We’ve been talking about the death of the password for quite some time now. Barely a year goes by without someone loudly proclaiming that its final breaths are close at hand.
They are easy to guess, easy to forget, and people cannot quite help writing them down in plain view. What’s more, there is a whole array of technologies on offer that could replace this tired, feeble dinosaur of a solution. And yet it persists.
In recent years, solutions like multi-factor authentication and single sign-on have become popular as a way to largely circumvent the weaknesses of the password. And one in particular has caught people’s eye: biometrics.
Suddenly, physical characteristics that are unique to each person on the planet, a fingerprint, a face, an iris, can be used as a security credential. Users cannot forget them and attackers cannot guess them the way they guess a password.
So why aren’t we having our faces scanned and fingerprints checked multiple times a day in a world which requires we carry nothing but a human body to verify our identities?
Well it’s not quite that simple.
Ping Identity recently carried out a survey of over 4,000 consumers in five different countries. We wanted to gauge their views on the various secure authentication options available to them. Biometrics was by far the most trusted authentication solution – 34% considered biometrics and facial recognition to be the most secure form of identity verification and 50% said that it was among the top two most secure options available.
Biometric authentication compares well with other forms: it tends to be more secure, more convenient and less intrusive than passwords or tokens, and it sidesteps many of their weaknesses. But that is not to say the picture is entirely rosy.
Respondents also registered a seemingly conflicting mistrust of the technology. Nearly half, 46%, said they have privacy concerns around the use of biometrics. One concern highlighted in the survey was that their biometric data might be abused by the company or government collecting it.
Biometrics has not escaped criticism on security grounds either. Some of those concerns are founded on a poor understanding of the technology. That does not make them groundless, though.
The primary concern is just how authoritative biometric data is. That makes it a strong authenticating factor, but it also makes it uniquely sensitive. Unlike a password it cannot be changed, so if it is stolen it stays stolen: whoever was unlucky enough to have their fingerprints copied cannot issue themselves a new set.
Many consumers had their first taste of biometrics on their smartphones. Apple introduced Touch ID with the iPhone 5s in 2013, and other manufacturers soon followed suit. On these devices the biometric data is typically well protected: it is stored and matched on the phone itself and never leaves it. Where a system instead sends biometric data to a server for storage or matching, that data is considerably more exposed, both in transit and wherever it ends up being kept. And well protected on the phone does not mean it cannot be obtained by the right attack at the right time.
The 2015 breach of the US Office of Personnel Management, in which a threat actor made off with the personal information of millions of current and former government employees, included among that hoard of data the fingerprints of about 5.6 million of them.
Much of the information taken in that breach can be remediated over time. Passwords can be changed, and the damage that a leaked social security number or other personal details can wreak can be mitigated. You only get one set of fingerprints, though.
Furthermore, capturing a biometric is easier than one might think, and biometrics are captured in more places than one might think. Facebook processes facial data from uploaded photos, voice assistants such as Siri capture voice samples, and many IoT devices capture and store biometric data without their owners’ immediate knowledge. As security researcher Graham Cluley once put it, “fingerprints are not secrets, you literally leave them lying around everywhere you go.”
The possibilities get stranger still. In December 2014, not long after Apple’s fingerprint sensor had gone mainstream, the hacker Jan Krissler showed at the Chaos Communication Congress that he could reproduce the fingerprint of Ursula von der Leyen, then Germany’s Minister of Defence, working only from a series of photographs of her hand found on Google Images.
Our respondents’ fears are not ridiculous, but biometrics remains one of the most promising authentication technologies around, and a far less risky proposition than passwords.
Those looking to adopt biometrics within their organisation should press their vendors on the details: how is biometric data stored, how is it protected, is it encrypted at rest and in transit, does the raw biometric ever leave the user’s device at all, who has access to it, and will it eventually be deleted? Perhaps most pressing of all: is that data going to be sold or transferred to a third party?
That biometrics is a superior form of authentication to the password does not mean the password has to be thrown out entirely. Multi-factor authentication has proved increasingly popular, and combining several factors lets each cover the others’ weak spots.
The risks have to be judged soberly. Whatever suspicions people have around biometrics, there is no such thing as a 100% secure product, and customers will have to hold their vendors to account to ensure the security they need.
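The distinction drawn above between biometric data that stays on the phone and biometric data that is shipped to a server, and the vendor questions about where it is stored and whether it ever leaves the device, is easiest to see in code. What follows is an added example and not Ping Identity’s code or anything from the original article: the fingerprint “templates” are constructed 64-bit values, the matcher is a simple Hamming-distance threshold standing in for a real minutiae matcher, and an HMAC over a server-issued challenge stands in for the asymmetric signature a FIDO-style authenticator would produce (with a real signature the server would hold only a public key; here it holds a per-device secret, which is a simplification). The server-side design is included beside it so the difference in what a breach of the server exposes is concrete.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# --- Constructed sample data (not real biometric templates) -----------------
# A template is modelled as a 64-bit feature vector; a real matcher works on
# minutiae or embeddings, but the point here is the data flow, not the matcher.
ENROLLED_TEMPLATE = 0x1234_5678_9ABC_DEF0
SAME_FINGER_SAMPLE = ENROLLED_TEMPLATE ^ 0x0000_0010_0000_0101  # 3 bits of sensor noise
OTHER_FINGER_SAMPLE = 0x0F0F_F0F0_1234_ABCD
MATCH_THRESHOLD_BITS = 6  # assumed: up to 6 of 64 bits may differ and still match


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two 64-bit templates."""
    return bin(a ^ b).count("1")


class RawTemplateServer:
    """The design the article warns about: templates stored and matched
    server-side, so every login ships the biometric across the wire and a
    breach of the store leaks a credential that can never be rotated."""

    def __init__(self) -> None:
        self.templates: Dict[str, int] = {}

    def enroll(self, user: str, template: int) -> None:
        self.templates[user] = template

    def login(self, user: str, sample: int) -> bool:
        return hamming(sample, self.templates[user]) <= MATCH_THRESHOLD_BITS


class Device:
    """Authenticator that keeps the template on-device and only releases a
    response to a server challenge. The template is never serialised."""

    def __init__(self, template: int) -> None:
        self._template = template                  # stays in local secure storage
        self._device_key = secrets.token_bytes(32)  # simplification: HMAC key shared at enrollment

    def enrollment_record(self) -> bytes:
        """What the server stores for this user: the device key, not the biometric."""
        return self._device_key

    def respond(self, sample: int, challenge: bytes) -> Optional[bytes]:
        """Match locally; on success MAC the server's challenge, otherwise refuse."""
        if hamming(sample, self._template) > MATCH_THRESHOLD_BITS:
            return None
        return hmac.new(self._device_key, challenge, hashlib.sha256).digest()


class ChallengeServer:
    """Holds per-device keys and verifies single-use challenge responses."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}

    def register(self, user: str, record: bytes) -> None:
        self._keys[user] = record

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(32)
        self._pending[user] = c
        return c

    def verify(self, user: str, response: Optional[bytes]) -> bool:
        c = self._pending.pop(user, None)  # single use, consumed even on failure
        if c is None or response is None:
            return False
        expected = hmac.new(self._keys[user], c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticate(server: ChallengeServer, device: Device, user: str, sample: int) -> bool:
    """Full exchange: challenge -> local match on the device -> response -> verify."""
    c = server.challenge(user)
    return server.verify(user, device.respond(sample, c))


def demo() -> Dict[str, bool]:
    raw = RawTemplateServer()
    raw.enroll("alice", ENROLLED_TEMPLATE)
    dev = Device(ENROLLED_TEMPLATE)
    srv = ChallengeServer()
    srv.register("alice", dev.enrollment_record())
    return {
        "same_finger": authenticate(srv, dev, "alice", SAME_FINGER_SAMPLE),
        "other_finger": authenticate(srv, dev, "alice", OTHER_FINGER_SAMPLE),
        # A response replayed without a fresh challenge is rejected.
        "replay": srv.verify("alice", dev.respond(SAME_FINGER_SAMPLE, b"stale")),
        # What a breach of each server's store would expose.
        "raw_server_holds_template": ENROLLED_TEMPLATE in raw.templates.values(),
        "challenge_server_holds_template": any(
            isinstance(v, int) for v in srv._keys.values()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The matcher and key handling are deliberately minimal; the thing to take from the example is the data flow. In the challenge design a compromise of the server yields device keys that can be revoked and re-enrolled, while in the raw-template design it yields the fingerprints themselves, which is exactly the OPM situation described below.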
By Rob Otto, EMEA CTO, Ping Identity