Rethinking physical biometrics: what you don’t know can hurt you
This is a guest post by Ryan Wilk, vice president of customer success at NuData Security.
Biometrics seems to be all the rage right now. It seems like almost every day another financial institution or other organization is announcing their adoption of some sort of biometric technology.
First it was all about fingerprints, then iris prints and voice recognition. Analyst firm Technavio recently released a report forecasting the growth of palm vein biometrics. Other organizations are looking to “selfie”-based facial recognition, even the human heartbeat and brain waves. In fact, the term biometrics has become an industry buzzword.
With the number of data breaches continuing to rise, it’s no wonder that organizations are increasingly looking to human biometric characteristics as a supplement to standard, but weak, single-factor authentication schemes that have historically relied on a password to validate rightful owners.
The attractions of this individualized authentication data are clear, both to organizations and to cyber criminals. As such technology is increasingly proposed and used in online and offline transactions, it is rapidly becoming an area of concern from a data privacy and security perspective. While the use of physical biometric factors has been a boon for physical security (where the person to be authenticated is physically present for enrollment and for each subsequent authentication), many of those factors quickly lose effectiveness in an online world.
The first consideration for companies thinking of using this type of data is that using only one physical biometric data point to authenticate a user is essentially the same as adding a static second password – albeit one that can never be changed if compromised. The second and more significant consideration is that these data points can be captured and, in some cases, reused.
At first blush, it would seem like only a positive thing that a person’s physical biometric attributes can never be changed. However, privacy and identity concerns arise in the scenario where a malicious actor obtains a high-quality reproduction of a biometric element. Case in point: just this past September, 22 million people had their personal information compromised in a massive data breach, and included in that breach were 5.6 million fingerprints stolen from the Office of Personnel Management. At that time, OPM downplayed the importance of the stolen fingerprints, while conceding: “However, this probability could change over time as technology evolves.”
Now, there is a cheap and easy way to print out an image of a fingerprint with enough accuracy to fool commercially available fingerprint readers—using just a standard inkjet printer.
Compromised biometric data can be used in a number of ways to access accounts without the user being present. The infamous gummy bear attack used against a newly released product with embedded fingerprint scanning, for example, was a variation on a well-known physical hack against in-person fingerprint scanners dating back to 2002.
There is a danger in the trend of including a physical biometric in multi-factor authentication: the real potential that criminals will shift their focus to obtaining the biometric identifier itself, with violence. For this reason alone, many companies are steering well clear of using physical biometrics.
Fortunately, not all types of biometrics used to authenticate online interactions are the same. A much less invasive, and more consumer-friendly, technique leverages signals generated by the way in which a human interacts with the world around them. When taken in aggregate, such behavioral signals are highly effective at identifying repeat good users, are self-enrolling and are tolerant of changes in the patterns presented as a user’s behavior naturally changes over their lifetime.
An illustration is in order here. Think about how you use your smart phone to interact with a website or application. Do you realize that you have a unique way of holding your mobile device that’s different from other people, if only slightly? Does your phone tilt a little to the left? Do you normally hold your phone in portrait or landscape mode? Do you use your index fingers or thumbs to type? How hard do you press on the screen when you hit each key?
Aggregating hundreds of these human and interaction signals creates a unique signature for each authentic user. This method is called behavioral biometrics. Using these subtle signals and unique signatures, organizations can easily identify when the account owner is not the one attempting to authenticate, even if the correct login and password are used in conjunction with the authentic account holder’s computer or mobile device.
Contrary to the physical biometric factors mentioned above, behavioral signals that make up a behavioral biometric profile cannot be stolen, duplicated or reused – so they have no value to criminals. In the event that a high-fidelity copy of an authentic user interaction was to be made, the mere attempt to replay the past interaction would in itself be an anomaly that is out of pattern for any human user.
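The two preceding paragraphs describe the mechanics in outline: aggregate interaction signals into a per-user signature, compare each new session against it, and treat a verbatim replay of a past interaction as an anomaly in its own right. The following Python is an added illustration of those two checks on constructed data; it is not NuData's code, and the feature names (key hold time, inter-key latency, device tilt, touch pressure), the sample sessions, the z-score distance and the 3.0 threshold are all illustrative choices made for this example.

```python
"""Added example: a minimal behavioral-biometric profile with replay detection.

All sessions below are constructed sample data, not recordings. Each session is
a list of [key_hold_ms, inter_key_ms] keystroke events plus a device tilt and a
touch pressure. A profile is the per-feature mean and standard deviation over
the user's enrolled sessions; a new session is scored by its RMS z-score
distance from that profile, and any exact copy of a previously seen raw event
sequence is reported as a replay before its features are even looked at.
"""
from __future__ import annotations

import hashlib
import json
import math
from dataclasses import dataclass, field

FEATURES = ("key_hold_ms", "inter_key_ms", "tilt_deg", "pressure")
THRESHOLD = 3.0  # illustrative: RMS z-score above this is out of pattern

# Constructed enrolment data for one hypothetical user.
ENROLLED_SESSIONS = [
    {"events": [[100, 180], [96, 190], [104, 200]], "tilt_deg": -7.0, "pressure": 0.48},
    {"events": [[98, 185], [102, 195], [97, 175]], "tilt_deg": -6.0, "pressure": 0.45},
    {"events": [[101, 200], [105, 190], [97, 210]], "tilt_deg": -8.0, "pressure": 0.51},
    {"events": [[103, 188], [99, 192], [98, 184]], "tilt_deg": -7.0, "pressure": 0.46},
]
# A fresh session by the same user (constructed): same habits, new timings.
GENUINE_SESSION = {"events": [[99, 186], [101, 194], [100, 190]], "tilt_deg": -7.5, "pressure": 0.49}
# Someone else holding the same device (constructed): different rhythm and grip.
IMPOSTER_SESSION = {"events": [[60, 300], [65, 310], [58, 290]], "tilt_deg": 3.0, "pressure": 0.80}


@dataclass
class Profile:
    mean: dict[str, float]
    std: dict[str, float]
    seen_hashes: set[str] = field(default_factory=set)  # raw sequences already observed


def session_hash(session: dict) -> str:
    """Hash of the raw event sequence; identical sequences mean a verbatim replay."""
    raw = json.dumps(session["events"], sort_keys=True).encode()
    return hashlib.sha256(raw).hexdigest()


def extract_features(session: dict) -> dict[str, float]:
    """Reduce one session to the per-session signals the profile is built from."""
    holds = [e[0] for e in session["events"]]
    gaps = [e[1] for e in session["events"]]
    return {
        "key_hold_ms": sum(holds) / len(holds),
        "inter_key_ms": sum(gaps) / len(gaps),
        "tilt_deg": float(session["tilt_deg"]),
        "pressure": float(session["pressure"]),
    }


def enroll(sessions: list[dict]) -> Profile:
    """Self-enrolment: the profile is simply the statistics of past sessions."""
    feats = [extract_features(s) for s in sessions]
    mean = {f: sum(x[f] for x in feats) / len(feats) for f in FEATURES}
    std = {}
    for f in FEATURES:
        var = sum((x[f] - mean[f]) ** 2 for x in feats) / len(feats)
        std[f] = max(math.sqrt(var), 1e-3)  # floor keeps a constant feature from dividing by zero
    return Profile(mean, std, {session_hash(s) for s in sessions})


def score(profile: Profile, session: dict) -> tuple[str, float]:
    """Return (verdict, distance); verdict is 'replay', 'match' or 'anomaly'."""
    h = session_hash(session)
    if h in profile.seen_hashes:
        return "replay", float("inf")  # a perfect copy of a past interaction is itself anomalous
    profile.seen_hashes.add(h)  # remember it, so a later copy of this session is caught too
    feats = extract_features(session)
    z = [(feats[f] - profile.mean[f]) / profile.std[f] for f in FEATURES]
    dist = math.sqrt(sum(v * v for v in z) / len(z))  # RMS z-score across features
    return ("match" if dist <= THRESHOLD else "anomaly"), dist


if __name__ == "__main__":
    profile = enroll(ENROLLED_SESSIONS)
    for label, s in [("enrolled session again", ENROLLED_SESSIONS[1]),
                     ("genuine new session", GENUINE_SESSION),
                     ("genuine session replayed", GENUINE_SESSION),
                     ("imposter session", IMPOSTER_SESSION)]:
        verdict, dist = score(profile, s)
        print(f"{label:26s} -> {verdict:8s} distance={dist:.2f}")
```

Four enrolled sessions and four hand-picked signals make the toy profile far tighter than a real one; a production system aggregates hundreds of signals over many sessions and calibrates its threshold against observed drift, which is what lets it tolerate the gradual change in a user's behavior the article mentions. The replay check is deliberately placed before the feature comparison: a recorded interaction scores as a perfect match on features, so it can only be caught by noticing that it has been seen before.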
In addition, this kind of data collection is frictionless for the user; they do not have to enter, enroll in or provide any additional information to a website or application to benefit from its protection. They simply keep doing what they are used to doing: interacting with the sites and services as they always have. A true seamless experience.
There’s no question that more secure authentication methods are needed today. Physical biometrics seem like a good idea, until you realize that they can be digitally stolen and reused fraudulently, leaving the owner of that biometric with no recourse. Fortunately, behavioral biometrics has emerged as a reliable alternative for online user authentication. Data collection is non-invasive and the data cannot be faked, creating an authentication process that reduces risk for both the company and the user.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.