Rethinking physical biometrics: what you don’t know can hurt you
This is a guest post by Ryan Wilk, vice president of customer success at NuData Security.
Biometrics seems to be all the rage right now. It seems like almost every day another financial institution or other organization is announcing their adoption of some sort of biometric technology.
First it was all about fingerprints, then iris prints and voice recognition. Analyst firm Technavio recently released a report forecasting the growth of palm vein biometrics. Other organizations are looking to “selfie”-based facial recognition, even the human heartbeat and brain waves. In fact, the term biometrics has become an industry buzzword.
With the number of data breaches continuing to rise, it’s no wonder that organizations are increasingly looking to human biometric characteristics as a supplement to standard, but weak, single-factor authentication schemes that have historically relied on a password to validate rightful owners.
The attractions of this individualized authentication data are clear – both to organizations and to cyber criminals. As such technology is increasingly proposed and used in online and offline transactions, it is rapidly becoming an area of concern from a data privacy and security perspective. While the use of physical biometric factors has been a boon for physical security – where the person to be authenticated is physically presenting themselves for enrollment and subsequent authentication – many factors quickly lose effectiveness in an online world.
The first consideration for companies thinking of using this type of data is that using only one physical biometric data point to authenticate a user is essentially the same as adding a static second password – albeit one that can never be changed if compromised. The second and more significant consideration is that these data points can be captured and, in some cases, reused.
At first blush, it would seem like only a positive thing that a person’s physical biometric attributes can never be changed. However, privacy and identity concerns arise around the scenario of a high-quality reproduction of a biometric element being obtained by a malicious actor. Case in point: just this past September, 22 million people had their personal information compromised in a massive data breach. Included in that breach were 5.6 million fingerprints stolen from the Office of Personnel Management. At the time, OPM downplayed the importance of the stolen fingerprints, while adding: “However, this probability could change over time as technology evolves.”
Now, there is a cheap and easy way to print out an image of a fingerprint with enough accuracy to fool commercially available fingerprint readers—using just a standard inkjet printer.
Compromised biometric data can be used in a number of ways to access accounts without the user being present. The infamous gummy bear attack used against a newly released product with embedded fingerprint scanning, for example, was a variation on a well-known physical hack of in-person fingerprint scanners dating back to 2002.
There is a danger in the trend to include a physical biometric in multi-factor authentication – the real potential for criminals to shift their focus to obtaining the biometric identifier itself, with violence. For this reason alone, many companies are steering well clear of using physical biometrics.
Fortunately, not all types of biometrics used to authenticate online interactions are the same. A much less invasive, and more consumer-friendly, technique leverages signals generated by the way in which a human interacts with the world around them. When taken in aggregate, such behavioral signals are highly effective at identifying repeat good users, are self-enrolling and are tolerant of changes in the patterns presented as a user’s behavior naturally changes over their lifetime.
An illustration is in order here. Think about how you use your smart phone to interact with a website or application. Do you realize that you have a unique way of holding your mobile device that’s different from other people, if only slightly? Does your phone tilt a little to the left? Do you normally hold your phone in portrait or landscape mode? Do you use your index fingers or thumbs to type? How hard do you press on the screen when you hit each key?
Aggregating hundreds of these human and interaction signals creates a unique signature for each authentic user. This method is called behavioral biometrics. Using these subtle signals and unique signatures, organizations can easily identify when the account owner is not the one attempting to authenticate, even if the correct login and password are used in conjunction with the authentic account holder’s computer or mobile device.
Contrary to the physical biometric factors mentioned above, the behavioral signals that make up a behavioral biometric profile cannot be stolen, duplicated or reused – so they have no value to criminals. In the event that a high-fidelity copy of an authentic user interaction were to be made, the mere attempt to replay the past interaction would in itself be an anomaly that is out of pattern for any human user.
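To make the aggregation-and-comparison idea in the three preceding paragraphs concrete, here is an added toy example in Python. It is not NuData’s code or algorithm and not part of the original post: the five interaction signals, the spread floors, the anomaly threshold and the enrollment sessions are all assumptions constructed for illustration. A profile is built from the owner’s own past sessions (self-enrolling), a new session is scored by how far it sits from that baseline, and an exact copy of an earlier session is flagged as a replay before any distance is even computed.

```python
"""Toy behavioral-biometric scorer: enroll a user's interaction signals,
then flag sessions that are out of pattern or that replay a past session.
Illustration only, not NuData's product or any vendor's algorithm."""
import hashlib
import statistics

# Hypothetical per-session interaction signals (names are assumptions):
#   tilt_deg      device tilt in degrees, negative = leans left
#   landscape     1.0 if held in landscape, 0.0 if portrait
#   pressure      mean touch pressure on keypress, 0..1
#   inter_key_ms  mean time between keystrokes in milliseconds
#   thumb_ratio   share of keystrokes typed with thumbs, 0..1
SIGNALS = ("tilt_deg", "landscape", "pressure", "inter_key_ms", "thumb_ratio")

# Floor on each signal's spread so a very consistent user does not make
# every tiny deviation look enormous (values chosen for this example).
MIN_SD = {"tilt_deg": 1.0, "landscape": 0.25, "pressure": 0.05,
          "inter_key_ms": 10.0, "thumb_ratio": 0.05}

ANOMALY_THRESHOLD = 3.0  # mean |z| above this is treated as "not the owner"


def fingerprint(session):
    """Stable hash of a session's signal vector, used to spot exact replays."""
    canon = ",".join(f"{k}={session[k]:.6f}" for k in SIGNALS)
    return hashlib.sha256(canon.encode()).hexdigest()


class BehavioralProfile:
    """Self-enrolling profile: every accepted session refines the baseline."""

    def __init__(self):
        self.history = []   # accepted sessions (signal dicts)
        self.seen = set()   # fingerprints of accepted sessions

    def enroll(self, session):
        self.history.append(dict(session))
        self.seen.add(fingerprint(session))

    def distance(self, session):
        """Mean absolute z-score of the session against the enrolled baseline."""
        if not self.history:
            raise ValueError("profile has no enrolled sessions")
        total = 0.0
        for k in SIGNALS:
            values = [s[k] for s in self.history]
            mu = statistics.fmean(values)
            sd = max(statistics.pstdev(values), MIN_SD[k])
            total += abs(session[k] - mu) / sd
        return total / len(SIGNALS)

    def score(self, session):
        """Return (verdict, distance) where verdict is 'replay', 'anomalous' or 'match'."""
        if fingerprint(session) in self.seen:
            # A bit-for-bit copy of a past interaction is itself out of pattern.
            return "replay", float("inf")
        d = self.distance(session)
        if d > ANOMALY_THRESHOLD:
            return "anomalous", d
        return "match", d


def _session(tilt, landscape, pressure, inter_key, thumb):
    return dict(zip(SIGNALS, (tilt, landscape, pressure, inter_key, thumb)))


# Constructed enrollment history for one owner: phone tilts slightly left,
# portrait mode, moderate pressure, ~180 ms between keys, types with thumbs.
OWNER_SESSIONS = [
    _session(-4.0, 0.0, 0.60, 180.0, 0.90),
    _session(-3.5, 0.0, 0.62, 175.0, 0.92),
    _session(-4.5, 0.0, 0.58, 185.0, 0.88),
    _session(-4.2, 0.0, 0.61, 178.0, 0.91),
    _session(-3.8, 0.0, 0.59, 182.0, 0.89),
    _session(-4.1, 0.0, 0.60, 181.0, 0.90),
]


def build_owner_profile():
    profile = BehavioralProfile()
    for s in OWNER_SESSIONS:
        profile.enroll(s)
    return profile


def demo():
    """Score three constructed sessions against the owner's profile."""
    profile = build_owner_profile()
    return {
        # The owner again, on a normal day.
        "owner_new_session": profile.score(_session(-3.9, 0.0, 0.61, 179.0, 0.91)),
        # Someone else holding the owner's device with the correct password.
        "stranger_with_password": profile.score(_session(6.0, 1.0, 0.85, 120.0, 0.20)),
        # An exact copy of one of the owner's earlier sessions.
        "replayed_session": profile.score(OWNER_SESSIONS[2]),
    }


if __name__ == "__main__":
    for name, (verdict, d) in demo().items():
        print(f"{name:24s} {verdict:10s} distance={d:.2f}")
```

The exact-hash replay check is a deliberate simplification: a production system would look for near-duplicates and for timing patterns no human produces, and would weigh hundreds of signals rather than five. The point the example shows is the shape of the defense: the baseline is learned from the owner’s own behavior with no enrollment step, and a captured copy of that behavior is useless precisely because it is identical.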
In addition, this kind of data collection is frictionless for the user; they do not have to enter, enroll in or provide any additional information to a website or application to benefit from its protection. They simply keep doing what they are used to doing: interacting with the sites and services as they always have. A truly seamless experience.
There’s no question that more secure authentication methods are needed today. Physical biometrics seem like a good idea – until you realize that they can be digitally stolen and re-used fraudulently, leaving the owner of that biometric with no recourse. Fortunately, behavioral biometrics has emerged as a reliable alternative for online user authentication. Data collection is non-invasive and the data cannot be faked, creating an authentication process that reduces risk for both the company and the user.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.