Bio-whatrics? In the Identity Market, Biometrics Solutions are Gaining Traction, but With Too Narrow a Focus

I recently had the opportunity to attend Identity Week in Washington, D.C. While this is a smaller conference compared to RSA Conference or Black Hat, some of the conversations were just as powerful and much more focused on the identity market. I was at first encouraged by the large focus of biometrics at the conference, but quickly discouraged upon seeing the limited use cases many of the vendors were promoting.

Biometrics has the potential to make identities more secure while improving ease of access for users. Smart phone companies have caught on to this, and most major cell phones now allow unlock utilizing a fingerprint or even facial recognition. But one of the challenges, of course, is capturing those biometrics, securely storing a representation of them in digital format, then accurately comparing the biometrics on file to a user. So, I was very happy to see a large number of biometrics vendors at the conference featuring their capture and storage technologies. Unfortunately, many of these vendors seem unsure what to do with the biometrics once they’ve been captured.

The most common question I asked these vendors was, “What can I do with these biometrics after I’ve captured them?” In most cases, the response was focused on background checks or similar verification of identity, such as employee onboarding requirements for human resources. But that seems to be where most of these vendors stopped – no integration with identity access management, identity governance, or access control technologies. While there were several vendors present offering identity governance, none of these vendors seemed to have strong integration with any of the biometrics capture technologies.

Imagine an employee onboarding experience that goes something like this:

• An new employee utilizes a kiosk to scan his or her onboarding documents, such as drivers license and passport.
• The kiosk then captures the employee’s biometrics, including a photo of the employee and the employee’s fingerprints or palm prints.
• Utilizing optical character recognition, the kiosk identifies the employee’s name and personal information, then prompts the employee to review and verify.
• After the employee reviews and verifies the information is accurate, the employee submits the onboarding package through a single button push at the kiosk.
• The kiosk utilizes the employee’s information to retrieve the background check information, as well as compare fingerprints to national databases, if necessary.
• Once the background check is complete and the employee’s identity is verified, the kiosk creates the employee’s HR records, as well as the network login.
• A smart card badge prints and the employee is prompted to enter his or her PIN.
• The smart card badge is provided to the employee, as well as a record of the employee’s new login account, which is disabled by default. This information is then sent to the IT department to assign permissions to the new account and enable it.
• The smart card and any needed biometrics information is also sent to the physical security department, so that the proper physical access control permissions can be implemented.
• All of this information is tied directly to the login account of the new employee, so when HR indicates that they have left the organization, the employee’s login account and physical access are automatically disabled at the same time.

With biometrics and identity governance technology currently available, all of this should be possible. As an industry, though, we seem very siloed and unable to expand the scope of what our solutions can do, even if it’s through third-party integrations. Instead of developing smooth integrations for easy onboarding, we put the bulk of the work on the new employee, requiring them to fill out multiple forms with duplicate information and visit multiple departments, then employees perform duplicate working entering this same information into multiple, separate systems. While it’s great that these duties are separated, the usage of an integrated system should be the true goal of any identity governance efforts through the total management of a complete employee identity’s lifecycle.

I’m very encouraged by the advances being made in the realm of biometrics, identity access management, access control, and identity governance. Now, it’s time to bring it all together and operate as a single, unified system for enterprise identity governance.