About a year ago I read news that researchers have devises how to make how we walk protect private information opens up an interesting use of biometric data. (https://techxplore.com/news/2018-08-artificial-neural-network-framework-gait.html)
The solution described in the article describes how a personal device with motion sensors are capable of securing communications for personal health sensors and data they generate.
The process seems to have some interesting side use cases that require both secure communication and end user identification. This process appears to deliver a solution capable of doing this without the need for the end user to provide information to validate their identity. The other interesting feature of using a ‘fuzzy algorithm’ should mean that the communication key protecting the data should change for each session. This potentially could provide a suitable level of protection from replay attacks where a recorded session of movements could be identified and blocked from authorising the session.
Coupled to this the ETSI standards for attribute-based encryption can help further secure these transactions over untrusted networks and protect the device ID protecting the communications. (https://www.theregister.co.uk/2018/08/22/etsi_cryptobased_standards/)
This could provide new and interesting approaches to consumer authentication. The vision is to create a consumer verification processes based on physical characteristics of how a person moves could provide authentication data more easily than remembering and entering a password or PIN.
These developments appear to provide two of the three factors of multifactor authentication. Something you have a mobile phone / application issues to an individual. Something you are which is the general movement of the body monitored and checked by a central system. This then just leaves something known between the parties.
This sparked of a memory of a presentation by Royal College of Art students in 2009 about the future of money and finance that covered some interesting ideas. One of which is if money is dematerialised fully why can it not be passed between people with physical actions. The idea if I remember correctly was to throw and catch value between two people. This at the time made me think about individuals using gestures as the biometric authentication. I investigated the capabilities of the mobile devices in 2009 but the Gyrosops were not accurate enough. In the 10 years since with the development of Virtual Reality hardware now appear capable of collecting enough data about movement to make this feasible.
Could a specific gesture known by the individual and the trusted party be used to authorise an action? Probably but this seems over kill with the rise on on-device biometrics for use cases such as authorising payments.
A gesture could be useful when the mobile user has not provided enough passive Gait based biometric data to secure the transaction. For example, when travelling on a train or sitting at work buying stuff online..
I foresee a transaction flow where the user receives notification that a biometric check is needed to their phone toauthorise a transaction. The movement unique to a user, the biometric is captured coupled with a second passive biometric ‘ the gait’ which is used to protect the authenticating biometric and transaction data over the current standard communication protection techniques.
The advantage of this type of protection is that over time that fuzzy logic algorithms accuracy will improve as more data is collected and processed to further increase the value of the protection offered.
Both the gait and gesture-based security technology provide personal data protection in ways that could be acceptable to general public. It appears to offer a solution that is easily accessed most of the population as all the individual needs to do is perform a repeated movement a with compliant mobile device.
The potential for this is clear and potentially be both disruptive and complementary to existing authentication methods. It could displace some use cases as it happens in the background and enhance others by providing additional protection for authentication data over insecure networks. Provides a way to both protect data over open networks – provides a way to derive a secure key and provide a degree of authentication.
In this type of solution, the biometric data can be held by either reliant party or by an identity provider. This means it offers either a simplified the technical and commercial models for adoption for organisations capable validating and verifying the user. For other organisations it could be used using a federated ID service where the reliant party uses a 3rd party to validate the credentials presented.
This could be the future with the continued developments in augmented reality one can see the possibility of adding a simple gesture to make the payment for the goods. Just a thought but was it not a gesture that people made at physical auctions – back in the day!.