The Challenges of Implementing Biometrics for Authentication
Introduction
The use of biometrics for authentication is becoming increasingly mainstream, with many consumer devices now supporting this technology. However, organizations must carefully consider how to effectively implement biometrics within their environments. While biometrics offer convenience and efficiency, there are concerns about the security and potential risks associated with using this form of authentication. This article explores the arguments surrounding the use of biometrics, discusses potential security vulnerabilities, and offers advice on how organizations can implement biometrics effectively.
The Trade-Off between Convenience and Security
Biometrics have become a popular means of authentication due to their convenience and ease of use. Unlocking a phone or accessing a laptop with a fingerprint or facial recognition offers a seamless user experience. However, some experts argue that this convenience comes at a cost. Sailpoint CISO Rex Booth questions whether the convenience of using biometrics for low-stakes scenarios, like unlocking a phone, is worth the potential risks. He suggests that biometrics should be reserved for more meaningful and high-stakes situations.
Storing Biometric Data
One of the main concerns with using biometrics for authentication is how the biometric data is stored. In many cases, this responsibility falls on the third-party vendor providing the biometrics technology. However, if a breach occurs and the authentication data is stolen, the blame may eventually land on the Chief Information Security Officer (CISO). Even if the stolen data does not hold significant value for the thieves at first, there is always the possibility that, given enough time and access to powerful equipment, criminals will eventually be able to recover usable authentication data from it, and unlike a password, a biometric cannot be changed once it is exposed.
The Argument Against Routine Biometric Authentication
Sailpoint’s Booth raises concerns about enterprises using biometrics as a routine authentication approach. He argues that such an approach could undermine the security of the enterprise and put all employees, contractors, and partners at risk. While Booth acknowledges that he has already lost control of his biometrics due to previous data breaches, he believes that further control should not be risked for low-reward use cases. Instead, he advocates for the reserved and meaningful use of biometrics.
Implementing Multifactor Authentication (MFA)
To address the security concerns surrounding biometrics, one common strategy is to combine biometrics with other high-security approaches, creating a multifactor authentication (MFA) system. A common criticism of traditional MFA implementations is that they often rely on weak second factors, such as one-time codes sent over unencrypted SMS messages. By adding continuous authentication (CA) and behavioral analytics (BA), organizations can strengthen their authentication processes beyond the initial login check.
Continuous Authentication
Continuous authentication focuses on monitoring the access to systems and the actions initiated by users. This approach does not end once authentication is confirmed but continues to monitor user behavior for any signs of misuse or insider attacks. By employing behavioral analytics and considering a wide range of factors, such as typing speed and device characteristics, continuous authentication provides a layered and robust security approach.
Behavioral Analytics
Behavioral analytics verifies user identity by analyzing various factors, such as keystroke errors, typing speed, and phone usage patterns. Constantly changing the attributes considered and the actions required from users to confirm their identity enhances the security of behavioral analytics. This dynamic approach makes it more challenging for fraudsters to predict and bypass authentication prompts.
MFA and Biometrics
Implementing MFA with a combination of secure approaches, such as continuous authentication, behavioral analytics, and physical tokens like FIDO tokens or authenticator apps, can enhance the overall security of the authentication process. By integrating biometrics as the first step in this layered approach, organizations can balance convenience and security. Utilizing lenient settings for biometrics in combination with other high-security factors ensures that the entire authentication does not solely rely on a single point of failure.
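The continuous-authentication and behavioral-analytics layering described in the preceding sections, as an added illustration (not code from the article or any vendor named in it): a per-user typing baseline is built from enrolment samples, each later observation in the session is scored against it, and the policy either lets the session continue, demands a step-up factor such as a FIDO token, or terminates it. The attribute set, the device identifiers, the sample data and all thresholds are constructed assumptions for the example.

```python
"""Continuous authentication with behavioral analytics: added example."""
from statistics import mean, pstdev

# Constructed enrolment data for one legitimate user: mean inter-keystroke
# interval (ms) and error rate (backspaces per 100 keystrokes) per session,
# plus the device identifier seen at enrolment (hypothetical value).
ENROLMENT = {
    "intervals_ms": [180, 175, 190, 185, 170, 182, 178, 188],
    "error_rate": [2.0, 2.5, 1.5, 2.2, 1.8, 2.1, 2.4, 1.9],
    "device_id": "laptop-A1",
}


def build_profile(enrolment):
    """Baseline: (mean, spread) of each behavioral attribute, plus device."""
    return {
        "intervals_ms": (mean(enrolment["intervals_ms"]), pstdev(enrolment["intervals_ms"])),
        "error_rate": (mean(enrolment["error_rate"]), pstdev(enrolment["error_rate"])),
        "device_id": enrolment["device_id"],
    }


def risk_score(profile, observation):
    """Capped z-score deviation per attribute plus a penalty for an unknown device.

    Capping keeps one wild value from deciding alone, so several weak signals
    must agree before the session is judged suspicious (the layered approach).
    """
    score = 0.0
    for attr in ("intervals_ms", "error_rate"):
        base_mean, base_sd = profile[attr]
        z = abs(observation[attr] - base_mean) / (base_sd or 1.0)
        score += min(z, 5.0)
    if observation["device_id"] != profile["device_id"]:
        score += 4.0  # an unfamiliar device alone is enough to ask for a second factor
    return score


def decide(score, step_up_at=4.0, terminate_at=8.0):
    """Policy thresholds are assumptions: low risk continues, medium risk
    demands another factor (e.g. FIDO token), high risk ends the session."""
    if score >= terminate_at:
        return "terminate"
    if score >= step_up_at:
        return "step_up"
    return "allow"


def monitor(profile, observations):
    """Run the check after every observation; return the first non-allow decision."""
    for obs in observations:
        verdict = decide(risk_score(profile, obs))
        if verdict != "allow":
            return verdict
    return "allow"
```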
Piggybacking on Biometrics
Another approach to reduce authentication costs is through piggybacking on the biometrics already present in users’ smartphones. This allows organizations to leverage the convenience of biometrics without incurring additional expenses or requiring users to enroll in new systems. However, this approach comes with its own challenges, as IT and security have limited control over how the biometrics are administered and protected. Nonetheless, if a robust MFA system is in place, even lenient settings for piggybacked biometrics may not compromise security.
The Debate Surrounding Piggybacking
Some experts, such as Accenture’s Damon McDougald, view piggybacking as a great first step to leverage the familiarity of biometrics on users’ smartphones. McDougald emphasizes the importance of avoiding excessive friction with any form of authentication, as it may lead to users bypassing the process, inadvertently granting unauthorized access. While piggybacking limits control over the technology and its configuration, a well-designed MFA system can mitigate such concerns.
Conclusion
Implementing biometrics for authentication presents both benefits and challenges for organizations. While biometrics offer convenience, there are valid concerns about their security and potential risks. By combining biometrics with other high-security approaches within a multifactor authentication system, organizations can enhance the overall security of their authentication processes. The choice of which biometric technology to use and how to administer it requires careful consideration to strike the right balance between convenience and security. Ultimately, organizations should approach biometrics with caution and reserve their use for meaningful and high-stakes scenarios.