Kiosk Authentication Is Getting Trickier
As kiosks are handling more sensitive and compliance-controlled data–as well as literally giving users money and other high-value items–robust authentication is critical. But robust in the kiosk realm cannot mean time-consuming or in any other way deliver friction. Done properly, biometrics can address both, but there are significant tradeoffs between the various biometric forms and how their settings are handled.
One environment, for example, that requires extreme speed when authenticating a transaction are concession stands at a sports arena. “Businesses want to know and need to know who is in that facility,” said Frank Olea, the CEO of Olea Kiosks.
Just about every form of biometrics (finger scan, eye scan, vein placement, facial recognition, voiceprint, etc.) have their pros and cons. This involves accuracy as well as friction, in the sense of how easy is it for the system ro register correctly the first time.
Fingerprint is easy to implement and to perform. but a substantial number of people have skin issues (excessive use of detergent, prescription drugs that thin the skin, damaged or seriously calloused fingers, etc.) that prevent fingerprint scans from working for them. Facial recognition–which today stands as the most popular authentication on smartphones–can be finicky, requiring the user’s face to be a precise distance from the phone.
All of these methods can be fooled fairly easily depending on the settings selected–more on that in a moment–so the best theoretical route is to layer multiple authentication methods. But that would sharply add friction and time to the process, which can defeat the point of using biometrics in a kiosk.
The settings issue is sensitive. The choice is figuring out how strict or lenient you want the authentication system to be. An ultra-strict setting is more protective, but it runs the risk of incorrectly denying access to legitimate users. The reverse is true for the opposite: An ultra-lenient setting means fewer disgruntled users, but it also means that some thieves will get a greenlight. Note: It is virtually impossible to choose a setting that will allow in all authorized users and simultaneously block all bad guys. Hence. you choose your poison,
Some kiosks can piggyback on smartphone authentication. In other words, if a registered iPhone or Android device uses its biometrics to authenticate the user, the kiosk can simply take the phone’s word for it. That way, the authentication mechanism doesn’t have to be included in the kiosk.
Smartphone handset makers, though, tend to choose more lenient settings as they would rather let in a few thieves than block a legitimate user. Why risk alienating the people who paid for the device?
Another authentication decision–whether the kiosk authenticates directly or relies on a smartphone’s authentication–is what happens from an authentication fails? And when it fails, who gets to decide what happens next: the kiosk or the user?
Most smartphones, for example, talk a great game about how secure their biometrics are, which is generally true. But it that method fails, the device falls back to a simple PIN. That means that if a thief wants to break in and the thief can’t fake the user’s face, all that the thief needs to do is fail the biometric and the system will then allow access by the much less secure PIN. It’s akin to paying for a high-grade security door with an industrial-level deadbolt–but then adding an option for the thief to enter via a simple doorknob if the key doesn’t work. It obliterates the security of the door.
If a smartphone wants to brag about the power of its facial recognition, it is saying “If the thief doesn’t look exactly like you, they can’t get access.” But if the thief can simply use the PIN, then the PIN is the top level of security. Lowest common denominator.
Some kiosk authentication systems offer a wide range of authentication methods if the first fails. That’s fine, but the kiosk needs to choose–and vary–the method. If the thief is allowed to choose, what is the point?
One of the authentication devices that Olea uses is the iBar 600, which has small motors to move the unit to deliver the easiest authentication for the user. It also supports both Iris and facial scanning.
Olea points out that the price ROI decision is where a lot of kiosk conversations get complicated. “I look at the ROI and the security issue as critical. Many customers are overly focused on price. When I look at the ROI, I talk about how much more cost-effective these are when compared with a security guard,” he said.
- Iris ID iBar 600
- Height-adjustable patient check-in
- Passport and fingerprint scanner design tips by Olea
- Face Biometric News – Face Kiosks and Facial Kiosks in Self-Service(Opens in a new browser tab)
- NYPD HQ Ceases Use of Fingerprint Authentication to Slow Coronavirus(Opens in a new browser tab)
- Olea Kiosks 2023 – Why Olea Kiosks May Be Your Ideal Kiosk Partner
- Outdoor Kiosk Design – Frost & Sullivan Recognizes Olea Kiosks –
- Healthcare Kiosk – Olea Expands Epic Welcome Kiosk Solutions
- An old representation of biometric methods that still has value