SINGAPORE (July 16): The use of biometric authentication, or identifying individual users via facial and thumbprint recognition, has helped alleviate organisations’ headache of verifying identities.

But it is important to note the context in which biometrics is used, according to Zulfikar Ramzan, chief technology officer of cyber security company RSA.

“For certain context, biometrics are reasonable, [such as when] the transaction or activity isn’t in a high-risk type of situation,” Ramzan tells The Edge Singapore. “[But] for other scenarios where it is high-risk or you’re accessing assets you want to protect, you want to use something beyond biometrics – something in conjunction with biometrics that is more appropriate for that situation.”

For example, Ramzan highlights that banks assume that the user’s password is not secure. Instead, they look at other aspects to verify the user’s identity. These include looking at the behaviour of a customer, such as his common transactions and transaction values.

“In those cases, the other mechanisms are there to provide some level of convenience and slightly added protection. The protection is from the behavioural attributes that they have been able to collect over many years,” says Ramzan.

This concept of verifying identities and authenticating users has become more important over the years, as more and more data is being put in digital form.

And data protection has been thrust into the spotlight, with legislation such as the European Union’s General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA) coming to the fore.

Now, any breach or leak can be significant – and have a massive impact on the business.

“All of a sudden, it’s not just the security department being held accountable for the breach; it’s the executives and the board being held accountable as well,” says Ramzan.

Further, Ramzan believes that governments play a critical role in providing the right economic incentives to protect data.

“Historically, the challenge has been that third-parties’ incentives to protect your data is not the same incentive as for you to protect your own data,” he explains. “When governments say that organisations have to protect your data, suddenly organisational interests and your interests become aligned.”

“It is really critical to make sure that organisations have the same incentives as you do to protect your data,” he adds. “There is an economic imbalance where [organisations] are not incentivised to behave correctly. We need an overlying force to correct these imbalances – that’s where regulation and legislation comes in place.”