Kaleido Insights’ Impact Analysis on Biometric Authentication

What happens when our eyes become our passwords, our voices validation for transactions, our emotions analyzed as barometers of intention?

By Jaimy Szymanski, Jessica Groopman, Rebecca Lieb and Jeremiah Owyangof Kaleido Insights.

Biometric authentication has been around for decades in enterprise IT and security contexts, but new platforms and cheaper, more sophisticated compute capabilities now power a range of new user experiences and the next wave of digital identity authentication.

Kaleido Insights’ methodology for analyzing emerging technology assesses the impacts on humans, on businesses, and on ecosystems at large. As part of our ongoing coverage, we’ll be analyzing a series of topics using our methodology to help business leaders first understand, and then see beyond the bright and shiny and cut right to what matters.

For each post, all Kaleido Insights analysts conduct a joint analysis session around a single topic (e.g. technology, event, announcement, etc.). In this post, we analyze the human impacts of biometric authentication.

Topic: Biometric Authentication

Examples: Android and Apple’s TouchID and FaceID, Sensory’s TrulySecure Voice and Vision Authentication, Clear for airport security scanning

Impact Analysis: Humans (end users, consumers and employees)

User Interface

Biometric authentication is a form of identification verification or access control based on both physiological or behavioral attributes that can’t be easily changed, as they are derived from biometrics. Techniques such as fingerprinting and facial recognition are familiar to most people, but many are unaware that biometric authentication as a category has a wide and growing range of interfaces.

• Fingerprint recognition
• Hand (geometry, veins recognition)
• Eye (retinal, iris) recognition
• Facial recognition
• Ear recognition
• Gait (walking) recognition
• Voice recognition
• Emotion recognition
• Signature recognition
• Heart rate / Electrocardiogram (ECG)
• DNA recognition
• Galvanic skin response (GSR)
• Implantables (microchipping)
• Brain activity (“brainprint”) recognition!

In many cases, biometric authentication actually requires more than one metric to authenticate — often called two or three-factor authentication — in which a combination of modalities is required.

Then there are interfaces in which biometrics account for the essential data inputs, but for which authentication is a secondary use case. For example, body scanners can be used in retail contexts to take precise measurements and overlay clothing onto a shopper’s body, without having to physically try on clothes. A consumer medical start-up called Forward seeks to use body scanners to automatically collect patients’ vitals and customize preventative regimens, treatment plans, and more. The F.D.A. recently approved the first digital pill, in which a sensor the size of a grain of sand tracks whether or not an individual takes their medication by triggering an electrical signal in response to contact with stomach acid.

User Behavior & Adoption

Biometric authentication has enjoyed a resurgence in recent years thanks to advancements in compute, more data, and decreased costs of hardware. Mobile giants have been shipping over a billion smartphones with at least one form of biometric authentication ‘baked-in,’ dating back as far as 2012.

Image: Apple’s iPhoneX FaceID allows users to authenticate Apple apps & 3rd party apps using their faces

Even with the ubiquity of smartphones, the wide range of biometric-based recognition techniques makes actual market adoption difficult to accurately quantify. A 2016 study by CTA found that less than half of American adults have adopted or used any biometric technology, while 29% have adopted digital fingerprinting and 13% used voice recognition. But the broader biometric authentication market is poised for significant growth as mobile (and IoT) devices incorporate more modalities for biometric authentication. Some 89% of the estimated 4.8 billion smartphones will be biometrically enabled by 2020, according to Acuity Market Intelligence, with the largest revenue segments being fingerprint, voice, iris, and facial recognition, according to Acuity Market Intelligence and Tractica, respectively.

Image source: TakShun Communication

Use Cases

Born in the eighties for “foolproof” security for government, military, and enterprise IT, biometric authentication was too costly and cumbersome for most businesses. But thanks to advancements outlined above, applications are diversifying across industries, including many consumer-facing.

• Identity verification: Verifying a specific individual is who they say they are is the most immediate use case for biometric authentication. Supplementary or alternative to passwords, physiological and behavioral attributes are measured in order to authenticate access and controls. The Royal Bank of Canada (RBC) is one of numerous financial institutions which offers customers two-factor authentication involving a bot-authenticated voice verification and/or fingerprint scan or PIN. Additional industry examples of biometrics used for identity authentication include:

- Consumer mobile authentication

- Pharmacy dispensary of medications

- Medical records access

- Airport security scanning (e.g. JetBlue, Delta or Clear)

• Multi-user authentication: Given the difficulty in sharing or transferring biometric information, such techniques also support multi-user authentication in which multiple users (and user experiences) can be distinguished and authenticated on the same device. Grandma may prefer a markedly different smart speaker experience than a teenage boy — both of which spell personalization opportunities for brands and OEMs. It also has implications for better regulatory compliance, particularly involving data generated by children.
• Asset access controls: ID verification is also the foundation for access controls associated with IoT applications in the physical world. Touch and facial ID are widely used in smartphones, but increasingly for in-home robots, car or home sharing, and even to facilitate access for in-home services such as caretaking or pet-sitting etc. Some auto OEMs, for example, are even aiming to associate ID biometrics with user preferences, so that cars can easily configure settings based on each individual.
• Purchase and transactions: Biometric authentication is also being applied to the payment space, wherein companies such Paypal, Visa, Apple, Google, and Samsung are using biometric recognition as part of multi-factor authentication to purchase. Using (or learning) an individual’s unique fingerprint to authenticate payment can increase security, reduce identity theft, and improve the user experience of digital payment. It is also not hard to imagine this capability rolling out into the brick-and-mortar retail environment either, given the rise of self-checkout kiosks and initiatives such as Amazon Go.
• Design Testing: Cameras equipped with computer vision can observe how users interact with web, device, or real-world interfaces. Facial, eye, and emotion recognition can be used to detect reactions, confusion, linger time, and many other responses relevant to interface design, usability, and product development.
• Emotion recognition-based marketing: Marketing has always been informed by consumer emotions, but using emotion recognition algorithms to codify and ‘learn’ how individuals’ emotions influence brand engagement introduces a new realm of marketing. Consumer research company Nielsen recently acquired Innerscope, a company which uses brain scans and GSR to measure emotional response to media. Meanwhile, Kellogg recently partnered with a company called Affectiva (and their massive 40 billion point emotion data repository) to test ad resonance for Crunchy Nut Cereal using facial recognition — aliens received the highest engagement.
• Virtual experiences: Another emerging role for biometric authentication, driven by the technology and adoption of virtual, augmented, and mixed reality (AR, VR, MR) platforms, is to facilitate experiences in virtual environments. Retailers likeLowes and Ikea are experimenting with VR-based shopping, where voice, facial, gender, and emotion recognition introduce all manner of opportunities for real-time product recommendations, agent support, social shopping, and so forth.

User Attitudes & Psychology

New interfaces, new experiences, new safeguards enabled by biometric authentication can empower users and foster trust, but also create new uncertainties. When personally identifiable and anatomically unique information shift from ‘shiny new feature’ to the required method of ID verification, broader questions emerge of surveillance, privacy, consent, and what constitutes digital identity.

In a climate of intense cyber-insecurity, frequent attacks, and low trust, improved security is compelling to consumers. Although biometric authentication can make hacks, theft, and/or identity fraud more challenging, it is not a panacea. Photos and masks have “fooled” facial recognition technology in the past, although better algorithms and multi-factor authentication are reducing errors.

In the US, some 40% of consumers say they are comfortable logging into mobile apps via biometric authentication, according to Gigya. But these numbers vary depending the type of recognition; a 2017 survey of consumer attitudes towards facial recognition used in personal devices found that 39% of respondents are unfavorable, while another 26% are unsure. Consumer attitudes also depend on context and use case. A study onconsumer attitudes towards in-store personalization tactics suggests voice and fingerprint recognition are viewed with relatively less reservation than facial recognition.

For consumers, so much depends on the format, interface, and context of recognition. As the chart above shows, consumers favor voice recognition in a context of shopping, but something like facial recognition for in-store personalization is met with significantly greater skepticism.

Impact on Experience

Transitioning from the interface of difficult-to-remember-and-secure passwords or challenge questions to simply being scanned eliminates friction, can augment security, and significantly improve the ‘login’ experience. Companies like Google and Apple are using machine and deep learning to supplement biometric authentication with ‘multi-modal’ verification, pulling in non-biometric data points like location, device history, behavior and so forth, to enable more ‘passive’ trust values associated with each individual.

Even if AI-based biometric recognition is seen as cutting edge, it is an evolutionary step in reducing friction associated with traditional passwords. Social sign-on gained prominence in the social media age; touchID in the smartphone age.

As technology moves more into the physical world, biometric authentication represents the analogous shift away from the screen-based experience.

Risks and Challenges

The risks and challenges surrounding biometric authentication are wide, and probably not fully understood. Chief among them, from the consumer perspective is the potential for misuse and abuse of personally identifiable information. This can take many forms, for example:

• Privacy: Consumers’ digital privacy concerns center around the collection of the data, how intimate such data are, unauthorized secondary sharing, use, or purpose of the data, improper access, and errors. Privacy risks associated with biometric data run the gamut, from coercive data collection to abuse of PII to identity theft and beyond. User data are often beholden to business [model] integrity, meaning personal data may be handled differently depending on the incentive (e.g. increased sales via personalization vs. infrastructure security).
• Anonymity: While contentious at times, anonymous (or semi-anonymous) web platforms such as Reddit, offer a forum for, among other things, radical transparency, secrecy, free speech, disenfranchised community building, and other protections. Even if biometric data such as images can be encrypted or obscured, the role of anonymity online remains at odds.
• Fraud or simulation: Even if the more sinister or outrageous “hacks” such as cutting off someone’s finger or 3-D printing a model of one’s face are possible, adjacent technologies may introduce a greater threat: simulation. For example, a start-up called Lyrebird offers the ability to simulate an individual’s voice, including tone, dialect, patterns in speech, and so forth.
• Machine error: Even if algorithms have drastically improved, they are far from perfect. Relatively trivial things like scars, burns, or lotion can derail finger or hand recognition. Even if such models perform with human-level recognition accuracy — 97.35% as Facebook’s facial recognition touts — the risk of machine error can ripple outwards with dire impacts. Imagine if the wrong person used biometric authentication to enter, change configuration, and lock down someone’s home.
• Increased friction: When supplementing or replacing passwords and screen-based logins, biometric authentication can indeed reduce friction, but when the technology falters, it can spoil the experience entirely. If users are forced to re-scan or chase verification back-ups from one device to another, companies risk even worse fatigue than passwords. Furthermore, in IoT contexts, the risk of failure expands, as failed biometric recognition could be traced to software, hardware, firmware, connectivity, or elsewhere in the tech stack.

Technology Proliferation

The current surge of biometric authentication techniques is due in no small part to advancements in algorithms, compute speed, access to data and adoption by smartphone giants. As is often the case, the technologies enabling biometric authentication do not live in a vacuum; nor are they being developed solely for biometric-based applications.

Computer vision, broadly defined by numerous technologies that enable computers to see [images, objects, and patterns], are core to the development of self-driving cars, drones, cameras, satellite imaging and beyond. AR/VR/MR are also instrumental for the development of computer vision in mobile, wearables, and hearables.

The shift from processing and analyzing data in the cloud to “the edge” — i.e. local to the device — is also influential, and can mitigate issues around security, privacy, and power requirements. On-device execution and credentialing, and an emerging ecosystem-driven industry standard called FIDO (Fast Identity Online) are working towards an architecture which improves UX, while distributing shared infrastructure costs, and eliminating single points of failure or cyberattack.

These are just some of the technologies which are influencing where, when, how, and why biometric recognition will proliferate.

Access & Mobility

Biometric-based recognition and authentication represent new narratives when it comes to broader user access and mobility. For certain modalities such as voice recognition unlock new market segments such as the elderly, disabled, or non tech-savvy. In the case of other modalities like fingerprint, hand, or facial recognition, such a technology could inadvertently exclude the disabled or a veteran injured by war.

Then there are the longer-term implications of digital identity. In highly developed countries, government-issued “identity” and PII are often interwoven, if still technically siloed from our online “digital footprints”. Meanwhile in less developed countries, or those with political or financial instability, a secure identity mechanism substantiated by biometric authentication could help individuals access services to which they are entitled, preserve their rights and assets, and increase economic mobility.

Identity Access in the Age of Ambient Computing

Although the technology remains in relative infancy in terms of commercial application, biometric authentication modalities introduce consumers to a fundamentally new interface. As sensor and software technologies continue to evolve into mainstream infrastructure, our physical selves may become “key” agents in digital services and transactions.