The views expressed by contributors are their own and not the view of The Hill

Securing government infrastructure with biometrics

The incoming administration — just like the prior one — has signaled it is serious about auditing and retooling the federal government’s cyber infrastructure. 

The Trump administration has made clear, in no uncertain terms, that government agencies are required to work with the private sector on cyber initiatives. This is great for innovators in the nation’s burgeoning information security industry, which has seen rapid growth of biometric security.

Biometric authentication has been around for a long time but has never before been deployed at this scale. One can look at the industry in two distinct periods — before and after the biometric smartphone era. Just a decade ago most people would go through life and never come across a fingerprint scanner or facial recognition camera unless they were in a high-security environment. Today any given iPhone owner uses Touch ID an average of 84 times a day. Something has changed significantly in the past few years.

Today’s biometric security differs markedly from yesterday’s. Forget all you know about biometrics in use at central booking and border access. These legacy systems in use mainly by government won’t answer the day-to-day challenges our nation’s self-examination of information security will reveal. The expansion of legacy systems like those intimidating, bulky palm and face scanners you see at the airport is not likely to inspire trust in civilians. Furthermore, forcing the centralized storage of face and fingerprint data is unlikely to accelerate user adoption of biometric security. Americans who remember the catastrophic OPM data breach are not going to feel comfortable handing over their biometrics to the government or a bank no matter the guidance coming out of Washington.

So how do our InfoSec leaders secure our nation with decentralized biometric authentication? By deploying millions of bulky cameras and scanners to the civilian population? No, and they don’t have to. Most Americans already carry a mobile device with a built-in authenticator, and government infrastructure can and should interface with these. There are almost 2 billion devices out there with some type of sensor including cameras, microphones, and fingerprint readers. These devices are sophisticated enough to guarantee that large-scale deployment of biometric authentication can be rolled out without the need for expensive new hardware.

Another catalyst for mass adoption is advances in industry governance. These include open specifications like those first promulgated by the FIDO Alliance. Open standards such as FIDO authentication govern how biometrics should be used at scale — with biometric templates never centrally stored on a server, and with verification occurring on-device.

Military-grade encryption and the flexibility to layer on more security, as well as multimodal offerings, also make today’s decentralized biometric authentication approach one that the federal government should adopt.

In a report to the former president, an appointed body of cybersecurity experts even threw a bouquet to the FIDO Alliance. This was just a short time after the Department of Commerce’s National Institute of Standards and Technology (NIST) deprecated some two-factor authentication patches that failed to enhance security, and degraded the user experience. 

Biometric tokenization and similar protocols in use across all kinds of modern smart devices — remember to include Intel RealSense cameras and Windows Hello — also make a decentralized approach well suited at least to civilian government cyber defense. Virtually all Americans can access the kinds of mobile devices that make government and civilian use of biometric authentication a secure, pristine experience. And laptops and desktops with similar features are also being shipped.

The devices are commonplace. Locally matched biometrics have matured. Hard lessons about privacy have been learned. Much of what is needed for the federal government to secure its infrastructure is in place. Decision-makers need only the will to keep pace with private-sector innovators in order to make operating and interfacing with the government a secure — and pleasurable — experience. Now that sounds like reform.

George Avetisov is co-founder and CEO of HYPR.

