Ensuring that only those authorized to access a device or network can do so is at the center of effective cybersecurity. However, putting the appropriate controls in place can prove daunting. Authentication methods have remained largely mired in usernames, passwords—which keep getting longer and more intricate—and PINs. These carry-overs from the earliest days of computing pose steep challenges... and growing dangers.
“Online fraud is driving the need for biometric authentication,” observed Steve Cook, a U.K.-based biometrics and financial-services tech consultant. “Consumers are also fed up with their personal data being compromised, whether it’s with passwords, account takeovers, or identity theft.”
Added Sean Duca, vice president and regional chief security officer, Palo Alto Networks Asia Pacific region (Palo Alto Networks is Security Roundtable’s parent company): “Thieves steal usernames and passwords from a range of different websites. Once they have harvested them, they have tools that automatically test them at thousands of different sites.”
Enter biometrics. Over the last few years, digital fingerprints, iris scans, voiceprints, facial recognition, and other methods have emerged as viable authentication tools. They’re accurate, they’re secure, and they’re convenient. What’s more, the technology is in the newly released iPhone X, which uses facial recognition, called Face ID, to authenticate device users. Meanwhile, banks are introducing biometric ATMs, and airlines and others are experimenting with fingerprint and face scans.
“The field is advancing rapidly, but there are challenges related to biometrics, both from the perspective of an organization using it to protect their systems and also to build security into apps they offer to the public,” explained Anil Jain, a distinguished professor in the Department of Computer Science at Michigan State University. Added Duca: “Biometrics can significantly improve protection.”
The eyes have it
A starting point for any biometric program is to understand that every technology and approach represents risk, but biometric authentication is typically an improvement over a security scheme that relies on usernames and passwords. Employees too often use the same passwords for multiple sites, they create easy-to-hack passwords, and they write them down on paper, where they can easily be viewed. Most fraudsters can figure them out quickly. “Every security mechanism has some weakness or fault. Biometrics offers many more advantages than disadvantages,” Jain said.
However, all the recent advances also deliver some caveats—and new risks. “Biometric technology is not 100 percent perfect. It relies on probabilities and confidence scores. Therefore, it must work in conjunction with other security measures, such as device binding and behavioral patterns,” Cook explained. Moreover, “It is possible to sometimes spoof someone’s identity with a photo, for example.” This has occurred in a number of instances with Apple’s Face ID, and other systems have been spoofed as well.
There are also practical concerns. These include the possibility that a business traveler, for example, using a phone equipped with facial biometrics could be forced to unlock it simply by having the phone held up to his or her face. Once opened, it would be possible to rummage through apps and data.
Voice of reason
Here are three ways to reduce risks and get the most out of biometric systems and devices:
Evaluate risks, develop policies, and establish a strategy. Line-of-business executives and security teams should review what data should be allowed on devices—particularly when an organization sends employees abroad. It’s also important to review how biometrics can potentially protect data and put it at risk. Of course, this extends to tablets and laptops as well. For example, MacBook Pros now include fingerprint readers.
Use multifactor authentication. A straightforward solution, Jain said, is to require multifactor authentication for any and all events, or for situations that represent the greatest risk, such as large financial transactions. A tiered policy might mean, for example, that low-risk transactions or processes require only a facial scan or fingerprint scan, but high-risk transactions require a secondary form of authentication. That way, even if a password or root biometric identity is stolen, it’s next to impossible to use it. Cook said that one way to achieve the highest level of protection with biometrics is to use a secondary form of biometrics. This could mean requiring a text code or a rolling code generated by an authenticator app. It could also include other digital tools. For instance, “Combining face and voice, like a selfie, with random tasks in real time makes it harder for fraudsters to circumvent or repeat. This doesn’t cause any additional friction because a selfie can be snapped in seconds,” he pointed out.
Lock down data. It’s important to store root biometric data locally on smartphones, tablets, and other devices whenever possible, rather than in a central repository. This reduces the odds of a massive data breach—and minimizes the repercussions of a breach. If the data must be stored on a server or in the cloud, it’s critical to encrypt the data and enable multifactor authentication for anyone and everyone accessing the system, including network and system administrators. Yet concerns about the root biometric data being exploited are generally out of proportion with the reality. “It is almost impossible to steal biometric data since it is a series of algorithmic and cryptographic numbers. It is completely useless to anyone trying to decode or replicate them,” Cook explained.
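The tiered policy described under “Use multifactor authentication” can be written down as a small decision function. The following is an added illustration, not code from the article or from any vendor quoted in it; the tier amounts, thresholds, and factor names are assumed values. It treats a biometric match as a confidence score that must clear a tier-specific threshold, requires device binding, and for higher-risk amounts demands a second, distinct factor (an OTP or a second biometric modality such as voice), so a single stolen credential or spoofed face is not enough on its own.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    FACE = "face"
    VOICE = "voice"
    FINGERPRINT = "fingerprint"
    OTP = "otp"  # text code or rolling code from an authenticator app


BIOMETRIC = {Factor.FACE, Factor.VOICE, Factor.FINGERPRINT}


@dataclass
class AuthContext:
    amount: float                 # transaction value, selects the risk tier
    device_bound: bool            # request came from an enrolled, bound device
    # Verified factors with their confidence: biometric matchers report a score
    # in [0, 1]; an OTP is either verified (1.0) or absent from the dict.
    factors: dict = field(default_factory=dict)


# Assumed tier table (constructed values): amount ceiling, minimum biometric
# confidence, number of distinct factors required.
TIERS = [
    (100.0, 0.90, 1),          # low risk: one biometric is enough
    (5000.0, 0.95, 2),         # medium: biometric plus a second factor
    (float("inf"), 0.98, 2),   # high: stricter score plus a second factor
]


def tier_for(amount: float) -> tuple:
    """Return (min_score, factors_required) for the transaction amount."""
    for ceiling, min_score, required in TIERS:
        if amount <= ceiling:
            return min_score, required
    raise AssertionError("TIERS must end with an open ceiling")


def authorize(ctx: AuthContext) -> tuple:
    """Decide a step-up request; every failure path denies, none downgrades."""
    if not ctx.device_bound:
        return False, "unbound device: biometric result cannot be trusted"
    min_score, required = tier_for(ctx.amount)
    # A probabilistic match only counts once it clears this tier's threshold.
    accepted = {f for f, score in ctx.factors.items() if score >= min_score}
    if not accepted & BIOMETRIC:
        return False, f"no biometric factor reached the {min_score:.2f} threshold"
    if len(accepted) < required:
        return False, f"{required} distinct factors required, {len(accepted)} accepted"
    return True, "allowed"
```

Note that an OTP alone never passes: the policy always requires at least one biometric factor above threshold, and the second factor only adds to it.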
To be sure, biometrics represents the future of security. “Biometric technology is now being used in so many different verticals—from aviation and automation, to insurance, education, financial services, and gaming,” Cook concluded. “It is becoming more mainstream every day, and, one way or another, it will be part of everything we do. Fraud levels will continue rising, so we must protect ourselves better. Biometrics is an extra layer of protection.”