Passwords are old fashioned, impractical and insecure. Enter increasingly pervasive biometric technology and the promise to guarantee the identity of who is at the other end of a mobile device or reader, enabled by BOPS (Biometrics Open Protocol Standard).
This has led biometrics industry leaders, such as Hector Hoyos, CEO of Hoyos Labs, to predict that smartphones will undergo a revolution in the coming years as biometrics hardware devices, not least for access control.
Memoori’s 2014 Security report showed that growth in the sales of Access Control has increased to 10% as it moved into IP Network systems and biometric and identity management systems. A 2015 update to our Security research will be published next month.
In September this year the Standards Association of the IEEE (the Institute of Electrical and Electronics Engineers) approved standard 2410-2015 or BOPS as the global standard for identity and authentication on the Internet and mobile devices.
The purpose of BOPS is to provide an open and biometrics-agnostic multilevel security protocol and platform. In other words it allows non-technical users to interact with a system using multi-factor authentication (for example, biometrics) that integrates with systems in a simple manner (from a technical point of view).
BOPS consists of a set of rules that governs and safeguards communications among a variety of client devices, including mobile phones, desktop computers and ATMs. It is a trusted server that manages the acquisition and manipulation of biometric data that’s captured by those devices. The BOPS guidelines make use of the U.S. Department of Defense’s Trusted Computer System Evaluation Criteria (TCSEC) and are biometric-neutral.
“Identity is the true currency in today’s world. Without proper standardisation in place to clearly secure and authenticate someone’s identity online in a comprehensive end-to-end manner, we will continue to see a plethora of hacks and cyber-attacks, which cost financial institutions billions and make consumers fear for their personal data”, said Hector Hoyos. “The IEEE has taken a very forward-looking stance in adopting BOPS as the global standard for digital identification and authentication”.
As a function of submitting BOPS to the IEEE for review, Hoyos Labs has made the BOPS protocol open to any organisation that desires to use it for digital authentication purposes. This development has drawn attention from a number of big industries and, perhaps unsurprisingly, the financial industry leads the line.
“BOPS represents a breakthrough in financial transactions. For the first time, financial brokers and customers are offered unique, repeatable assurance that every transaction can be tied to a person without question. The timing could not be better, as banks and financials are moving away from passwords and PINs, as we seek better vehicles to safeguard our data. This level of assurance stands head-and-shoulders above traditional authentication frameworks that suffer hacks on a daily basis”, explained Kevin McNamara, CEO of McNamara-Group and formerly Vice President of R&D at JPMorgan Chase.
BOPS integrates its security protocol into a single layer in which certificates are automatically managed. This design reduces the number of fail points and mitigates risk of security poisoning by removing multiple vendors and reducing the attack surface. It instruments the binding of the person to the role, location and resources that the person is given access to and the device(s) that he or she is authorised to use, and all within the single layer.
It also uses a highly secure technique called visual cryptography to encrypt channel transmissions and certificate bindings. The biometrics vector is split into two “halves,” and each half is encrypted in such a way that no useful information can be extracted should either portion be compromised. This design allows an individual to link multiple devices to his or her identity without creating duplicate identities on the server, which has the added benefit of guaranteeing the security of the biometric vector itself.
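The two-share split described above can be illustrated with the classic Naor-Shamir 2-of-2 visual cryptography scheme applied to a bit vector. This is an added example, not code from the article, Hoyos Labs or IEEE 2410-2015; the sample template bytes and all function names are constructed for illustration, and the encoding the standard actually specifies may differ.

```python
import secrets

# The two possible subpixel pairs for one bit in a share (1 = dark subpixel).
PATTERNS = ((0, 1), (1, 0))


def to_bits(data: bytes) -> list[int]:
    """Expand bytes into a most-significant-bit-first list of 0/1 values."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def split(bits: list[int]) -> tuple[list[int], list[int]]:
    """Split a bit vector into two shares of twice the length.

    Share A gets a random pattern per bit. Share B gets the same pattern
    for a 0 bit and the complementary pattern for a 1 bit. Either share
    on its own is a sequence of uniformly random patterns, so it carries
    no information about the secret.
    """
    share_a, share_b = [], []
    for bit in bits:
        p = PATTERNS[secrets.randbelow(2)]
        q = p if bit == 0 else (1 - p[0], 1 - p[1])
        share_a.extend(p)
        share_b.extend(q)
    return share_a, share_b


def stack(share_a: list[int], share_b: list[int]) -> list[int]:
    """Overlay both shares (OR of subpixels) and read each bit back.

    Two dark subpixels means the secret bit was 1; one dark subpixel
    means it was 0.
    """
    bits = []
    for i in range(0, len(share_a), 2):
        dark = (share_a[i] | share_b[i]) + (share_a[i + 1] | share_b[i + 1])
        bits.append(1 if dark == 2 else 0)
    return bits


if __name__ == "__main__":
    template = b"\x5a\xc3"  # constructed stand-in for a biometric vector
    a, b = split(to_bits(template))
    print("share A:", a)
    print("share B:", b)
    print("recovered:", stack(a, b) == to_bits(template))
```

Every bit position in a single share shows exactly one dark subpixel regardless of the secret bit, which is why a compromised share alone reveals nothing.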
“The IEEE defines what the most important and valuable components of technologies are via its standard-setting functions,” said Scott Streit, IEEE 2410-2015 Committee Chairman. “Creating the standard for online authentication of identity is vital to secure the future. Propagating this standard globally will help to defuse the ticking time bomb of cyber fraud and identity theft”.