Identity and identity security are taking greater and greater prominence in cybersecurity. It was one of the most discussed and debated topics at the RSA Conference this year—and for no small reason. 81% of data breaches involve stolen privileged credentials. Improper role management can result in insider threats, both deliberate and accidental. Poor onboarding, provisioning, and offboarding management can lead to orphaned accounts or employees using vulnerable access workarounds. To top it all off, passwords—long considered the pinnacle of authentication—have been proven to be unreliable in securing identities and unpopular among professionals and employees alike.
While these identity issues are still being explored and experimented on, in the case of passwords, biometric authentication has emerged as their potential complement or even replacement. Yet there has been some controversy surrounding the viability of biometric authentication.
In this context, the International Biometric + Identity Association (IBIA) recently unveiled their new whitepaper—“Biometrics Explained: Answers to 13 Basic Biometrics Questions”—which presents some interesting counterarguments to the most persistent questions surrounding biometric authentication deployment and functionality. The IBIA is a trade organization representing identity technology vendors.
Here are some of the key findings in “Biometrics Explained: Answers to 13 Basic Biometrics Questions”:
How Do We Secure Users’ Biometric Authentication Data?
IBIA contends that biometric data is really no different from any other highly valuable proprietary data. As with user passwords, it does need extensive cybersecurity protocols to secure—encryption, access controls, etc.—but it can’t wreak the same amount of damage as stolen passwords. Stolen passwords can be used instantly. Biometric template encoding needs to be reverse-engineered to do the same—a much taller order.
IBIA Found Almost No Biometric Data Breaches
IBIA identifies only one theft of user biometric authentication data in digital history—the 2015 OPM theft of millions of fingerprints. However, given the nature of the threat, this may constitute a compromise only to those users trying to cross the Chinese border. Biometric data is almost always heavily secured and is much harder to monetize or exploit than biographic health data, making it an unappealing target for hackers.
Which leads neatly to…
Stolen Biometric Authentication Data Is Hard to Exploit
IBIA concedes it is certainly possible for hackers to maliciously use stolen biometric data, but it is actually much harder than other identity thefts. Having biometric data is different from having the ability to present it as an authentication factor when prompted. The process to make it presentable is convoluted and can render the stolen data useless.
Ultimately, IBIA concludes that biometric authentication is still more secure than the single-factor username/password paradigm. The question is whether their findings will hold up against the ingenuity of real-world threat actors.
You can download the IBIA whitepaper here.