There seems to be a real ‘love them or hate them’ divide when it comes to biometrics.
Many of us are comfortable using them on a daily basis. Our smartphones and other connected devices utilise our fingers and thumbs – and more recently, our faces – to unlock them, and authenticate access to the apps we rely on in our day-to-day lives.
This frequent usage – or dare I say, reliance – suggests that many of us enjoy the convenience and ease of use, over entering passwords or PIN numbers.
But not everyone shares this view. Civil rights, bias and privacy are just some of the concerns people hold. That’s because biometric data is different to passwords – it’s personal and permanent.
So if a company, government body or school has my personal biometric data, it begs a host of privacy and security questions: Where are they storing it? Who has access to it? Is it secure? What else are they using it for? And what happens to it when I leave?
So, which is best?
PIN numbers and passwords are both susceptible to a hacker’s guesswork. A fairly simple degree of social engineering all too often yields the wrong kind of results. But biometrics are not foolproof or 100% secure either. So how does a consumer or a security professional know which is best?
Systems and applications can force users to make passwords particularly complex – 12 or more characters, alphanumeric combinations, case sensitive, special characters, and so on. This is all well and good, but most of us need to write down passwords of such complexity in order to remember them – somewhat diluting the effectiveness.
What about fingerprints?
Our individual fingerprints are unique to us. But they are subject to change. Day-to-day wear and tear that may result in cuts, bruises or burns can all change the pattern of our unique prints.
As a result, recognition systems have to dial down their accuracy to a level that avoids excessive authentication failures while still achieving a match. Otherwise, a weekend of gardening or DIY could result in you being denied access to the office on Monday morning!
But this reduction in accuracy also reduces reliability: the more tolerant the match, the more likely a non-match is accepted. Facial recognition solutions are reported to have been spoofed by simply presenting a photograph of a user. It appears that no solution is foolproof.
But are biometrics more vulnerable to theft?
Any biometric data stored centrally will likely be in a database, very similar to one that holds email addresses and passwords. If an organisation’s systems are breached and an attacker is able to access or copy a database – its actual content makes little difference. That said, not all biometric solutions actually centrally store an image of your fingerprint or palm. For instance, Apple’s solution is described on their website as:
“Your fingerprint data is encrypted, stored on device, and protected with a key available only to the Secure Enclave. Your fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. It can’t be accessed by the OS on your device or by any applications running on it. It’s never stored on Apple servers, it’s never backed up to iCloud or anywhere else, and it can’t be used to match against other fingerprint databases.”
How easy is it to reuse stolen credentials?
A stolen account name and password can easily be used to attempt to access multiple accounts or services. The attacker can use automation tools to cause widespread damage and disruption without leaving their armchair or having to buy any special gizmos to do so. Furthermore, the all-too-common habit of reusing passwords across multiple sites increases the risk factor enormously.
Trying to use a stolen fingerprint or palm scan to authenticate to a system or gain access to a building takes a much more determined effort. Taking a digital representation of a fingerprint and turning it into a physical thing in latex – or some similar substance – is time-consuming and not straightforward.
But it’s not impossible – remember Mr. Kill and the laser in the Bond movie, Die Another Day?
As for facial recognition, there is nothing stopping an attacker attempting to use a photograph of your face to spoof a facial recognition system. They don’t even have to steal it – they could simply take a photo of you in a public place. Even iris recognition systems have been spoofed, so these biometrics are not infallible.
But I can change my password!
And here is the key! A stolen or compromised password can be blocked or changed easily and quickly, allowing normal secure service to be resumed. Changing part of an individual’s biometric signature just isn’t going to happen.
So, does Multi-Factor Authentication (MFA) offer the best of both worlds?
MFA uses our biometric signature as just one part of an authentication or verification process. To access a building or log on to your banking app you have to enter a PIN number and then scan your fingerprint, palm or face to complete the process.
In this instance, an attacker with a copy of your biometric signature is still unable to do anything unless they have the PIN number too, and vice versa. And if that PIN is ever compromised, it can be changed easily.
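As an added illustration of the two points above (not code from the original post or from Fujitsu), the Python below scores constructed genuine and impostor match attempts against a threshold to show how relaxing the threshold trades false rejects for false accepts, and then gates the result on a PIN so that a lax biometric match alone is not enough. All scores, the enrolled PIN and the threshold values are constructed sample data.

```python
import hmac
from typing import Iterable

# Constructed similarity scores in [0, 1] between a presented print and the
# enrolled template (sample data, not output from any real sensor).
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.90, 0.71, 0.66, 0.58]   # last three: cut/worn fingers
IMPOSTOR_SCORES = [0.12, 0.25, 0.33, 0.41, 0.52, 0.61, 0.19]  # 0.61 is a close non-match

ENROLLED_PIN = "4821"  # constructed; a real system stores a salted hash, not the PIN


def false_reject_rate(genuine: Iterable[float], threshold: float) -> float:
    """Share of legitimate attempts rejected because their score is below the threshold."""
    scores = list(genuine)
    return sum(s < threshold for s in scores) / len(scores)


def false_accept_rate(impostor: Iterable[float], threshold: float) -> float:
    """Share of impostor attempts accepted because their score reaches the threshold."""
    scores = list(impostor)
    return sum(s >= threshold for s in scores) / len(scores)


def evaluate(threshold: float) -> dict:
    """FRR and FAR for one threshold: lowering it cuts FRR but raises FAR."""
    return {"threshold": threshold,
            "frr": false_reject_rate(GENUINE_SCORES, threshold),
            "far": false_accept_rate(IMPOSTOR_SCORES, threshold)}


def mfa_decision(score: float, pin: str, threshold: float) -> bool:
    """Grant access only when the biometric match AND the PIN both succeed.
    A lowered threshold that lets a close non-match through is no longer
    enough on its own; the PIN remains the changeable, revocable factor."""
    biometric_ok = score >= threshold
    pin_ok = hmac.compare_digest(pin, ENROLLED_PIN)  # constant-time comparison
    return biometric_ok and pin_ok


if __name__ == "__main__":
    for t in (0.85, 0.70, 0.55):
        r = evaluate(t)
        print(f"threshold={t:.2f}  FRR={r['frr']:.2f}  FAR={r['far']:.2f}")
    # The 0.61 impostor passes the lax threshold alone but not with a wrong PIN.
    print(mfa_decision(0.61, "0000", 0.55), mfa_decision(0.61, ENROLLED_PIN, 0.55))
```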
Would solutions like this improve security?
Well, they certainly relieve the user from password overload. And PIN numbers are typically more memorable than complex passwords, and as such, may not need to be written down – all of which has to be a step in the right direction.
It’s also worth noting that for each and every biometric solution, there will be a proportion of the population who are unable to use it. The work-around solution you choose should not reduce or weaken the overall security posture.
In the wake of Covid-19, biometric solutions and other contactless technologies in this space have clear benefits to organisations in these new times of social distancing. Traditional door entry systems are all high-volume physical contact points, and require regular cleaning and disinfecting.
For a large enterprise, replacing a traditional card reader and PIN entry system with a card reader and palm scan, for example, would vastly reduce the amount of physical contact. This all helps to reduce the cleaning burden, and contributes to a safer working environment.
Replacing that 12-character complex password with a PIN number and a biometric verification might make your IT system more secure, too.
Traditional enterprise IT approaches are crumbling fast – the boundary firewall, the corporate network, the trusted device. Throughout all this change there has been and remains one constant – us, the user. And with us wherever we go is our individual biometric signature.
Utilising elements of this unique and always-available signature as the way to authenticate ourselves – whether that’s a fingerprint, palm vein, retina scan, facial or voice recognition, or more likely a combination of these, known as ‘multi-modal biometrics’ – will become the new normal.
What is Fujitsu doing?
Fujitsu is continually evaluating the development of a wide range of biometric solutions that utilise the very latest biometric security technologies. One of these is PalmSecure, a contactless palm-vein device that offers an easy-to-use, hygienic solution for verifying identity.
The palm vein device works by capturing a person’s vein pattern image while radiating it with near-infrared rays. This vein pattern is then verified against a pre-registered pattern to authenticate the individual.
Since joining Fujitsu’s Defence & National Security business unit, Mark has assumed responsibility for the department’s cyber services strategy and portfolio. He is also responsible for managing strategic technical security relationships with partners and UK government. In this capacity he is utilizing his accumulated technical knowledge across multiple products, services and solutions combined with experience of the numerous available procurement routes.
In June 2019, Mark was awarded the status of Fujitsu Distinguished Engineer, a global network of role model technologists: https://www.fujitsu.com/uk/innovation/fujitsu-distinguished-engineers/. He currently serves as an elected member of techUK’s Cyber Security Management Committee.