Touch ID and Face ID: Real biometrics or not?
By Mike Engle, Chief Strategy Officer at 1Kosmos
Every organization is exposed to cyber attacks: by one widely quoted count, 2,200 organizations are attacked each day, and 80 percent of companies and agencies report having experienced employee identity fraud. One of the most common weaknesses behind these attacks is simple: poor password management. Whether a company uses one trivial password to log into everything or employees constantly forget their passwords and cycle through resets, weak credential handling is a leading cause of identity fraud.
Cyber security professionals constantly weigh strong protection for their clients against convenience for employees. After all, minutes spent on every login to email or the internal network add up to wasted time. Enterprises of all sizes face serious exposure today, especially with a growing remote and digital workforce. Fear not, there is a better way: biometric identity proofing.
This is not the Face ID or Touch ID most people think of when they hear the term “biometric ID.” Face ID and Touch ID are a reasonable layer of security for a personal device, but for enterprises holding classified or sensitive data they lack a critical backing: a link to a real, verifiable identity. Both are local user-verification mechanisms. The biometric template never leaves the device and is protected by the device passcode set at enrollment, and an application only learns that whoever is enrolled on that device passed the check. Anyone who obtains the passcode can enroll their own face or fingerprint, after which the biometric says nothing about the original user, and the organization is back to square one with the same vulnerabilities. So, how can companies make sure they are protected?
The Password Problem: Exposing Vulnerabilities with SSO & MFA Systems
To understand why a proper biometric is the answer, one must first understand why passwords are a problem. Over 81 percent of hacking-related breaches involve weak or stolen passwords. Many organizations believe that single sign-on (SSO) and multi-factor authentication (MFA) are enough to protect them, but this is a misconception. Attackers get past both by tricking the end user (a real-time phishing page relays a one-time code or push prompt just as easily as a password) or by guessing passwords from publicly available information. The intrusions that followed the SolarWinds compromise are an example of the SSO layer itself being subverted: the attackers stole federation signing keys and forged SAML tokens, so the SSO system issued valid sessions and MFA was never challenged.
In short, organizations that stop at SSO and MFA are relying on “hope based” strategies: they acknowledge the inherent weaknesses of usernames and passwords but hope those weaknesses are never exploited. Password sharing and password reuse are two of the top causes of password compromise, and no control can guarantee they will not happen.
What can companies do given these obstacles? A biometric that is bootstrapped from a password inherits the password’s weaknesses and adds no identity assurance of its own. Advances in biometric technology and the adoption of stringent industry standards have made passwordless biometric ID proofing a viable option for organizations of any size, and it is easier to incorporate than many believe.
“Real” Biometrics for Passwordless
There are several ways to address the missing identity behind device-based biometrics. One increasingly common method is to use the smartphone camera to link a person to a real identity. In 2017, NIST published Special Publication 800-63-3, whose identity-proofing volume (SP 800-63A) defines how to establish trust in someone’s identity remotely at a given Identity Assurance Level. The concept is straightforward: the user presents identity evidence (for example a driver’s license bearing a photo), the document is validated as genuine, and the portrait on it is matched to a live “selfie” captured with the phone camera. Both checks must pass.
These documents are what make the authentication accurate. Rather than a password standing behind a Face ID or Touch ID, the user’s face is compared against a real, verified document. A critical step is to store the enrolled “selfie” (a short video rather than a still, so that liveness can be checked and a photograph cannot be replayed) encrypted under a key that only the user’s device holds; it then becomes the reference every later login is matched against. This is the same principle the FIDO Alliance standards are built on, which is why device-bound keys are becoming so popular: a successful live match unlocks a private key that signs the server’s challenge, and the server verifies the signature with the public key it bound to the proofed identity at enrollment. Any time you need to truly prove who is authenticating, you ask the user to look into the camera and match the live image against the enrolled one. The end result is a process as simple as traditional Face ID or Touch ID, but substantially more secure.
Playing Catch-Up: Where to Implement Biometrics Now
At both the enterprise and consumer level, standards-based biometric ID proofing and passwordless authentication can remove a substantial class of security issues. Consider TOFU, the industry acronym for “Trust on First Use.” Traditionally, when a new app is installed or a new computer is set up, it asks for a username and password once, and only then allows passwordless methods to operate, so the whole chain of trust is rooted in that single password entry. FIDO-based passwordless authentication combined with the NIST 800-63-3 identity proofing described above removes that password-based root. Typically the user scans a QR code shown by the requesting system or web page; this opens a secure channel to the phone, the user presents their real biometrics, and the login completes without touching the keyboard. There are no codes to fetch, and it works on any system that can display a QR code. The check a practitioner should insist on is that the phone’s response is bound to the relying party and to the session it was shown for, so the response cannot be redirected to a different site or session.
What Happens Next?
The challenge in adopting new technology like standards-based biometrics is undoing decades of belief that usernames and passwords can be continually improved, rather than acknowledging that they are inherently flawed. Cyber security professionals often grapple with the balance between strong protection and simple access. Most employees are used to providing a username and password, receiving an SMS code or other form of one-time password, and even answering security questions. A full shift to biometrics will take time, but it is well under way.
Gartner predicts that 80 percent of organizations will include document and identity verification in their onboarding process, and that 60 percent of large enterprises and 90 percent of midsize enterprises will implement passwordless methods in the near future. President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity (EO 14028) likewise calls for stronger forms of authentication and encourages the private sector to make it a top priority for their own cybersecurity.
The time is now: having advanced biometric controls in place establishes a proper strategy to mitigate cyber attacks, identity fraud, and the weakness of usernames and passwords. Organizations that fail to ramp up their security will remain prone to more attacks and greater exposure.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.