Understanding Biometric Security: The Growing Threats and How to Beat Them
Biometric authentication is convenient, but privacy advocates fear biometric security erodes your privacy.
People prefer biometric security authentication to passwords because PINS and passwords readily get hacked and are challenging to remember. While passwords are the current “what you know” method, your physical characteristics are "what you are."
And there's only one you. (Read New Advances in Biometrics: A More Secure Password.)
But, picture this: a four-year-old child noticed that Amazon dropped gifts on their doorstep after her mother swiped her pinkie on the iPad's touchpad. So, the child used her sleeping mother's pinkie to unlock the device and, going to Amazon.com, one-clicked that beautiful pink bike.
True story. Incidents like that happen all the time. (Read How Passive Biometrics Can Help in IT Data Security.)
Gartner, a leading research and advisory company, claims certain physical and behavioral characteristics, like your facial features or the way you type, are more secure than your password.
In contrast, critics count millions of data breaches and they're growing every day.
What is Biometric Security and How Is It Used?
Over the last decade, scientists unleashed various biometric verification identifiers to dramatically improve enterprise security.
The most common biometric identifiers are:
Used to unlock door panels, devices or computers of approved users, among other user cases.
More specifically the iris, sclera or retina, where devices equipped with cameras scan the unique patterns of your eyes.
For example, prompt server room doors to swing open automatically when cameras recognize the faces of trusted system administrators.
More recently, researchers at the University of Buffalo developed a way that you can use heartbeats for your new pass-code, while, at the same time, a $1,000 pocket-sized scanner hit the market for scanning DNA.
According to a recent Ping Identity survey, 92% of IT and security respondents rated biometric authentication as two of the top five most effective security controls, and 80% said it is effective for protecting data stored in a public cloud.
Around the same time, a Spiceworks survey reported that 62% of companies are already using biometric authentication, and another 24% plan to deploy it within the next two years.
How Reliable is Biometric Authentication?
The Amazon-grubbing child is one of scores of incidents that plays havoc with biometrics authentication. Two years ago, on a Qatar Airways flight a woman used her husband’s fingerprint to unlock his phone while he was asleep, to divulge his infidelity.
For well over a decade, I have been outspoken against the widespread use of fingerprints and most other forms of biometric authentication as a means for authenticating people – among the serious problems with such schemes are the fact that biometric information is not secret (you leave your fingerprints on everything that you touch, and often show them in pictures, for example).
You want to know the cheapest simplest fastest way to crack into your boss’ iPad? Use play-dough.
And look for high-definition photos where your boss high-fives, makes the Vulcan peace sign or raises his hand to ask a question — just like the hacker who recreated a German minister’s fingerprints using photos of her hands in 2014.
There are bundles of other tricks that include researchers using voice scanners to impersonate your voice, iris scanners that match your retinas and face scanners that trick facial recognition login with photos from, say, Facebook — even 3D-printed heads.
Aside from that, facial recognition devices can readily be fooled by false positives, such as if your voice is hoarse, you switch hair-styles, you wear sunglasses, or don a mask for Halloween.
So, fingerprints, voices and faces are out, but so, too, are heart-beats, DNA, body odors, and eyes. If they get compromised, you can't just roll out your eyeball and replace it with another…
How Secure is Biometric Authentication Data?
Biometric authentication is convenient, but privacy advocates fear biometric security erodes your privacy. Companies could easily collect and exploit your data on, say, where and when you typically use your phones.
Hackers could replicate and sell these biometrics for tracking and marketing your behavior and movements. As Robert Capps, VP of Business Development at NuData Security warns, “Once biometric data is stolen and resold on the Dark Web, the risk of inappropriate access to a user’s accounts and identity will persist for that person’s lifetime.”
Had you been interested, you could have bought the personal data of more than one million citizens of India on WhatsApp for less than $10.
So How Can Your Business Make Biometrics Authentication More Secure?
Susan Rebner, CEO of Cyleron, national security company, said she believes that's the next step and something her company's working on.
For example: devices analyze the way typists slide their fingers across desktops while sliding doors discern the person's stride; computers kick up at a person's finger impact on the keyboard, while mobiles recognize a user's hand tremor when punching numbers, among other items.
Other methods include speech recognition (used, for example, by USAA’s mobile app) , well as signature verification (used, for instance, by banks on letterheads and other documents).
Any user behavior that veers from their norms and the device or system locks those users out.
You can protect passwords by hashing them into chains of digits and letters. Scientists say you can do the same with biometrics, encrypting them on a secure server.
In an interview for Biometric Update, Infinity’s CEO Alfred Chan said their company's Quantum-Crypt technology developed hashed solutions for iris, fingerprints, and 2D face modalities, and is now exploring 3D modalities.
You can combine biometrics authentication with blockchain technology, or the decentralized ledger, where platforms are open-ended and shared by other participants. (Read Can the Blockchain Be Hacked?)
This means, any attempt to modify the data is detected by other users who subscribe to the platform.
While behavioral biometrics seems the most secure by far, analysts warn that the system needs to be regulated for data privacy and security and that the method needs broader testing to screen out false positives or false negatives.
On blockchain technology and hashed biometrics, MIT researchers recently showed how hackers could breach the allegedly "unhackable" blockchains.
Certainly, the same goes for cracking your hashed password to retrieve those biometrics.
What About Regulations for Data Privacy?
Europeans have the General Data Protection Regulation (GDPR) that gives consumers protection over their personal data — including biometrics. (Read How Cybercriminals Use GDPR as Leverage to Extort Companies.)
The U.S., to date, only has a hodgepodge of overlapping and contradictory laws from industry groups and federal as well as local government agencies - and that's despite its June 2015 hack of the US Office of Personnel Management where cybercriminals pilfered more than 5.6 million fingerprints of government officials.
The Best Solution for a Foolproof Biometrics System
If you're a business that wants to use biometrics authentication to shield your data, you're likely to benefit from this 1-2-3 proactive approach.
Fix #1: Practice simple workplace security
Regularly educate your staff on the biometrics security system you use and on how to ensure data privacy. You would also want to use strong passwords and store your biometrics in three places at best. Further, keep your operating system and Internet security software current so hackers can't crack it.
Fix #2: Use multi-factor security
For greater security, use a combo of identifiers, so, for example, add fingerprints to facial recognition, like the new LG V30 smartphone that combines facial and voice recognition with fingerprint scanning. Some security systems also include additional features, such as age, gender, and height, in biometric data to thwart hackers.
Fix #3: Put a human in the loop.
Humans can dupe facial scanners by wearing a mask or makeup. Add a human to your security checkpoint for ultimate security.
Oh, and by the way...
You may want to observe the Illinois 2008 Biometric Information Privacy Act, where a company that collects its employees’ data must notify them on how the data will be used and stored and get their consent. Doing so saves you from privacy lawsuits from employees and customers whose biometric data you store.
Hackers are always going to be one step ahead of you.
Beat them to the trick by combining passwords with biometrics authentication systems and putting humans in the loop to improve security.
Also remember those privacy concerns.
While biometrics authentication technology is not foolproof, you may find it gives you less problems than passwords - as long as you keep on top of the system.