
Bojan Simic

How to Get the Most Benefits from Biometrics

Providing an easy-to-use, uniform authentication experience without passwords is simpler than you may think.

Biometric systems have many benefits that enhance cybersecurity. But organizations must learn how to leverage and simplify this complex environment — consisting of mobile devices and sensors that are unified under the common FIDO standard — to reap the most benefits from it.

First of all, IT and cybersecurity teams must take a firmer stance on mobile security because mobile devices are where biometric functions are most often found. Second, having the right user experience (UX) for biometrics is essential because many users may reject an approach that is counterintuitive or too cumbersome. Cybersecurity and UX are no longer mutually exclusive, and many of today's new password-free solutions can provide a uniform experience that is accessible to all users regardless of their technical acumen. Over time, biometrics will be part of the physical world, allowing users to unlock their laptops, devices, offices, and conference rooms, all underpinned by the FIDO standard, which will ultimately deliver the best protection across the enterprise.

Here are some recommendations for leveraging the biometric ecosystem in the most beneficial ways possible.

Mastercard, Aetna, and First Citrus Bank used biometrics to shed the risk of holding centralized credentials and passwords for a portion of their users, in order to reduce cybersecurity attacks and breaches. The primary benefit these enterprises and we practitioners observe is that we're replacing the "something you know" factor of user authentication with the more difficult to reproduce "something you are." The majority of sensors on modern mobile devices have a 1/50,000 minimum false acceptance rate, which makes it difficult to mimic a biometric template — that is, an image of a fingerprint or a face, or a subset of a voice.

Pairing these sensors with standards-based authentication that eliminates shared secrets (such as the FIDO Alliance protocols) means that service providers can slow down adversaries while simplifying the UX. This disrupts hackers' fraud model to the point where they would have to go from device to device to obtain a single user's credentials, which are typically encrypted and isolated in the most secure area of the device, or they would need physical access to the device of each user they want to target. This approach makes a mass credentials breach, such as those we've been seeing on a regular basis, infeasible.

But what of the fragmented array of choices among operating systems, authentication modes (e.g., touch, face, voice, behavioral), and devices, particularly in the Android space? The best way to defragment this ecosystem is by adopting an open standard — such as FIDO — that uses biometric capabilities, meeting security targets while providing a uniform UX. Consumers know how to use the biometric capability of their mobile device or laptop without issue, and the UX is similar across devices even though they come from different manufacturers and function across different operating systems. 

Take a Tougher Stance on Mobile Security
Many of our financial services are available as mobile apps, which has led to a rapid increase in the attack surface.

Enterprises must take a much harder stance on mobile security because they continue to be affected by breaches driven by credential reuse, which currently succeeds at a rate of 2% to 4%, according to Shape Security's "Credential Spill Report." The mobile platform is not immune to this growth in credentials-based fraud. Therefore, we should get ahead of fraud's migration to mobile by ending shared-secret forms of authentication to mobile apps. Standards like FIDO are mobile-centric and make the marriage of device biometrics and public key infrastructure the cornerstone of secure, seamless experiences across mobile devices, desktops, and the Internet of Things.

But we shouldn't stop there. As hackers realize their wholesale model of mass credential breaches has been disrupted, they will target devices with malware — for example, keyloggers. So, while mobile security will see an improvement with strong authentication without shared secrets, we'll need more robust malware intrusion detection, device health, and defense capabilities on mobile devices.

Make User Experience a Top Priority
Any access method offered as an alternative to passwords should be simpler and faster, or consumers will balk at adoption. In today's business atmosphere, keeping the user's attention is critical because it's easy to lose it. Ease of use should be the top priority for every organization.

Providing an easy-to-use, uniform experience for biometrics is simpler than one may think. Most employees already have a company or personal smartphone with one or more biometric capabilities. Cybersecurity teams should ensure that all mobile devices across their enterprise can be leveraged seamlessly to authenticate to workstations, to apps using single sign-on, and to physical access systems. Organizations can then remove the password from the login process — and from existence with FIDO standards — and provide a seamless UX by having the user authenticate with the familiar biometric capability on their mobile device. 

An Iterative Process
Cybersecurity teams will succeed with biometrics if they embrace it as a gradual process. Find areas of your business where biometrics can have the greatest effect quickly and deploy the capabilities there. This can be for internal use cases or consumer-facing apps.

Bojan Simic is the Chief Technology Officer and Co-Founder of HYPR. Previously, he served as an information security consultant for Fortune 500 enterprises in the financial and insurance verticals conducting security architecture reviews, threat modeling, and penetration ...

User Rank: Moderator
6/13/2019 | 4:08:45 AM
Many more tasks
Biometrics help to save a lot of time and can actually perform more tasks than we would expect. Apart from simply opening doors or locks, biometrics can also be used to track employees' attendance for daily work or for courses/training. They provide accurate recording and easy tabulating of recorded data. This system would help prevent human error and also save a lot of time on administrative duty.
Kathleen Peters,
User Rank: Author
6/11/2019 | 11:03:00 AM
Biometrics are an important part of a layered approach
Biometrics are a key component for authentication use cases, and one that consumers have grown comfortable with providing. There is a high level of convenience when "you are your ID". Depending on the nature of a particular transaction, a real-time risk assessment can be done to determine whether the biometric should be used as a step-up; or in conjunction with other information provided by the consumer (what you know, what you have); or in conjunction with attributes passively provided by the device they are using. At the time of a new account opening, or for high-value transactions, a combination of authentication methods, both actively involving the user and in the background, can provide security as well as convenience.