X
Tech

Steps to success in biometric security app design

As we seek new security solutions, what should app developers working in the burgeoning field of biometric security keep in mind?
Written by Charlie Osborne, Contributing Writer
creditcnet.jpg
CNET

Biometrics is gaining pace as a technological field, but what should app developers consider when applying their talents to the fledgling industry?

A recent study conducted by ABI Research suggests that the biometrics market will generate revenue of $13.8 million in 2015. This may still an emerging market, but mobile device makers -- such as Apple and Samsung -- have introduced fingerprint scanning in their mobile devices.

While nothing is 100 percent secure, a fingerprint can provide an improvement in individual security beyond the standard four-digit PIN number.

Fingerprint recognition, for example, is currently one of the most widely-used biometric security systems -- and yet admittedly is not exactly secure. The inclusion of biometrics into today's mobile devices may not have improved verification and authentication systems greatly, but has encouraged app developers to look towards the use of biometric data to improve individual security.

screen-shot-2015-02-09-at-15-36-35.png

Sandeep Sood, founder of mobile and web application development firm RainFactory -- a Monsoon company -- offered his insights to ZDNet on what modern-day developers need to consider when designing for the biometrics industry.

Monsoon has conducted a number of tests and analyzed data in relation to various types of biometric security safeguards placed on users in the finance, education and retail sectors. Fingerprint scanning is not the only type of biometric technology currently being tested -- heart rate, voice and facial recognition are all in the pipeline, concepts which Sood says "works well if they are designed to guide and educate the user properly."

Within the firm's analysis, Monsoon said app developers must focus on simplifying the user experience. Sood says that simplicity is key -- as every additional step or choice can not only frustrate the user, but ultimately lead to a customer abandoning the system. However, this is not the case in every scenario. Sood commented:

"Sometimes over-simplifying a process confuses the user, especially if you simplify a process with set steps that users have already performed many times. Also, testing shows that for many users, authentication is not an annoying roadblock, but rather, a ritual that validates the financial institution or retailer's respect for user information."

As an example, while working with a bank to replace the traditional password, Sood says a seamless facial recognition system was implemented which alerted users that they had been authenticated after the fact. While convenient, "others felt that their security wasn't being taken seriously enough," according to the executive. After all, security is not just about software -- it is also about psychology.

Another important facet of biometric security application development is the ability of software to integrate well with existing systems. Bands which work as a seamless authentication system, for example, can promise a number of services including access to Wi-Fi networks, websites and hotel rooms without lifting a finger -- but have a long way to go before being truly useful. The purchase and procurement of such bands remains a hurdle, and without availability, friction increases rather than becomes reduced within the consumer experience.

Monsoon also discovered that in testing, users of biometric security applications want to feel seen or recognized. As a result, systems which use faces or voices "feel more personal," Sood says, and while at its worst can feel creepy, at its best, can personalize the experience in a positive manner.

For financial institutions requiring heightened security systems, Sood says multi-modal security systems -- which use several different forms of validation -- work best, especially in the face of random user data change such as beard growth or fingerprint change due to injury.

Sood also suggests that app developers focus their design on enrolment protocol. Biometric security requires data beyond addresses, emails and passwords -- you are asking a user to hand over personal data such as a fingerprint scan, facial and voice records. The user must feel that their security is being taken seriously because of this, and an "intuitive and disarming way" to get users to hand over this data is necessary. For example, asking a user to take a "selfie" proved to be successful as they generally knew what to do -- although some found the idea of selfies "repulsive," hardly surprising if you happen to gloss over Facebook feeds or Instagram from time to time.

If you're going to convince a business to invest in your biometric security system as an app developer, you must prove that your software is better than the traditional password. Just because iris scanning or fingerprint systems look flashy does not mean they are any more secure than a complex password -- a challenge app developers face. Password authentication has evolved, and it is up to developers to try, test and develop prototypes which add value to security.

The biometric security industry has a lot of potential, and developers have much to experiment with and learn from. However, a major lesson each developer has to take to heart is that nothing is 100 percent secure. Sood said:

"We're developers, after all, we know this better than anyone. When it comes down to it, security is just a never-ending war between good guys and bad guys, with each side stealthily inching ahead of the other by a few millimeters, before the other catches up and figures out a new trick. The optimist in me calls this a form of progress, but okay sure, that's a euphemism.

There are some solid security solutions that are relatively effective, like TouchID and various other compelling and secure ones that use iris scanning, but even these are pretty easy to hack. The reality is that none of them are foolproof."

Read on: In the world of security

Read on: Fixes and Flaws

Editorial standards