Biometric identifiers are currently used as part of the authentication process at 62 percent of organizations, and 70 percent of U.S. consumers would like to see biometric authentication expand into their places of work. Often used alone or as part of multi-factor authentication protocols, biometric data is seen as a more secure alternative to traditional passwords.
However, concerns about potential vulnerabilities are beginning to arise as the use of biometrics becomes more prevalent. What risks are businesses and organizations taking by adopting biometric authentication, and how does it impact customers and employees?
Unlike passwords and verification codes, biometrics are fundamental parts of users’ identities. The following common identifiers represent unique physical or behavioral traits:
• Fingerprint scan
• Iris scan
• Facial scan
• Voice recognition
• Handprint geometry
• Vein mapping
• Behavioral characteristics
Whether inherited or learned, these markers are core aspects of personally identifiable information (PII) and can’t be changed. Hacked passwords are easy to reset, but what can consumers and employees do if a hacker steals what’s essentially part of their biology?
The use of biometrics in authentication means every action taken is connected to the user to whom the specific identifiers belong. Once a malicious third party manages to compromise a scan or fool a matching algorithm, the real user’s reputation is at risk. Technology for capturing the images and information used in biometrics is becoming more powerful, which allows for more nuanced and detailed profiles of consumers and employees. However, just one vulnerability in the way the data is captured, stored or transmitted can expose private PII and allow hackers not only to access business networks but also to take over every account associated with an individual’s biometric information.
Inaccuracy and Fraud
The tendency of users to assign similar or identical passwords to multiple accounts is often cited as a major problem for system security, but this becomes less of a concern when passwords are encrypted and hashed. Hashing turns each password into a fixed-length digest that is difficult or impossible for hackers to reverse, so a stolen table of digests does not directly reveal the passwords. This allows users to set passwords they can remember for easy access to systems.
By contrast, scanners used to capture and read biometric data aren’t accurate 100 percent of the time. Even slight variations in how a user touches a fingerprint scanner or looks at a camera during a facial scan will create different images. The resulting discrepancies can cause authentication to fail and lock legitimate users out of the system.
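The contrast with passwords is worth seeing in code. Below is an added example (not from the original article) using a constructed toy "template", an 8-element feature vector standing in for the minutiae or landmarks a real scanner would extract. It shows that a slightly different capture of the same person produces a different hash, so a biometric cannot be verified by exact digest comparison the way a password can; instead the system keeps a recoverable template and accepts anything within a distance threshold. The `error_rates` function then measures, over constructed genuine and stranger samples, how the threshold trades false rejects against false accepts. The noise amplitude, vector values and trial counts are all constructed for illustration.

```python
import hashlib
import math
import random
from typing import List, Tuple

# Constructed enrolled template: 8 normalised features for one user.
ENROLLED: List[float] = [0.62, 0.11, 0.85, 0.40, 0.23, 0.77, 0.52, 0.09]


def add_sensor_noise(template: List[float], amplitude: float, rng: random.Random) -> List[float]:
    """Perturb each feature slightly, as a different finger placement or head pose would."""
    return [v + rng.uniform(-amplitude, amplitude) for v in template]


def random_stranger(rng: random.Random) -> List[float]:
    """A constructed probe from an unrelated person: uniformly random features."""
    return [rng.random() for _ in range(len(ENROLLED))]


def template_hash(template: List[float]) -> str:
    """Hash a template the way a password is hashed: any change flips the digest."""
    serialised = ",".join(f"{v:.6f}" for v in template).encode("utf-8")
    return hashlib.sha256(serialised).hexdigest()


def distance(a: List[float], b: List[float]) -> float:
    """Euclidean distance between two templates; the matcher's similarity score."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def matches(probe: List[float], enrolled: List[float], threshold: float) -> bool:
    """Threshold matching: accept when the probe is close enough to the enrolled template.
    Note the enrolled template must be available in the clear at this point."""
    return distance(probe, enrolled) <= threshold


def hash_comparison_fails_for_genuine_user(seed: int = 1) -> bool:
    """A genuine re-scan with tiny sensor noise no longer hashes to the enrolled digest."""
    rng = random.Random(seed)
    probe = add_sensor_noise(ENROLLED, 0.05, rng)
    return template_hash(probe) != template_hash(ENROLLED)


def error_rates(threshold: float, trials: int = 2000, noise: float = 0.05, seed: int = 1) -> Tuple[float, float]:
    """Return (false reject rate, false accept rate) for a given threshold,
    estimated over constructed genuine re-scans and random strangers."""
    rng = random.Random(seed)
    false_rejects = sum(
        not matches(add_sensor_noise(ENROLLED, noise, rng), ENROLLED, threshold) for _ in range(trials)
    )
    false_accepts = sum(matches(random_stranger(rng), ENROLLED, threshold) for _ in range(trials))
    return false_rejects / trials, false_accepts / trials


if __name__ == "__main__":
    print("genuine re-scan hashes differently:", hash_comparison_fails_for_genuine_user())
    print(f"{'threshold':>9} {'FRR':>7} {'FAR':>7}")
    for t in (0.03, 0.08, 0.15, 0.60, 1.20):
        frr, far = error_rates(t)
        print(f"{t:>9.2f} {frr:>7.3f} {far:>7.3f}")
```

Tightening the threshold locks out legitimate users (the failure the paragraph above describes); loosening it lets strangers and, by extension, convincing fakes through. Because the match is computed against the stored template in the clear, the template itself is the asset that must be protected at rest, in transit and at the moment of matching.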
The irony of this situation lies in a hacker’s ability to reproduce a convincing fake of the original scan and use it for successful access. Information is vulnerable when it’s recorded, stored and transmitted, giving hackers multiple opportunities to lift identifying data.
Storage and Encryption
Once identifiers are collected, the data has to be stored somewhere. Because no form of storage can be considered completely safe, this creates the same problem as any other access management strategy in which businesses and organizations are responsible for securing users’ identities. Encrypting data during transfer only addresses part of the problem, since hackers can still access biometric information as it’s collected and when it’s being matched to previously captured data.
Businesses can improve security by adopting runtime encryption, which keeps sensitive data encrypted during use, or by choosing not to store biometrics at all. Authentication apps that keep biometric data locally on users’ devices minimize the danger of compromise but still carry risks if a device is lost or stolen. Compromised applications on devices or networks create additional vulnerabilities, which must be considered when determining the best method to implement.
Predictions show almost 90 percent of businesses will use biometrics by 2020, and yet the technology still has the kind of mystical appeal often associated with science fiction. Business owners must beware of seeing biometric authentication as a cure-all or magic bullet for solving problems with access management.
Research conducted at Michigan State University showed just how dangerous this kind of thinking can be. Using machine learning, researchers created a set of incredibly accurate “MasterPrints,” synthetic fingerprints able to match numerous real fingerprints and undermine the security of biometric scanners. In another startling example, Vietnamese hackers were able to use just a handful of materials and tools to create masks capable of fooling Apple’s Face ID. Without other security measures in place, biometrics can be compromised and leave business networks exposed to these types of attacks.
Businesses faced with the challenges of implementing biometric authentication need expert help to prevent the personal identifiers of their customers and employees from becoming compromised. With so much at risk, both an accurate understanding of potential vulnerabilities and a solid identity theft prevention plan are essential to preserve the privacy and integrity of personal data.