Addressing risk in the application of biometric technologies
Source: Alice MacGregor
The Stack discusses the emergence of biometrics with Diogo Mónica, Security Lead at Docker, and Kevin Curran, a senior computer science lecturer at the University of Ulster. Both experts are members of the Institute of Electrical and Electronics Engineers (IEEE) – a professional association working to advance, promote and coordinate research in biometric technology and applications.
We have seen a surge in interest around using biometric technologies for verification. How reliable are these solutions?
Diogo: Different biometric authentication technologies have widely different false positive and false negative rates. In particular, facial recognition is still very inaccurate and prone to a high false positive rate. However, fingerprint authentication, in part thanks to Apple and TouchID, is becoming a lot better.
Kevin: The accuracy of facial recognition identification systems can vary greatly due to factors including lighting, angle and camera sensitivity. Fingerprint scanning can also be limited by temperature variance and other conditions. Laptops have had fingerprint reading capabilities for years, but are rarely used. As Diogo mentioned, Apple’s Touch ID system has been widely deployed. The Touch ID system is remarkable from a security point of view, despite instances where it was bypassed through use of scanners, latex and persistence. Fingerprint scanners cannot be the answer, however, because we leave fingerprints on every surface we touch.
keyboard-biometricsThere are other biometric systems out there – some of which use contextual information (location etc.) in smart ways. Many people are not familiar with keystroke dynamics, which assesses keystroke logging. Seek times and hold times can be very specific to a person, regardless of how fast they use the device. Most people have specific letters that take them longer to find than their average seek time over all letters, but which letters those are may vary dramatically but consistently for different people. Right-handed people may be statistically faster in reaching keys they hit with their right hand than with their left hand.
Keystroke dynamic information is typically discarded but can be used to verify the identity of the person producing them. Several home software and commercial software products claim to use keystroke dynamics for authentication such as BioTracker, ID Control, TypeWATCH, Authenware, Probayes and KeyTrac.
What are the security advantages of using these types of verification? Are there specific threats and failings we need to look out for?
The objective of biometric identity authentication is to establish a bond of trust between an organisation and the user.
Diogo: I’d say the only advantage of using biometric identification is convenience. A fingerprint isn’t something that you can forget at home, or have to memorise. Usability of a security system is incredibly important so that users don’t simply disable it. If you have to memorise a 4-digit PIN to access your phone, you might not go through the trouble, but if you have the ability to configure your fingerprint such that when you press the home button your phone auto-unlocks, you will probably enable it. Unusable security isn’t security at all, and biometric authentication systems usually provide usable security.
fingerprint-IDFrom a privacy perspective though, it all goes downhill. The main problem with biometrics, in particular with facial recognition, is that it is incredibly easy to fake and is essentially irrevocable. If your password gets compromised, you change it. If a high-definition picture of you gets out, your only resource is plastic surgery. Very impractical.
For these reasons, biometric authentication should only ever be used as an additional authentication factor, and never as the sole mechanism used to authenticate a user.
Kevin: Unlike passwords and pins, a biometric identifier cannot be lost, forgotten or shared. You can choose from a large list that includes finger, face, retinal scan, iris, gait, vein infrared thermogram, hand geometry and palm print. Or you can use a combination of these identifiers (multimodal-biometrics).
facial-recognition-idFingerprint scans taken when the finger is flat will be different when misaligned, wet, dirty or practically frozen. Facial techniques are not immune to problems either, as facial characteristics checked with glasses will be different with sunglasses, no glasses and colour of the ambient light. These can result in either false acceptance or false rejection. If this is not managed and measured properly, it can lead to a bad user experience. The objective of biometric identity authentication is to establish a bond of trust between an organisation and the user. The more accurate any chosen authentication method is, the stronger the bond of trust will be.
Every biometric authentication method has problems to overcome. Voice, for example, must be measured against both the ambient background e.g. a restaurant, a train, a corner shop or sports arena. The main barrier to its widespread adoption is the problem of aural eavesdropping. Whether it be casual or malicious, bystanders may be able to overhear a private verbal interaction by screen readers or users.
A PIN plus a password is not actually multi-factor, since both items are something you know
Voice authentication can however play an important role in certain niche areas. The process of authentication is stressful for many users looking to access devices or services. Individuals who are blind have difficulties with processes of authentication such as CAPTCHA which cut them off from bank accounts and all other online access points because they’re required to visualise and input meaningless character sequences.
What is the importance of a multi-factor approach?
Kevin: Multifactor authentication reduces risk by involving different types of factors that would require an attacker to use different methods of attack, making a breach more difficult. Multi-factor authentication should combine at least two of the following to strongly authenticate a user; something you know (typically a password/PIN), something you have (a trusted device identifier that is not easily duplicated), and something you are (your unique biometrics).
In order to qualify as multi-factor authentication, two items must be combined from different categories. A PIN plus a password is not actually multi-factor, since both items are something you know. When combined, three factor authentication with a device ID allows enterprises to easily combine ‘what we have’ and ‘what we know’, with the all-important ‘who we are’. This integrates a core benefit to future security systems.
Do you see biometric processes eventually overtaking traditional methods?
Diogo: We’re already seeing some of this happening with Apple Pay and its equivalents, so I would say biometrics will only get more popular. In terms of timelines, I would say that more than 25% of all payments in the U.S. will be processed in this way as soon as 2025.
Kevin: I agree that it is practicable that biometric authentication will become the common medium of providing credentials, although it should always be combined with a multi-factor method.
smartcardOne popular hardware approach for authentication is smart cards. Smart card technology is a great way to store biometrics information. A smart card can provide a strong authentication platform in your pocket. Together, mobile phones and smart cards can be used for physical and logical access authentication.
Hardware security tokens carry serious concerns. Firstly, they involve additional costs, such as the cost of the token and any replacement fees. Users always need to carry the token with them. Users need multiple tokens for multiple websites and devices. Finally, they do not fully protect you from a man-in-the-middle attack (i.e., an attack where an intruder intercepts a user’s session and steals the user’s credentials by acting as a proxy between the user and the authentication device). Essentially, if you lose the token, you lose control.
As mentioned above, a related area is digital certificate on USBs or smart cards. The problem here is that they require users to carry an additional smart card reading device or USB at all times. They also involve additional cost, such as certifying the authority’s subscription cost. You need multiple certificates for different sites or devices. It can be difficult for non-authorised users to extract the private key when stored on a smart card—they’ll require user training for certificate generation and use.
How will companies incorporate biometric technologies into their corporate security strategies?
Kevin: Security is dependent on a users’ ability to maintain a secret ID and password. It is not completely reliable when used for making financial transactions remotely, such as fund transfers or other payments through an internet banking channel. The cost of support increases as well. With an increase in user ID and password complexity, IT support staff may need to spend extra time dealing with authentication problems, such as helping staff reset passwords that are locked after a certain number of failed entry attempts.
A hurried implementation of biometric authentication and BYOD at your own risk is not good enough.
The biggest change in the workplace might be the rise of mobile devices as the device of choice for biometric reading. Most of the flagship smartphones have biometric sensors already incorporated into the hardware that may cause a need for additional hardware costs such as scanners. There are also extra costs needed for deployment, support and maintenance. It may not even be suitable for mass-consumer deployment.
biometrics-mobileMobile device management must be in place to enforce secure policies. This can help with the problem of lost devices, so a company can wipe or clear the lost device while also preventing lawsuits. Google provides tools for Google Apps administrators to allow selective device wipes that clean app data without wiping the device entirely.
There is a large overlap between recommended secure practice in traditional computing and mobile. One notable difference is in the app ecosystem. The sheet proliferation of apps makes it difficult for IT departments to monitor. A better approach is to isolate enterprise applications and encrypt enterprise data within a mobile device. They can do so with the devices own home screen, launcher, apps, and widgets so that apps inside the container are separated from applications outside the container.
Education also plays an important role in holistic security. It is critical that employees are shown why apps should be obtained via reputable app stores. Workers must be briefed on the potential dangers of ‘rooting’ devices and to steer clear of ‘recent uploads’ as most malware is eventually discovered and removed after a period of time, on the app stores. IT departments should enforce timely updates of software and apps when it becomes available. A hurried implementation of biometric authentication and BYOD at your own risk is not good enough. Implementation should take effect at the same time as the enforced policies of an organisation. Companies have too much to lose especially when so much sensitive corporate information is hosted on remote mobile devices.
| }
|