How a year can change the conversation…
Security experts once heralded the coming of biometric security as a game changer in authentication. The use of physiological factors like fingerprints or irises dominated the conversation of identity and access management’s future. It looked for a moment like the death knell of passwords.
Yet today, news of the various tools and tricks to subvert biometric security methods splash across the headlines. At the end of last year, researchers in Germany unveiled methods to circumvent and fool palm-vein authentication. Facial recognition tools, becoming more prevalent in consumer devices, can be fooled by 3D printed heads. With a simple inkjet printer, hackers can recreate any fingerprint they desire.
Panic spreads among observers and experts of biometric security. Yet this panic might prove unfounded, or at least overblown (as can be the case in cybersecurity). Here’s why we think biometric security is still secure and worth researching as part of your next-gen identity and access management solution:
Don’t Confuse What is Possible and What is Probable
Academics researching cybersecurity and digital attack tactics constitute one of the most important branches of threat intelligence. Without their tireless work, our identity and access management solutions wouldn’t have the foresight or the preparation necessary to keep pace with hackers.
However, a noticeable disconnect can occur between academic and on-the-ground attack scenarios. Put another way, just because a research team can pull something off does not mean hackers will have the same resources or patience to copy them. For example, the German researchers mentioned above needed over 2,000 tries to get their faked palm vein authentication to work.
Granted, experts note hackers have become more collaborative and combining their resources they could develop a more consistent method to subvert biometric security. However, hackers as a rule trend towards the easier tactic and the easier targets; hence phishing attacks remain such a popular and effective tool for subverting authentication protocols. More likely, they’ll invest their resources to improving their social engineering than their biometric subversions.
While you cannot simply set and forget your biometric security, you shouldn’t think of it as any weaker or stronger than any other authentication protocol. Instead, consider it another part of your potential arsenal; it can suit some enterprises’ access management but may not fit with others.
Biometric Security Works Best in MFA
We think of access management in binary terms: you are either secure, and hackers cannot break into your network, or not and not. However, a probabilistic model provides a more accurate understanding of cybersecurity. The more layers to your identity authentication, the less likely hackers will be able to circumvent your cybersecurity, and vice versa.
The early assumptions surrounding biometric security—that it could supplant passwords—fuels the current panic in the discourse. However, biometric security remains secure so long as your enterprise treats it as another layer in your overall authentication platform.
When you incorporate biometric security into your two-factor authentication, your access management becomes stronger; hackers will have to acquire both your employees’ passwords and their biometric information to try and break into the network.
However, two-factor authentication faces its own scrutiny. Hackers have found ways to subvert the traditional authentication use of mobile devices and insert themselves into the authentication process. Therefore, enterprises embrace multi-factor authentication (MFA) for its more layered approach to access management.
Additionally, multifactor authentication can be applied in a granular fashion. Your regular employees may only require two-factor authentication, whereas your most privileged users may need as many as five factors to access your sensitive digital assets.
Don’t Get Caught Up With the Physical Factors
A fixation on the physiological also contributes to the panic surrounding biometric security; fingerprints, vocal recognition, and palm readers grab attention and carry a distinct futuristic aura many find appealing.
However, in the cascade of physiological biometric security headlines, it can be easy to forget other forms of biometric security exist. Behavioral biometrics such as typing behavior can prove just as informative and accurate as a fingerprint and will prove much harder to hack.
Moreover, behavioral biometrics are subtle and non-intrusive, which will appeal to enterprises with employees reluctant to embrace the still new technology.
In short, if you are worried about biometric security, you do have some cause for it. However, don’t let your worry blind you to its possibilities for your enterprise and your security.
Latest posts by Ben Canner (see all)
- 4 Gartner Cool Vendors 2019: Identity and Access Management - May 20, 2019
- 6 Questions to Improve Your Identity Management Strategy - May 16, 2019
- The 10 Best Free and Open Source Identity Management Tools - May 15, 2019