Why We Keep Getting Biometrics Wrong

CDOs note: the weakness of biometrics lies in its strength.

With the rise of cyberattacks, Gartner has forecast that global spending on cybersecurity will exceed USD 124 billion this year. By 2020, the number of passwords used by humans and machines worldwide is predicted to reach 300 billion.

Not surprisingly, more organizations, including governments, are turning to biometrics to support multi-factor authentication, replace passwords, and more.

As Shay Nahari, head of Red-Team services at CyberArk, pointed out, “Traditional authentication methods like credentials and passwords can get compromised. In biometrics, you can't change your fingerprints, your facial features - this is an underlying strength of biometrics."

Indeed, biometrics is basically a “high-level term” to cover multiple types of unique authentication based on the physical characteristics of a human. They include facial recognition, retinal scans, or any set of characteristics that cannot be forged or separated easily.

“The skill sets required for a hacker to get these levels of access are much higher than simply hacking passwords,” added Nahari.

However, Nahari was quick to highlight that the strength of biometrics as unchangeable passwords is also its weakness. “Because once those characteristics are compromised, there is not really any way to change them. Hence, it is of paramount importance to control access to them.”

The Shift

To this end, on the consumer front, biometric authentication technology in devices such as mobile phones has evolved quickly. In first-generation scans on mobile phones, it was possible to use a photograph to bypass facial recognition and obtain a false positive.

Very quickly, different types of scanners were incorporated to recognize an actual human being through characteristics specific to living humans, such as pulse rate and facial movement.

The heavy dependence on mobile phones has resulted in commercial applications relying on these devices to perform authentication. For example, in the U.S. and Asia, when a bank application on a mobile phone requires authentication, it relies on the phone's hardware to authenticate the individual.

Mobile phones have specific hardware, separate from the rest of the device, where biometric information is stored and which controls access to this data. Only the device has access to that information, and any application or service that requires authentication does that through the device.

Hence, biometric information does not need to be submitted to every single commercial entity requiring authentication. This is an ideal consumer authentication solution in that it prevents the biometric data from ever leaving the consumer device, creating an interesting shift of commercial authentication and authorization onto the consumer.
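The on-device flow described above, as an added example that is not from the article or from CyberArk: a Python model in which a constructed "secure hardware" class keeps the enrolled template and a per-service key private and only ever releases an HMAC over the service's challenge; the bank service verifies that assertion and rejects replays, without ever receiving the scan. For brevity it assumes a symmetric key shared at enrollment; production platforms use asymmetric device-bound keys (for example FIDO2), but the property shown is the same.

```python
import hashlib, hmac, secrets
from typing import Dict, Optional, Set
class SecureHardware:
    """Isolated biometric hardware on a phone (constructed model): template and keys never leave."""
    MAX_MISMATCH_BITS = 6  # live scans never match a template exactly; allow a small tolerance
    def __init__(self, enrolled_template: bytes) -> None:
        self.__template = enrolled_template  # no public accessor, by design
        self.__service_keys: Dict[str, bytes] = {}

    def enroll_service(self, service_id: str) -> bytes:
        # Device-bound key for one service; assumed handed over once via a trusted channel.
        key = secrets.token_bytes(32)
        self.__service_keys[service_id] = key
        return key

    def _matches(self, live_scan: bytes) -> bool:
        if len(live_scan) != len(self.__template):
            return False
        differing = sum(bin(a ^ b).count("1") for a, b in zip(live_scan, self.__template))
        return differing <= self.MAX_MISMATCH_BITS

    def authenticate(self, service_id: str, challenge: bytes, live_scan: bytes) -> Optional[bytes]:
        # Returns an assertion over the challenge if the live scan matches; the scan itself never leaves.
        key = self.__service_keys.get(service_id)
        if key is None or not self._matches(live_scan):
            return None
        return hmac.new(key, service_id.encode() + b"|" + challenge, hashlib.sha256).digest()

class BankService:
    """Relying party: holds only the device-bound key, never any biometric data."""
    def __init__(self, service_id: str, device_key: bytes) -> None:
        self.service_id, self._device_key = service_id, device_key
        self._outstanding: Set[bytes] = set()  # challenges issued but not yet used

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        if challenge not in self._outstanding:  # unknown or already used: replay rejected
            return False
        self._outstanding.discard(challenge)
        msg = self.service_id.encode() + b"|" + challenge
        return hmac.compare_digest(hmac.new(self._device_key, msg, hashlib.sha256).digest(), assertion)

def login(device: SecureHardware, service: BankService, live_scan: bytes) -> bool:
    # One round trip: the service only ever sees the challenge and the assertion, never the scan.
    challenge = service.new_challenge()
    assertion = device.authenticate(service.service_id, challenge, live_scan)
    return assertion is not None and service.verify(challenge, assertion)
```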

The Government Play

Adoption of biometric authentication differs between regions. In the U.S. and Europe, it is driven more by consumer devices and less by government entities, a result of regulations and privacy laws. In the Asia Pacific, we see more biometrics adoption on both the commercial and government fronts.

The most prevalent uses of biometric authentication in government and the public sector are at border crossings. Unfortunately, there is no way around handing biometric information to external entities here. When an individual crosses a border, his or her fingerprints and facial data are captured and compared with the previous sets of information that entity holds in government repositories.

For nation-level access, there is obviously a need to store that information safely. Here, different countries take different approaches. One of the most common is to have a dedicated data repository on separate infrastructure, and to use best practices for storing and encrypting data, both at rest and in transit. It is also imperative to treat biometrics as a different type of data - data whose theft is irreversible.

Staying Ahead

Currently, 94% of cyberattacks in the U.S. involve some credential theft. There is a huge need to look at how credentials are being used every day across enterprises.

Once identity theft happens, the level of risk and damage could be anywhere from financial loss to having your identity forged to commit crimes.

Nahari emphasized that at CyberArk, privileged accounts are managed and rotated, with a powerful authentication gatekeeper placed in front of those credentials in one heavily secured location. This is in contrast to traditional organizations where you have hundreds or thousands of privileged accounts on user workstations.

"We've now mitigated the risk and limited the attack surface to a single very 'strong' location, which is much easier to protect, secure and monitor, since everything done using that privileged access is recorded," stressed Nahari.

He also saw human DNA information leaks at commercial companies dealing with ancestry as potentially worrisome. If security is breached and DNA samples and information are stolen, the impact could be huge as there would be no other way for individuals to control how that information is being used.

With biometric authentication becoming increasingly popular, shrewd management of these privileges and credentials that can give access will become increasingly crucial.