Dual biometrics may just be the authentication answer we need

Credit to Author: Evan Schuman| Date: Wed, 31 May 2017 12:51:00 -0700

A major problem with biometric authentication is that, when it doesn’t work, there are few good options to proceed with the authentication. When the system says that’s not your eyeball, there’s no fallback akin to “Forgot your password?” You have to revert to some less discerning authentication method, such as a PIN. 

Some vendors are trying to deal with this by using a simultaneous, multi-biometric method. “Simultaneous” is important because using two methods consecutively would take more time, resulting in end users’ resistance and lower participation rates. 

One vendor, Sensory, is making serious headway in figuring out interesting ways to use dual biometrics.

First, it realized that layering one biometric on top of another would just increase the error rate. When you use two authentication methods and a problem with either one leads to a failure to authenticate, then a lot of people are going to be rejected. 

And the two methods it uses — voice and facial recognition — can fail for quite a few reasons. (It uses them, though, because they are highly compatible for simultaneous authentication. The nature of a retina scan, for example, pretty much excludes doing anything else at the same time.) Voice recognition can be flummoxed by background noise or laryngitis, for example. Facial recognition can be thrown off by poor lighting, a change in makeup, the use of contact lenses versus glasses, new beard growth, a deep tan or even an unexpected expression. 

This all makes Sensory’s sensitivity settings important. Sensory typically recommends allowing authentication from either — voice and facial recognition essentially act as each other’s backup, so if one says no, the other will still allow access. In theory, then, the user won’t have a problem unless he or she happens to be in a noisy room with really bad lighting. Not impossible, but the odds are in your favor. 

Such lenient settings won’t please all customers, of course, but they can tweak the level of sensitivity and even have them vary from one role to another. A bank, for instance, could use higher sensitivity for authentications to transfer money, but mid-level sensitivity for something such as looking at a balance. More simply, it could set higher authentication sensitivity for higher dollar amounts. 

Another interesting aspect of this is that those higher sensitivity levels can be used to thwart spoofing attempts. Video can fool facial recognition, and recordings can trick voice recognition. By using a dual-biometric approach with settings that require at least low-level recognition of both voice and face, spoofing is more difficult. 

This sort of combined recognition is where Sensory gets clever. According to Gordon Haupt, senior director of vision technologies at Sensory, his team is working on connecting the dots between the two methods. The idea is that instead of voice and facial recognition operating as separate streams toward authentication, both would factor in the concerns of the other. For example, the system would judge whether the lips appear to be saying the words that the mic is hearing. 

“We’re looking at the way your lips move when you say your passphrase,” Haupt said. Yes, Sensory is trying to make a biometric authentication system that can read lips. 

That certainly should make spoofing more difficult. And Sensory enables the use of passphrases that change from user to user and are randomly decided by an algorithm. If it’s impossible for a thief to know the passphrase beforehand, that makes spoofing exponentially harder. 

Think of the potential for ATM cash access. Could the software be trained to detect extreme fear (expressed by either the face or the voice) in someone who is not alone? That could alert law enforcement that someone is possibly being made to withdraw money at gunpoint. 

http://www.computerworld.com/category/security/index.rss