potential of biometrics to fight fraud and identity theft, I believe we’ll see it being embraced beyond the consumer space, into markets like the fintech and crypto industries,” Gal explains.

Humanizing authentication in the real world 

Some industries, like education, are already experimenting with biometrics to help increase identity assurance in increasingly hybrid environments.

For example, Keyless is being used to help prevent students from cheating in exams. During the first wave of the pandemic, when higher education moved online, many students had to take classes and exams virtually.

Universities struggled to ensure students weren't cheating, having noticed some had shared usernames and passwords during the exam period.

“A university came to us after realizing some of its students were enrolling their friends to take their exams,” says Gal. “It needed a more advanced solution that wasn’t tied to students’ devices to prevent cheating – and so they turned to looking for a biometric solution that could enable this.”

In financial services, it’s not uncommon for users to endure frustrating authentication processes when accessing critical services and information. The same goes during customer onboarding while service agents are performing their Know-Your-Customer due diligence. But Keyless is helping deliver a more passive, friction-free alternative.

“Next-generation biometrics can help businesses transform how their workforce and customers interact with services and devices,” says Gal. “In financial services, where significant fraud and ATO attacks are common, Keyless is helping remove passwords without compromising security while enhancing the user experience.”

Emerging biometric solutions can allow financial institutions to identify every customer and employee during authentication – instead of the device.

"Many organizations we work with typically start by trialing biometrics as a proof of concept, trialing new solutions with a subset of users, before rolling the solution out further within their business."

Keyless is seeing groundbreaking examples of biometrics in the consumer space. “We’re confident that the consumer biometrics market – particularly in banking and payments – will see huge growth in the next five years as awareness continues to expand and more frictionless use-cases emerge in our day-to-day lives.”

A new era of authentication and identity management 

So, where are biometrics headed over the next decade? According to Gal, they’re expected to be increasingly used within the financial services, banking and fintech sectors as a layered security approach to help protect against rising cases of account takeover fraud and social engineering schemes. 

Secondly, next-generation biometrics will play a crucial role in modern personal identity management. 

“I see personal identity management becoming a big part of our lives,” says Gal. “This means everyone gets their own digital identity that only the individual can control. And you can share bits of it to, say, your university, employer, or hospital for them to personally identify and authenticate your unique biometric features.”

Simple, secure, private biometric authentication

These are just two examples of where biometrics may be headed. Right now, Keyless are pioneering the next generation of biometrics powered by privacy-first technology.

If you want to learn more about biometric authentication and how Keyless can help you enhance your security and compliance posture while providing excellent user experiences, please visit our website: keyless.io/go
