Is biometric technology secure? Exploring two scenarios
As people, technologists, and organisations, we have a wealth of technology and connectivity at our fingertips. This has clear benefits for how we live and work, offering greater flexibility, productivity, and scalability for businesses. Sadly, cyber-criminals also have great opportunities to strike. And when they do, their actions not only impact the targeted person or organisation, but their customers and wider stakeholders too.
Jonas Nilsson, Head of Product Management at Fingerprints, explores further.
From the compromise of Microsoft Exchange’s software – leading to the hacked accounts of at least 250,000 organisations – to Acer’s stolen data being leaked online as part of a $50 million ransomware attack, cyber-crime is a very real problem that affects many, regardless of industry or company size. It not only damages an organisation’s revenue, reputation and infrastructure; the effects of malicious attacks are also set to cost the world $10.5 trillion annually by 2025.
The good news is that the fight against cyber-crime is heading in the right direction. Improving cyber security is a priority for many leaders, further evidenced by the vast investment that’s anticipated – with spending expected to surpass $260 billion by 2026.
This increased focus on robust security has put a spotlight on alternative authentication methods, especially since 80% of computer hacks and cyber-crimes have been the result of compromised passwords. And, while passwords might be easy to implement, 60% of consumers say they have too many passwords to remember, with some having over 85 covering their professional and personal accounts. In addition, 41% re-use or only slightly vary their passwords. As humans, we are an important link in the IT security chain, with some even citing human error as the number one cyber security threat to businesses.
Is biometric technology secure?
While users, technology vendors and organisations can never be completely immune to attacks, everyone can take steps to level-up security with more robust authentication methods that specifically serve their business’s needs and fight against future breaches.
And that’s where biometrics comes into the picture.
Either independently or as an integrated part of multi-factor authentication, biometric technology can be the solution, but it’s not a one-size-fits-all approach because organisations require varying levels of scalable security and authentication. After all, not everyone is trying to protect Fort Knox.
There are many inherent security features of biometrics to help curb cyber-crime. For example, implementing biometrics makes an immediate jump from single-factor authentication using only something you know (PIN/password) to multi-factor based on something you have and something you are.
The management of the data is also key. Consumer device authentication utilises a ‘privacy by design’ approach that inherently protects end-user biometric data with an on-device authentication approach. This means biometric data is captured, enrolled, stored, and managed all on the same device, without ever leaving the device owner’s control.
It’s a common misconception that biometric data, such as fingerprints, is stored as images that, if stolen, would permanently compromise the corresponding fingerprint and its use for any device or application. In fact, data from a biometric sensor is captured and stored as a fingerprint template. This mathematical representation makes theft of the template useless to an attacker, as the template code cannot be reverse engineered into the original fingerprint image, nor can it be linked to other services or personal data.
Can you spoof biometric technology?
Early spoofs would only need a very high-quality photocopy or, amazingly, a gummi bear. Extensive research and development has since produced advanced sensors and algorithms that are extremely difficult to spoof. It’s worth noting that spoofing requires considerable care, skill, money, and time, and also for a number of factors to come together perfectly, which is extremely unlikely in the real world:
- A good latent print. To retrieve a latent print that’s high quality enough to work, either a willing volunteer or the commitment to stalk a victim until a viable print can be retrieved is needed
- Advanced Photoshop skills. Even if a quality latent print is secured, advanced editing skills are needed to reach the required level of 3D detail
- A lab environment – or very similar. To convert these prints into an effective mould usually requires a lab environment and significant effort
- Access to the device. To perform the hack, the attacker would also need access to the device in question for an extended period of time. Most people will report their device lost or stolen, or block their debit card, before anything can be achieved. Also, most devices only give attackers a small number of attempts to gain access before reverting to passphrase and locking
The fingerprint sensor spoofing seen in media today is either a proof-of-concept or a cooperative spoof and takes months to work, alongside a highly skilled team and the perfect scenario of circumstances. Most criminals also want to put their time into attacks that can be replicated and scaled across multiple devices, people, or companies. Investing the time, money, and effort to spoof a fingerprint would only help the fraudster access one person’s devices and services, likely for a limited time. Largely, the risk and investment outweigh the reward.
Biometrics is not ‘one-size-fits-all’
Biometric technology provides many robust cyber security options to suit an organisation’s specific requirements. For example:
- Scenario 1: Moving away from passwords, PINs, and token systems for everyday authentication
Biometrics presents the very real possibility for businesses and users to say goodbye to passwords and PINs for good.
In social engineering attacks, attackers generally take the path of least resistance and, most often, it is the end-user that is the ‘weakest link’ in the security chain. Consumers are vulnerable to attacks, such as phishing, where they can be tricked into giving away information such as a PIN or password. With consumer biometrics, the user only presents their biometrics to their personal device, meaning they cannot give anything away. Additionally, biometrics is not ‘glanceable’ like a PIN in a shoulder surfing attack. This also removes the risks generated by mistakes or complacency, such as creating a password that is easily guessed or used across multiple accounts.
As well as immediately increasing security, biometric technology maintains and even, in some cases, increases convenience and UX.
- Scenario 2: The need to protect high-value assets and resist sophisticated attacks
Certain systems and implementations can prevent highly sophisticated attacks and subsequently protect the most valuable targets. A great example of this is Fingerprints’ recently launched FPC1523 sensor for physical and logical access devices and applications. The model enables users to store a key in a secure area of the memory and ‘pair’ the secure element with the sensor, preventing a valid sensor from being swapped for a rogue one. It can also encrypt the communication between the two, so that ‘replay attacks’ cannot succeed.
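To make the pairing idea concrete, the following is an added, constructed simulation of a paired sensor and secure element; it is not Fingerprints’ code and says nothing about how the FPC1523 actually implements its protocol. It assumes a single shared pairing key (hypothetical `PAIRING_KEY`) provisioned into both parts, a fresh challenge nonce issued by the secure element for every capture, an HMAC tag over each frame, and an HMAC-derived keystream standing in for the real product’s cipher. It then shows why a rogue sensor without the key and a replayed frame are both rejected.

```python
import hmac
import hashlib
import secrets

# Constructed demo value: in a real product the pairing key is provisioned
# into secure memory on both sides during manufacture and never leaves it.
PAIRING_KEY = secrets.token_bytes(32)


def _prf(key, label, data):
    # Keyed pseudo-random function; separate labels keep the authentication
    # and encryption outputs independent even for the same nonce.
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _xor_keystream(key, nonce, data):
    # Illustrative confidentiality only: one 32-byte keystream per nonce.
    # A production design would use a real AEAD cipher here.
    assert len(data) <= 32, "demo keystream covers at most 32 bytes"
    ks = _prf(key, b"enc", nonce)
    return bytes(a ^ b for a, b in zip(data, ks))


class Sensor:
    """Fingerprint sensor that signs and encrypts its match verdict."""

    def __init__(self, pairing_key):
        self._key = pairing_key

    def respond(self, nonce, verdict):
        ct = _xor_keystream(self._key, nonce, verdict.encode())
        tag = _prf(self._key, b"auth", nonce + ct)   # binds nonce and ciphertext
        return {"nonce": nonce, "ct": ct, "tag": tag}


class SecureElement:
    """Secure element that only trusts frames from its paired sensor."""

    def __init__(self, pairing_key):
        self._key = pairing_key
        self._pending = None   # nonce issued for the next capture; single use

    def issue_challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def accept(self, frame):
        nonce, ct, tag = frame["nonce"], frame["ct"], frame["tag"]
        # 1. Freshness: the nonce must be the one currently outstanding.
        if self._pending is None or not hmac.compare_digest(nonce, self._pending):
            return False, "stale or unknown nonce (replay)"
        self._pending = None   # consume it before doing anything else
        # 2. Authenticity: only the paired key produces a matching tag.
        expected = _prf(self._key, b"auth", nonce + ct)
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag (unpaired sensor or tampered frame)"
        # 3. Confidentiality: recover the verdict.
        verdict = _xor_keystream(self._key, nonce, ct).decode()
        return True, verdict


def run_scenarios():
    """Exercise the three cases the text describes; returns each outcome."""
    se = SecureElement(PAIRING_KEY)
    paired = Sensor(PAIRING_KEY)
    rogue = Sensor(secrets.token_bytes(32))   # swapped-in sensor, no pairing key

    # Normal capture from the paired sensor.
    n1 = se.issue_challenge()
    frame1 = paired.respond(n1, "match")
    ok_paired = se.accept(frame1)

    # Replay: an attacker recorded frame1 and resends it on the next capture.
    n2 = se.issue_challenge()
    ok_replay = se.accept(frame1)

    # Rogue sensor: sees the live challenge n2 but cannot produce a valid tag.
    ok_rogue = se.accept(rogue.respond(n2, "match"))

    return {"paired": ok_paired, "replay": ok_replay, "rogue": ok_rogue}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:7s} -> accepted={result[0]} ({result[1]})")
```

The two checks are deliberately ordered: the nonce is consumed before the tag is verified, so a frame that fails authentication also burns the outstanding challenge and the secure element must issue a new one, which denies an attacker unlimited attempts against a single nonce.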
Tailoring cybersecurity through biometric technology to meet specific needs
Security works on the basic premise that nothing is 100% secure. Everything from traditional solutions – like keys and safes – through to digital security (such as biometrics and FIDO2 tokens) exists to make life difficult for criminals, who do not want to deal with how time-consuming, expensive, and risky it can be to break into a device or application.
Biometrics provides an easy pathway for people and organisations to move from basic traditional security measures to more sophisticated, multi-factor digital security. That foundation can be built on with different biometric systems and implementations that protect everything from smaller scale operations to those possessing high-value assets. The important factor to remember is that biometric technology offers choice and the ability to integrate security solutions that are tailored to specific needs, budget, and existing infrastructure.