How not to trust, the end of passwords and controlled illumination: biometrics at the EIC
The inadequacies of multi-factor authentication as people around the world mix home and office work, how to make zero trust achievable, and the vulnerabilities of liveness detection combined with facial recognition were among the biometric and digital security topics discussed by speakers today at the European Identity and Cloud Conference 2021, being held this week in Munich.
The conference, organized by the information security analyst firm KuppingerCole, spans blockchain best practice, digital transformation, and artificial intelligence and machine learning in security. Biometric Update is bringing an overview of the topics covered via a selection of talks and panels.
Revelock: Standardized behavioral biometrics for continuous zero trust
Standardizing behavioral biometrics would make them easier to incorporate as one of several sources for the continuous verification of a user, according to Mateusz Chrobok, VP of Innovation at Revelock (formerly buguroo).
Chrobok notes that many enterprises now see their customers only through data – phone, browser, device fingerprinting – and never in real life, which means they are relying on data sources that can be unreliable. No single element, or engine, of data can be trusted on its own, he argues; multiple engines must be used simultaneously and continuously. To keep pace with threats, they must also be continuously retrained to remain effective.
Behavioral biometrics on their own should not be trusted, as they can be spoofed. They can be used alongside behavioral analytics (how a user navigates an interface), but the overall analytics need to constantly monitor a range of sources, or engines, to determine how risky the current behavior or action is.
“To eliminate trust in any one engine, you need to connect them to see how they relate from the perspective of the time-series, of the data,” says Chrobok.
Simply having more data on an individual will not necessarily solve the problem, explains Chrobok, and can bring further privacy implications. A device’s gyroscope and accelerometer can be used to determine a person’s PIN as they enter it; they could also be hacked and combined to work as a type of microphone. Wireless earbuds could be hacked to collect voice, or even to determine the wearer’s gait.
“There are no standardized datasets especially for behavioral biometrics. For biometrics there are ISO standards and so on. That’s quite easy to move from one vendor to another,” says Chrobok. Zero trust will require the constant, real-time analysis of multiple engines, which are continually shared and retrained against emerging threats.
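The idea that no single engine should be trusted, and that engines have to be related to each other over a time series, is easier to see with a concrete scoring loop. The following is an added illustration written for this article, not Revelock’s code: it assumes three hypothetical engines (device fingerprint, behavioral biometrics, network signals), each emitting a per-event score in [0, 1], and judges a session on how those engines agree over a sliding window. A session in which the device still vouches for the user while the behavioral score drifts away is flagged for a step-up challenge, even though a device-only check (and even the averaged score) would have waved it through.

```python
"""Continuous, multi-engine session risk assessment.

Illustrative example written for this article; it is not Revelock's code.
Assumptions: three hypothetical "engines" (device fingerprint, behavioral
biometrics, network signals) each emit a per-event score in [0, 1], where 1
means the event strongly resembles the enrolled user. No single engine is
trusted on its own: the session is judged on how the engines relate over a
sliding time window, and a persistent disagreement between engines is itself
grounds for a step-up challenge.
"""
from collections import deque
from dataclasses import dataclass
from statistics import mean

ENGINES = ("device", "behavior", "network")


@dataclass
class Event:
    t: int          # event index within the session (constructed)
    scores: dict    # engine name -> score in [0, 1]


class SessionMonitor:
    def __init__(self, window=5, min_trust=0.6, max_spread=0.35):
        self.window = window            # number of recent events considered
        self.min_trust = min_trust      # combined score below this -> step up
        self.max_spread = max_spread    # engine disagreement above this -> step up
        self.history = {e: deque(maxlen=window) for e in ENGINES}

    def observe(self, event):
        """Record one event and return (decision, combined_score)."""
        for e in ENGINES:
            self.history[e].append(event.scores[e])
        if len(self.history["device"]) < self.window:
            return ("warming_up", None)
        window_means = {e: mean(self.history[e]) for e in ENGINES}
        combined = mean(window_means.values())
        spread = max(window_means.values()) - min(window_means.values())
        if combined < self.min_trust:
            return ("step_up", combined)
        if spread > self.max_spread:
            # One engine still vouches for the user while another has drifted away:
            # do not let the strong engine carry the session on its own.
            return ("step_up", combined)
        return ("ok", combined)


def run_session(events, **kwargs):
    """Feed a session's events through a fresh monitor; return the decisions in order."""
    monitor = SessionMonitor(**kwargs)
    return [monitor.observe(ev) for ev in events]


def single_engine_verdict(events, engine, min_trust=0.6):
    """What a check that trusts only one engine would conclude for the session."""
    return "ok" if all(ev.scores[engine] >= min_trust for ev in events) else "step_up"


def genuine_session():
    """Constructed sample: all engines agree throughout."""
    return [Event(t, {"device": 0.9, "behavior": 0.85, "network": 0.9}) for t in range(8)]


def takeover_session():
    """Constructed sample: same device and network, but the typing/navigation
    behaviour drifts away from the enrolled user part-way through."""
    behavior = [0.85, 0.8, 0.5, 0.3, 0.2, 0.2, 0.15, 0.1]
    return [Event(t, {"device": 0.95, "behavior": b, "network": 0.9})
            for t, b in enumerate(behavior)]


if __name__ == "__main__":
    for name, session in (("genuine", genuine_session()), ("takeover", takeover_session())):
        print(name, "device-only verdict:", single_engine_verdict(session, "device"))
        for ev, (decision, score) in zip(session, run_session(session)):
            print(f"  t={ev.t} {decision:10s} combined={score}")
```

The thresholds and the equal weighting of engines are arbitrary choices for the illustration; in practice each engine would be retrained and re-weighted over time, as Chrobok describes, and the disagreement test would be tuned against real session data.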
Could COVID accelerate the end of ‘traditional MFA’?
A panel of identity experts discussed the future of ‘traditional’ multi-factor authentication (MFA) as people around the world blend home working with a partial return to the office.
The panel agreed that passwords are a distinct vulnerability, along with any other element that has to be ‘known’, such as an OTP, to access a network or application. Andrew Shikiar, executive director and chief marketing officer of the FIDO Alliance, said anything requiring knowledge is open to social engineering. Moving security beyond passwords will require the continued support of platforms to help shape user behavior.
Patrick McBride, CMO at Beyond Identity, stated that end-user device biometrics, such as those on an iPhone, are now very strong and a good component within MFA, but a critical issue is that enterprises are only requiring MFA to access a few of the applications that staff use, rather than for overall access. He said that there can be no zero trust as long as there are passwords, “otherwise zero trust will be a myth forever.”
Joni Brennan, president of the Digital ID & Authentication Council of Canada, believes that as technology incorporates biometrics, decentralized identity and ultimately verifiable credentials, user education is going to be key. She believes “MFA is the way to go” albeit with stronger and stronger factors.
In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) stands to receive $25 million in federal funding to help agencies incorporate MFA, while CISA itself promotes the need to go beyond MFA to zero trust.
iProov: Controlled illumination to protect biometric verification
Liveness detection combined with facial recognition is no longer sufficient, according to Tom Whitney, Global Head of Solutions Consultancy at iProov.
The growing threat from ‘digital injected attacks’, which bypass the camera step of liveness detection and face matching by inserting the attack directly into the data stream, requires a third step: ‘right now’, real-time verification that the person is real and alive, matches the facial recognition, and is actually in front of the camera, established by checking that the lighting profile captured by the camera is the same as the one being created by the iProov system at that moment.
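The page does not detail how iProov generates or checks its lighting profile, so the following is an added simulation written for this article, not iProov’s code, to show the principle of binding a capture to a fresh illumination challenge. It assumes a hypothetical scheme in which the server issues a random per-frame screen colour sequence, the face in front of the camera reflects it (modelled here as a linear reflectance plus ambient light and noise), and the server accepts only if the per-channel colour of the returned frames correlates with the challenge it issued and the challenge is still within its validity window. All function names and parameters are assumptions of this example. A video injected into the stream that was lit by an earlier challenge, a still image, and a stale challenge are all rejected; a frame sequence that actually responded to this challenge is accepted.

```python
"""Challenge-illumination liveness check (illustrative simulation).

Added example for this article; not iProov's code and not a description of
its actual method. Assumed scheme: the server issues a fresh, random sequence
of screen colours; the client displays it and streams frames back; light
reflected from a real face in front of the camera carries that sequence, so the
server checks that the captured frames correlate with the challenge it issued.
Frames that were lit by something else (an injected or replayed video) or that
show no illumination response at all (a still image) fail the check.
"""
import math
import random

SEQ_LEN = 24                 # frames per challenge (constructed value)
CORR_THRESHOLD = 0.6         # minimum per-channel correlation to accept
CHALLENGE_TTL_SECONDS = 30   # a challenge is only valid briefly and for one capture


def issue_challenge(rng, length=SEQ_LEN):
    """One random RGB level per frame; each channel in [0, 1]."""
    return [tuple(rng.random() for _ in range(3)) for _ in range(length)]


def simulate_capture(challenge, rng, reflectance=0.35, ambient=(0.4, 0.4, 0.4), noise=0.03):
    """Constructed model of the average face-region colour per frame:
    ambient light plus a fraction of the screen colour, plus sensor noise."""
    return [
        tuple(ambient[k] + reflectance * c[k] + rng.gauss(0, noise) for k in range(3))
        for c in challenge
    ]


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either signal is flat (no response)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def verify_liveness(challenge, frames, issued_at, now, threshold=CORR_THRESHOLD):
    """Accept only a capture that answered *this* challenge while it was valid."""
    if now - issued_at > CHALLENGE_TTL_SECONDS:
        return False, "challenge expired"
    if len(frames) != len(challenge):
        return False, "frame count mismatch"
    corr = [pearson([c[k] for c in challenge], [f[k] for f in frames]) for k in range(3)]
    if min(corr) < threshold:
        return False, f"illumination mismatch corr={[round(x, 2) for x in corr]}"
    return True, "ok"


def run_scenarios():
    """Constructed scenarios with a fixed seed so the run is reproducible."""
    rng = random.Random(2021)
    issued = issue_challenge(rng)
    earlier = issue_challenge(rng)                  # challenge from an unrelated session
    live_frames = simulate_capture(issued, rng)     # real face answering this challenge
    replayed = simulate_capture(earlier, rng)       # injected video lit by the earlier one
    static_frames = [(0.45, 0.45, 0.45)] * len(issued)  # still image: no response at all
    return {
        "genuine": verify_liveness(issued, live_frames, issued_at=0, now=5),
        "injected_replay": verify_liveness(issued, replayed, issued_at=0, now=5),
        "static_image": verify_liveness(issued, static_frames, issued_at=0, now=5),
        "stale_challenge": verify_liveness(issued, live_frames, issued_at=0, now=120),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:16s} accepted={accepted} ({reason})")
```

The security of such a check rests on the challenge being unpredictable, issued fresh for each attempt and discarded after one use: the correlation test only proves that the frames were produced after the challenge was known, which is exactly the ‘right now’ property the talk calls for. A real deployment would also bind the challenge to the authenticated session and tune the threshold on genuine capture data rather than on the constructed reflectance model used here.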