Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

6/5/2019
02:30 PM
Bojan Simic
Bojan Simic
Commentary
Connect Directly
LinkedIn
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

How to Get the Most Benefits from Biometrics

Providing an easy-to-use, uniform authentication experience without passwords is simpler than you may think.

Biometric systems have many benefits that enhance cybersecurity. But organizations must learn how to leverage and simplify this complex environment — consisting of mobile devices and sensors that are unified under the common FIDO standard — to reap the most benefits from it.

First of all, IT and cybersecurity teams must take a firmer stance on mobile security because mobile devices are where biometric functions are most often found. Second, having the right user experience (UX) for biometrics is essential because many users may reject an approach that is counterintuitive or too cumbersome. Cybersecurity and UX are no longer mutually exclusive, and many of today's new password-free solutions can provide a uniform experience that is accessible to all users regardless of their technical acumen. Over time, biometrics will be part of the physical world, allowing users to unlock their laptops, devices, offices, and conference rooms, all underpinned by the FIDO standard, which will ultimately deliver the best protection across the enterprise.

Here are some recommendations for leveraging the biometric ecosystem in the most beneficial ways possible.

Mastercard, Aetna, and First Citrus Bank used biometrics to abandon the risk of holding centralized credentials and passwords for a portion of their users in order to reduce cybersecurity attacks and breaches. The primary benefit these enterprises and we practitioners observe is that we're replacing the "something you know" factor of user authentication with the more difficult to reproduce "something you are." The majority of sensors on modern mobile devices have a 1/50,000 minimum false acceptance rate, which makes it difficult to mimic a biometric template — that is, an image of a fingerprint or a face, or a subset of a voice.

Using these sensors paired with standards-based authentication (such as FIDO Alliance protocols) that eliminates shared secrets means that service providers can slow down adversaries while making the UX easier to use. This disrupts hackers' fraud model to the point where they would have to go from device to device in order to obtain a single user's credentials, which are often encrypted and isolated in the most secure area of the device. Or they must physically have access to the device of each user they want to target. This approach makes it unfeasible to have a mass credentials breach such as those we've been seeing on a regular basis. 

But what of the fragmented array of choices among operating systems, authentication modes (e.g., touch, face, voice, behavioral), and devices, particularly in the Android space? The best way to defragment this ecosystem is by adopting an open standard — such as FIDO — that uses biometric capabilities, meeting security targets while providing a uniform UX. Consumers know how to use the biometric capability of their mobile device or laptop without issue, and the UX is similar across devices even though they come from different manufacturers and function across different operating systems. 

Take a Tougher Stance on Mobile Security
Many of our financial services are available as mobile apps, which has led to a rapid increase in the attack surface.

Enterprises must take a much harder stance on mobile security because they continue to be affected by breaches because of the credential reuse success rate, which is currently at 2% to 4%, according to Shape Security’s "Credential Spill Report." The mobile platform is not immune to this growth in credentials-based fraud. Therefore, we should get ahead of fraud's migration to mobile by ending shared-secret forms of authentication to mobile apps. Standards like FIDO are mobile-centric and make the marriage of device biometrics and public key infrastructure the cornerstone of secure, seamless experiences across mobile devices, desktops, and the Internet of Things.

But we shouldn't stop there. As hackers realize their wholesale model of mass credential breaches has been disrupted, they will target devices with malware — for example, keyloggers. So, while mobile security will see an improvement with strong authentication without shared secrets, we'll need more robust malware intrusion, device health, and defense capabilities on mobile devices.

Make User Experience a Top Priority
Any method of access alternative to passwords should be simpler and faster, or consumers will balk at adoption. In today's business atmosphere, keeping the user's attention is critical because it's easy to lose it. Ease of use should be the top priority for every organization. 

Providing an easy-to-use, uniform experience for biometrics is simpler than one may think. Most employees already have a company or personal smartphone with one or more biometric capabilities. Cybersecurity teams should ensure that all mobile devices across their enterprise can be leveraged seamlessly to authenticate to workstations, to apps using single sign-on, and to physical access systems. Organizations can then remove the password from the login process — and from existence with FIDO standards — and provide a seamless UX by having the user authenticate with the familiar biometric capability on their mobile device. 

An Iterative Process
Cybersecurity teams will succeed with biometrics if they embrace it as a gradual process. Find areas of your business where biometrics can have the greatest effect quickly and deploy the capabilities there. This can be for internal use cases or consumer-facing apps.

Related Content:

 

Bojan Simic is the Chief Technology Officer and Co-Founder of HYPR. Previously, he served as an information security consultant for Fortune 500 enterprises in the financial and insurance verticals conducting security architecture reviews, threat modeling, and penetration ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CameronRobertson
50%
50%
CameronRobertson,
User Rank: Moderator
6/13/2019 | 4:08:45 AM
Much more tasks
Biometrics help to save a lot of time and can actually perform more tasks than we would expect. Apart from simply opening doors or locks, biometrics can also be used to track employees' attendance for daily work or for courses/training. They provide accurate recording and easy tabulating of recorded data. This system would help prevent human error and also save a lot of time on administrative duty.
Kathleen Peters
50%
50%
Kathleen Peters,
User Rank: Author
6/11/2019 | 11:03:00 AM
Biometrics are an important part of a layered approach
Biometrics are a key component for authentication use cases, and one that consumers have grown comfortable with providing. There is a high level of convenience when "you are your ID". Depending on the nature of a particular transaction, a realtime risk assessment can be done to determine whether the biometric should be used as a step-up; or in conjunction with other information provided by the consumer (what you know, what you have); or in conjunction with attributes passively provided by the device they are using. At the time of a new account opening, or for high-value transactions, a combination of authentication methods, both actively involving the user and in the background, can provide security as well as convenience. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...