Let’s talk about digital identity with Andy Milton, Head of Channels at Hitachi Digital Security.
In episode 15, Oscar talks to Andy about Hitachi’s pioneering finger-vein biometrics – VeinID Five. Hear about its use cases (present and future), the evolution of the product to its current form, comparison with other biometric and non-biometric authentication methods and, importantly, the relevant privacy and security risk mitigations.
[Scroll down for transcript]
“I think it’s going to be an interesting time in the biometric world. I think we will start to see that one biometric is not necessarily the best at everything. So we are going to see lots of different applications of different technology and at different times. And what we will potentially start to see is also some of them start to become blended together as well.”
Andy Milton is Head of Channels and Marketing for Hitachi Security Business Group. He joined Hitachi in November 2018 to lead and develop the channel strategy for the Hitachi Security Business Group in EMEA and North America. With over 30 years in IT and 20 years in cybersecurity, Andy’s experience in working for both vendors and channel partners has given him a unique insight into the workings and drivers for aspects of the channel. He brings experience across a wide range of products and solutions including SIEM, device management, WAFs, network devices and a specific interest in identity management and biometrics.
Get in touch with Andy on LinkedIn.
Hitachi Europe Ltd., a wholly owned subsidiary of Hitachi, Ltd. (TSE: 6501, “Hitachi”) is headquartered in Maidenhead, UK. The company is focused on its Social Innovation Business – delivering innovations that answer society’s challenges. Hitachi Europe and its subsidiary companies offer a broad range of information & telecommunication systems; rail systems, power and industrial systems; industrial components & equipment; automotive systems, digital media & consumer products and others with operations and research & development laboratories across EMEA.
For more information, visit www.hitachi.eu.
To find out more about Hitachi’s Finger Vein products visit digitalsecurity.hitachi.eu.
Hitachi is a Ubisecure partner. Find out more about the partnership, including further resources on VeinID Five, here: www.ubisecure.com/partner-directory/hitachi.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Or subscribe with your favorite app by using the address below
Intro: Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello, and thanks for joining. Today, we will hear about a very novel authentication method, multi-factor authentication method based on biometrics that you might not have heard before. My guest today is Andy Milton from Hitachi.
Andy Milton is Head of Channels and Marketing for Hitachi Security Business Group. He has more than 20 years of experience in cybersecurity across many companies.
Andy Milton: Hello, Oscar. How are you?
Oscar: Very good and very happy to talk with you today about what Hitachi is doing with this very interesting new authentication method. So I would like to hear first from you how your career, how life led you to this world of digital identity.
Andy: OK. So just over 20 years ago now, I made a decision to move from engineering IT into security as it looked like it was becoming interesting and a hot market space, and that has proved to be very successful and a very good choice. So after working for several different vendors and partners and resellers, I’ve now found myself with the opportunity to join Hitachi with the addition of their new VeinID product, Five, which is very exciting for us all. I joined just over a year ago.
Oscar: OK. Fabulous. So you joined cybersecurity really many years ago and you have been in this industry since then. And very recently as you said, you are in Hitachi with this very interesting product and technology that we are going to hear about today. So that’s the next thing that I would like to hear actually. What is Hitachi hand gesture technology?
Andy: OK. Hitachi has been using technology to read the Vein pattern within the centre section of someone’s finger for just over 20 years. Originally, it was developed to be used in cash points in Japan rather than having to type in a PIN number or if you were going to perform a higher-value transaction, they would want to really make sure that the person standing there wasn’t just the person with the card and a PIN, it was actually the person that is the owner of the account. So they started developing this technology to be used in cash points. We’ve deployed it in Japan, Poland, Turkey, and many other European countries.
The technology then evolved and we were able to put into more desktop type devices which enable us to do – operate payments with people like Barclays and other large banks, SocGen, and others. And what that then created is more of an interest in this type of technology. The accuracy of it, the speed at which it can read someone’s finger vein and the level we were able to manage so we then moved to doing some projects around things like pay by finger. Currently, we have an ongoing project with Copenhagen Business School where all the students can use their finger by inserting it into one of our readers to make a payment, which is very innovative and has been very well-accepted. And we are seeing several more of those start across Europe.
Now, one of our customers came to us. He moved from one of our existing customers to a new one and he approached us and said, “I cannot give somebody a device to carry around, so if you can find a way of enabling the accuracy and the speed of what you do with using a standard webcam on a normal laptop or a mobile device that then I would be really extremely interested”. And that process started about two years ago in Japan and we are now at the point where we are launching the product.
So all you need to do to authenticate yourself is simply raise your hand in a high-five like gesture to your laptop camera and it will log you into the system, so replacing your Windows password and removing the need for a password there. Also, as we continue to an iteration of this, and this is where we are working with Ubisecure is enabling someone to access a website or a third-party service simply by raising their hand to the camera.
And what this provides, as a differentiator I think, is the ability to uniquely identify someone with something that is part of them and can’t be borrowed or lent or given to somebody else.
Oscar: So this evolution of around 20 years, there was already some first product with this hand recognition. And now, this is a newer product based on as you said, some customer requirements to make things simpler, getting rid of the special reader.
Andy: Yes. Yes, and reducing costs. The physical readers were quite an expensive device that you certainly wouldn’t use them as something that was disposable. But now, we can use the standard camera technology within a laptop or a mobile. This is something that everybody already has so it’s simply a software license. So it becomes much more flexible and much easier to use. The real strength in our product is the user experience. It’s really much more pleasant than typing passwords, trying to remember passwords, especially if you are accessing a service or website that is not used for a couple of months, maybe when you come back to it, it becomes very difficult to remember for most people what password they’ve used.
Oscar: Exactly. Could you explain this a bit more – how it works, this hand gesture recognition? What is the pattern that is taken, how, and why this is better than other biometric methods?
Andy: OK. The vein pattern within your finger as a human is totally unique, more unique than several of the other biometrics that people have used. But always with biometrics, there is a process that we are going to take, that capture is going to go through. So Hitachi, with the banking background, have developed a very secure method of capturing, processing, and storing that so that what we capture on the way out is a mathematical representation of the vein structure within your finger.
Now, we can detect that with a standard camera, with the normal light that’s around. We then take that capture because we can see the blood in someone’s finger, that that gives us proof of life which is always a challenge with some of the biometric solutions. We’ve probably all seen the films of Mission Impossible or some of the others, people taking fingerprints that have been left behind or wearing masks to fool facial identity, or an even more horrible one, they removed someone’s eye to do retina or iris scanning. It’s never particularly great and it’s quite a horrible thing to see.
But that for us is one of our benefits. What we are capturing on someone is actually hidden within their body. We are able to see that with the camera. We are able to take out that image and process it. Convert that into a mathematical template, store that somewhere safe. And what we take out to store as our template is not what is replayed when someone tries to authenticate. So the two templates are different. So that helps us ensure that we are not seeing a replay of someone’s enrolment template back to us as an attempt to spoof our system.
So you asked as part of the question, why are we better than other biometrics? I think it’s going to be an interesting time in the biometric world. I think we will start to see that one biometric is not necessarily the best at everything. So we are going to see lots of different applications of different technology and at different times. And what we will potentially start to see is also some of them start to become blended together as well. So maybe using facial with voice or other things because I think this is all about proving someone’s identity. So making sure that the person that you’re capturing that information from is really that person who is there. It becomes more important. And how we are going to do that, becomes the key to our success.
Now, our particular solution that we are doing now for laptops and mobile for password replacement is extremely secure and extremely fast. As I said before, really easy experience for the user. They’re simply just raising their hand to the camera, positioning it in our template and it’s authenticating them in less than a couple of seconds. So for a user, that’s so, so much easier than typing in complex passwords that they probably potentially forget.
But also, when we look at from a business point of view, on the receiving end of that template or managing that customer interaction, what companies are seeing is if they can look after a customer and keep them within their digital channels – so website, mobile phone apps, these types of things – then the cost to the company is very small on looking after that customer and giving them a good experience. But once that customer moves to other channels like phone or web help or other things, the cost of looking after that customer increases quite substantially.
So finding a way that they don’t have to constantly be resetting and managing people’s passwords, and also dealing with the frustration of customers in having to manage and look after and maintain their passwords, is also a huge benefit as well. Because customer frustration with a password, even though it’s the customer’s responsibility to look after and maintain and remember, their frustration is always directed at the website they are trying to authenticate to and ultimately the service they are trying to access.
Oscar: Yeah, it’s pretty impressive the way that this– you don’t need any special device, just a webcam or the camera from the mobile phone can recognise this pattern. It’s definitely pretty impressive and looking forward to seeing this in more and more applications. Well, now that I talk about applications, could you tell us– you mentioned already one example in Denmark but do you have other examples where this is being used today or where it’s– what is coming next?
Andy: Yes. So the applications for us are going to be very similar to the ones we’ve done with our physical readers. Time and attendance management for employees. We’ve seen quite a lot of interest in doing – working hours management in Spain, they’ve been introduced a law where they specifically specify that an employee needs to track and the company needs to track the hours the employees worked, so we’ve seen quite a lot of interest in places like that.
Access to hospitality venues. We’ve got projects going with Wembley Stadium, Lord’s Cricket Ground, Ascot Racecourse, Henley-on-Thames for the rowing – so some very prestigious venues in the UK already working with us.
But I think specifically for this VeinID Five product, I think we’re going to see more applications around online services and around payments and banking and accessing certain services for users. So we are working with a mobile telco operator that has recognised they have a big problem with people forgetting and not remembering their passwords, as most of the time they access their services on their mobile device and if they then have to move to the website to do something more complicated, invariably, they don’t remember their password.
We also have seen in insurance and financial services, where companies have multiple different portals for different solutions and products that they’ve either bought or developed over time, combining that with the solution that Ubisecure’s has enabled us to do a single sign-on process for them simply by raising their hand and then they get access to all the services.
Oscar: Exactly. Well, there are definitely – as you say, there are many possibilities of where to apply this technology. It’s mostly a second factor authentication, right? There will be always or most of the time one – let’s say, username-password or some method and the hand gesture the second.
Andy: Yeah. We would envisage that someone would enter a username and that then enables them to pull the template for that person to the machine and then they’re authenticating against that template. That is how we see this working most efficiently and effectively for both the customer and for the supplier.
Oscar: Yes. And I’m sure someone listening to this might start thinking of the privacy about getting this – the pattern, where it is stored, etc. So, what would you say about privacy? This pattern that you are– there is an enrolment as a first process when you enrolled your hand. I think you have to do both hands? You enrol the both hands. Where are these patterns stored and how are they processed after that?
Andy: Yeah. So we often get the common misconception that we are capturing a picture of someone’s hand and that might be able to– we’ve captured a picture of the hand, then people can steal that and use it in other places. But that’s absolutely not the case. No point in our capture process do we capture an image of the hand. What we are doing is – the data from the camera we analyse in real time, create a mathematical representation or a template, however you want to describe that, of what we’ve done that looks like someone’s vein pattern. And that we then encrypt and is stored in an encrypted database as well.
And what we capture is not what we then replay back to the device. So we actually run a sophisticated process where we mix the template with some other information that means that the template going out is not the same as the template coming back. So the solution is very, very secure. And it has been built this way because of the projects we’ve had working in the banking industry. We’ve approached this market from, as I said, 20 years’ experience in working with banking, banks don’t use insecure solutions.
Oscar: Yes. The fact that you just explained that this pattern or templates or however you call it, when you enrol, when you capture for the first time the vein pattern that it’s never the photo so it’s just a set of data points, mathematical pattern of that. Well, that’s already a security measure for not being able to copy that and use it later.
And then where is this pattern stored? Is it locally on the mobile phone or laptop or is it on your servers? Where is that stored?
Andy: There are a couple of different solutions depending on how we do this. We’re either storing it in a cloud-based server or we can store it locally on the machine. So the user is in control of where their template is. Typically with most of the services we are talking with you, we are going to be storing them in the cloud and then deliver it at the time that the user authenticates, because we envisage that we may see occasions where somebody has lost their mobile phone and needs to go on a laptop that they’ve never used before so we need to be able to deliver the template to that device at the time they are trying to get access.
Oscar: So there is a possibility of both, stored locally or stored in the servers, in the cloud.
Oscar: And that leads to another question that comes from there – is that Hitachi provides this as a service or as their customer, let’s say the bank, the bank will install your hand gesture system in their server. So which one – or both?
Andy: It actually could be both. The customer would need to install a small application on their laptop or on their phone but that would actually only be triggered by an external service making the call to start the process. So for example, you were trying to access your bank website. The bank website, type in your username, it says, “Yup, this is Andy. OK. Here’s Andy’s template.” Send it to the machine and the machine then loads that for you to match against within our application.
Oscar: OK. Yes. So both are possible. Also, that makes a very flexible solution of course for any organisation that is considering doing this.
Andy: Yes. So the bank or the finance company or the service provider also has control of the identities that are on their system. So helping them reduce that risk.
A couple of other things we’ve seen that start to help with this is a substantial reduction in the risk of someone being subjected to a phishing attack because if you are no longer entering a username and a password, these emails that you get asking you to click on here and enter your username and your password, still is accounting for a huge amount of the issues we see. So removing the password typing in piece and it’s literally, raise your hand. That removes that problem and that saves that issue for the user.
As well, the other problem we see this really addressing is password stuffing where it might not be the website that you’ve got this password on but that you’ve used the same password on another website. You see a hacker find that password and that username and then they try that username and password on lots of different associated websites. We are seeing this take place a lot. And the removal of passwords will really slow that process down and remove it and provide a much greater level of security for both the end user and the supplier.
And obviously, the suppliers to the customers, more and more they are going to– under things like GDPR, they have to prove that they’re doing everything they can to protect the users.
Oscar: You said that the technology was using – some time ago when it was created, this hand gesture technology was using physical readers and it moved to this method without readers, just using a webcam. So this new portfolio of products that we are talking about is only about using the webcam, correct?
Andy: Yeah, it’s only about using the webcam- or the webcam solution is pretty well-finished and ready and commercially available. The mobile phone version comes within the next few months as well. So we will see more and more applications of this.
Oscar: And how compatible let’s say with all devices, all computers, all laptops or even all mobile phones?
Andy: Yup. OK. That’s a lot of questions in one go. A laptop, we are looking at a Windows-based device, Windows 10 and newer. We expect to see at least a 720p camera which is most reasonable business spec laptops of the last two, three years, and then a few other sort of bits and pieces after that. But predominantly, we expect this to be available on most standard laptops for people to use. We don’t need an extremely high-resolution camera and we certainly don’t need an infrared camera or anything else. We are able to read the vein pattern just with the ambient light that reflects through people’s skin. Your skin is actually much more transparent than you realise and we are able to capture enough information from that.
The mobile devices – they are still in testing at the moment. We are expecting it to be Android from the last but one version so I can’t remember the names of all the Android ones off the top of my head. But we were talking Samsung Galaxy S8, we’ve done testing on an S9 and then obviously the newer ones. When we look at Apple phones, we were iPhone X and onwards, that there is some parameters we are working on with some of the devices. But actually, the great thing about all the modern cameras is they have a flash in the back so they actually enable us to create a very stable lighting environment. The cameras on mobiles are actually higher quality than they are in your laptop.
Oscar: Yeah, that’s true. Yeah, interesting. So yeah, actually it means that it’s going to fit most of the laptops and webcams that exist today. Of course, I will always say, if someone wants to use any system in a let’s say unsupported version of Windows, that’s already making their system unsecure no matter what is the authentication method they plan to use. So it makes sense that it’s compatible with Windows 10 which is available already for many years.
Oscar: So how do you foresee more in the future this technology that is now being deployed in these last two years and then this year as there are many projects coming? How do you see a bit more in the future of how this technology will be used?
Andy: I have to be careful. I’ll get told off here if I talk too much about futures. But we will see it used across a lot more different platforms. So at the moment, we talk about laptops and mobiles, but actually as we start to move forward, we think about televisions – and can a television have a webcam on it these days? Absolutely. Could that track enable you to authenticate to your TV service? This is all potential.
And then we talk about boxes that are attached to TVs, gaming consoles, just about anything that would have a camera attached to it that there is potential.
We’ve had someone approached us about asking whether we would be interested in doing something for access control on domestic property. We’ve had somebody else approach us just asking if we’re interested in looking at automotive applications of the technology. And all the things that we are doing, we will look at. There’s going to be lots of other different applications of our technology that we’re going to see over the next few years I think.
Oscar: Yeah, right. I haven’t thought that but yeah, TV certainly and game consoles already are some of the next candidates of course for this as they already have some cameras on it, good enough camera, more than good enough cameras for this technology for sure.
Andy: Yeah. And it’s interesting, your car today has cameras on it. And actually it’s about how we could potentially use those to do things – to remove the need for keys and other stuff.
Oscar: Andy, could you now give us a tip for anybody, how we can protect our digital identities?
Andy: As not everybody will have a VeinID Five today and it’s not rolled out to everywhere yet, the tip I always used to use was try to build something that’s not a dictionary word to use as a password. So we typically use a specific phrase, so it would be something like “England won the World Cup in 1966”. And then we would take the first letters of all of those and that would be what would make the foundation of the password. And then to add some uniqueness, I would always then add a couple of letters from the website from the first few letters of the website into the string at some point so that it creates something that’s truly unique and can’t be- as I said one of the issues with passwords is not only to keep making them very complex is hard, but also making them not be able to be reused across lots of different websites.
So yeah, think of a particular phrase that means something specific to you and then insert some letters out of the name of the website that you’re accessing into that string, and that then lets you create a unique password each time.
Oscar: Yeah, it sounds like that’s a good method because even though things like- thanks to technologies like Hitachi hand gesture, we still need a few passwords for the next years so I think we don’t get rid of them completely, in the short term at least. So yeah, that’s a good method. Thanks for sharing that.
And if you have something else to tell us about the Hitachi hand gesture technology that we haven’t covered…?
Andy: I think we pretty well-covered everything that someone would need to know. We are currently as I said, working with you guys [Ubisecure] to integrate into your platform and several other applications. So I guess if people are keen and interested to learn more, they can contact us through the Hitachi Digital Security, so it’s www.digitalsecurity.hitachi.eu. Through that website if they’d like to find out more information or contact me directly and we will happily find a way talk about what we are doing and how we might be able to help them and work with them.
Oscar: Yeah, excellent. Thanks a lot for this very interesting conversation and learning more about this unique technology that I really hope to see in the next months and be able to try myself in some application. Hopefully, services will start enabling that.
Andy: Good. Yup. I’m looking forward to it, Oscar. I’m excited about the partnership with you guys [Ubisecure] because I think it makes the application or the technology much more effective than we’ve been doing just on Windows passwords.
Oscar: Yes. Yes, we are. Absolutely. And yeah, all the best on this endeavour for you, Andy, and Hitachi. And let’s keep in touch. So have a nice day.
Andy: Excellent. Thank you very much. Thanks, Oscar.
Outro: Thanks for listening to this episode of Let’s Talk About Digital Identity, produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the hashtag, #LTADI. Until next time.
[End of transcript]