The tipping point for biometric security
ABC Technology and Games, 26 Nov 2014
Currently most of us depend on passwords to protect our online identities. But passwords may be the largest security liability of the internet. They have numerous weaknesses that put consumers, corporates and the wider online world at significant risk. These weaknesses fall into three categories:
- People. Most organisations leave users to choose their own passwords, and people tend to choose passwords they can remember rather than passwords that are secure. In fact, 91 percent of all passwords in use are found in the top 1000 most used passwords, and a PIN picked at random from those in use will be 1234 more than 10 percent of the time.
- Passwords are easily lost or stolen. Many people reuse the same password on multiple sites - creating a massive exposure for their entire online identity. Recent large scale data breaches have included the exposure of passwords. 600,000 logins to a popular social networking site are compromised every day. Once a hacker has the password to one account they can unlock a huge quantity of personal, financial and corporate information.
- Recovery is flawed. If a user loses or forgets a password, the usual recovery method is to ask them a question or questions that only they should know the answer to. Unfortunately the answers to these questions can often be found elsewhere online. Alternatively, hackers can use social engineering to steal passwords by masquerading as a trusted entity to either the user or other people with access to the user's information.
But using biometrics for online security has rarely been seen outside Hollywood movies to date. Consumers have been put off by high error rates and privacy concerns, while organisations find server-side biometric templates too risky to hold, because a central store of templates is a prized target for cybercriminals.
Existing biometric authentication models are focused on identity management and identity proofing, which are related to but separate from authentication. Making the problem worse, there is little interoperability between sites, applications and users.
However the tipping point for biometric security is approaching. The Biometrics Institute is an impartial forum for sharing knowledge and information about biometrics. To address concerns about privacy and data protection, it has designed a range of privacy guidelines to assure the public that best practice privacy principles are followed. The guidelines are intended to be a guide across many countries and jurisdictions - recognising that biometrics and IT connect beyond national and organisational boundaries.
Biometric security technology is maturing. Over the next two years biometric security is predicted to meet end user and organisational demands for both convenience and security. We can now combine multiple authentication factors that are easy to use but do not require passwords. This is due to a number of developments in the biometric security landscape.
Firstly, the rise of the smartphone has offered an opportunity to re-think the application of biometrics from both a security and a user perspective. Previously, when presented with fingerprint readers on laptops, which are near ubiquitous in a corporate setting, users who enrolled their fingers discovered that the only thing they could do was unlock their laptop, leaving them asking "now what?".
The incentive to use the fingerprint reader was non-existent, as entering a password on a keyboard was easy, so very few used it. The smartphone changed this: typing complex passwords is difficult and inconvenient on small mobile keyboards, leading users to use either simple PINs or no password protection at all. Re-thinking the biometric as a convenience feature for the user but as a security feature for the device increases the incentive for use. As a user you can pick up your phone and have it automatically unlock and start working, and as a security control it ties the device to you.
Secondly, a number of industry initiatives with common aspects have formed. Organisations like the FIDO (Fast Identity Online) Alliance are developing technical standards for biometric devices and controls for use by all, while single-vendor systems like Apple's TouchID and Samsung's PassAPI are focusing on simple integration for developers.
Significantly, all of these systems are adopting the mandate of using on-device (client-side) biometrics rather than central (server-side) biometrics.
With on-device-only biometrics, the biometric authentication happens on the device and unlocks regular strong credentials, which are then sent instead of passwords or biometric data. This means that no service provider holds any biometric data on the user, and the user is also guaranteed to be using unique, strong credentials that can easily be managed and consumed.
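As an added illustration of that on-device model (example code written for this page, not code from the article, the FIDO Alliance or any vendor), the sketch below keeps the biometric template and a per-service credential on the device, lets a local match unlock the credential, and sends the service only a response to a one-time challenge. Assumptions: a constructed 32-byte "feature vector" stands in for a real biometric sample, matching is a Hamming-distance threshold, and a shared-secret HMAC stands in for the public-key signature that FIDO-style protocols actually use, so the block runs on the Python standard library alone.

```python
"""Device-side biometric unlock gating a per-service credential (illustration)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


@dataclass
class Device:
    """Holds the enrolled template and one unique key per service.
    Neither the template nor the keys ever leave the device; only HMAC
    outputs are transmitted."""
    template: bytes                                   # constructed feature vector
    threshold: int = 8                                # assumed max differing bits
    keys: Dict[str, bytes] = field(default_factory=dict)

    def register(self, service_id: str) -> bytes:
        """Mint a fresh random credential for one service and hand the service
        its copy. Every service gets an unrelated key, so a breach at one
        service exposes nothing usable elsewhere."""
        key = secrets.token_bytes(32)
        self.keys[service_id] = key
        return key

    def unlock(self, sample: bytes) -> bool:
        """Local match: compare the live sample to the stored template."""
        return (len(sample) == len(self.template)
                and hamming(sample, self.template) <= self.threshold)

    def respond(self, service_id: str, sample: bytes,
                challenge: bytes) -> Optional[bytes]:
        """Only a successful local match releases the credential; the service
        receives a MAC over its own id and nonce, never the sample."""
        if not self.unlock(sample):
            return None
        msg = service_id.encode() + challenge
        return hmac.new(self.keys[service_id], msg, hashlib.sha256).digest()


@dataclass
class Service:
    """Server side: stores one credential per user and outstanding nonces."""
    service_id: str
    registered: Dict[str, bytes] = field(default_factory=dict)
    issued: Dict[str, bytes] = field(default_factory=dict)

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.issued[user] = nonce
        return nonce

    def verify(self, user: str, response: Optional[bytes]) -> bool:
        nonce = self.issued.pop(user, None)   # single use: a replay finds none
        key = self.registered.get(user)
        if nonce is None or key is None or response is None:
            return False
        expected = hmac.new(key, self.service_id.encode() + nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> Dict[str, bool]:
    """Run the enrol / challenge / respond flow and its failure cases."""
    template = bytes(range(32))                       # constructed sample
    device = Device(template=template)
    bank, shop = Service("bank.example"), Service("shop.example")
    bank.registered["alice"] = device.register(bank.service_id)
    shop.registered["alice"] = device.register(shop.service_id)

    good = bytearray(template)
    good[0] ^= 0x03                                   # 2 bits differ: accepted
    bad = bytes(b ^ 0xFF for b in template)           # 256 bits differ: rejected

    c1 = bank.challenge("alice")
    r1 = device.respond(bank.service_id, bytes(good), c1)
    ok = bank.verify("alice", r1)
    replay = bank.verify("alice", r1)                 # nonce already consumed
    c2 = bank.challenge("alice")
    rejected = bank.verify("alice", device.respond(bank.service_id, bad, c2))
    c3 = shop.challenge("alice")
    forged = hmac.new(bank.registered["alice"], shop.service_id.encode() + c3,
                      hashlib.sha256).digest()       # bank's key used at shop
    cross = shop.verify("alice", forged)
    return {"ok": ok, "replay": replay, "rejected": rejected,
            "cross_service": cross,
            "keys_distinct": bank.registered["alice"] != shop.registered["alice"]}


if __name__ == "__main__":
    print(demo())
```

The four negative cases are the properties the article claims for this model: a failed local match releases nothing, a captured response cannot be replayed, a credential stolen from one service is useless at another, and the service never holds the template. In a real deployment the per-service credential would be an asymmetric key pair so that the service stores only a public key.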
Other advances include:
- Building systems that use biometrics but still have a secure backup method available to users.
- Integrating location awareness and biometrics for systems access. Users have to be in the expected location as well as having the correct biometric identity.
- Having biometrics work with any form of authentication such as PINs.
- Providing the freedom for developers and integrators to integrate biometrics into their technology as required.
Ultimately, convenience, ease-of-use, speed and accuracy are appealing attributes for authentication and this will drive the adoption of biometrics.
Nick Savvides, Security Expert for Norton and Symantec in the Pacific region.