
Application Security | Commentary
6/5/2019 02:30 PM
Bojan Simic

How to Get the Most Benefits from Biometrics

Providing an easy-to-use, uniform authentication experience without passwords is simpler than you may think.

Biometric systems have many benefits that enhance cybersecurity. But organizations must learn how to leverage and simplify this complex environment — consisting of mobile devices and sensors that are unified under the common FIDO standard — to reap the most benefits from it.

First of all, IT and cybersecurity teams must take a firmer stance on mobile security because mobile devices are where biometric functions are most often found. Second, having the right user experience (UX) for biometrics is essential because many users may reject an approach that is counterintuitive or too cumbersome. Cybersecurity and UX are no longer mutually exclusive, and many of today's new password-free solutions can provide a uniform experience that is accessible to all users regardless of their technical acumen. Over time, biometrics will be part of the physical world, allowing users to unlock their laptops, devices, offices, and conference rooms, all underpinned by the FIDO standard, which will ultimately deliver the best protection across the enterprise.

Here are some recommendations for leveraging the biometric ecosystem in the most beneficial ways possible.

Mastercard, Aetna, and First Citrus Bank have used biometrics to stop holding centralized passwords for a portion of their users, removing a target for credential theft and the breaches that follow it. The primary benefit these enterprises, and we as practitioners, observe is that the "something you know" factor of user authentication is replaced with "something you are," which is far harder to reproduce. The majority of sensors on modern mobile devices are rated for a false acceptance rate of no more than 1 in 50,000, so a random impostor is unlikely to match a user's biometric template (the mathematical representation derived from a fingerprint, face, or voice sample, not the raw image itself). Note that the false acceptance rate measures accidental matches by other people; resistance to deliberate spoofing with a fake finger or a photo is a separate property of the sensor.

Pairing these sensors with standards-based authentication that eliminates shared secrets (such as the FIDO Alliance protocols, in which the biometric never leaves the device but instead unlocks a private key held in the device's secure hardware, while the service provider stores only the matching public key) lets service providers slow down adversaries while making the UX easier. This disrupts the attackers' fraud model: to obtain a single user's credential they would have to compromise that user's device, where the key is isolated in the most secure area of the hardware, or gain physical access to it, and repeat that for every user they target. A breach of the service provider's database yields only public keys, which cannot be used to log in, so the mass credential breaches we have been seeing on a regular basis become infeasible.

But what of the fragmented array of choices among operating systems, authentication modes (e.g., touch, face, voice, behavioral), and devices, particularly in the Android space? The best way to defragment this ecosystem is by adopting an open standard — such as FIDO — that uses biometric capabilities, meeting security targets while providing a uniform UX. Consumers know how to use the biometric capability of their mobile device or laptop without issue, and the UX is similar across devices even though they come from different manufacturers and function across different operating systems. 

Take a Tougher Stance on Mobile Security
Many of our financial services are available as mobile apps, which has led to a rapid increase in the attack surface.

Enterprises must take a much harder stance on mobile security because they continue to suffer breaches driven by credential reuse: stolen username and password pairs replayed against other sites succeed 2% to 4% of the time, according to Shape Security's "Credential Spill Report." The mobile platform is not immune to this growth in credential-based fraud, so we should get ahead of fraud's migration to mobile by ending shared-secret forms of authentication to mobile apps. Standards like FIDO are mobile-centric and make the pairing of device biometrics with public key cryptography the cornerstone of secure, seamless experiences across mobile devices, desktops, and the Internet of Things.

But we shouldn't stop there. As attackers realize their wholesale model of mass credential breaches has been disrupted, they will target devices with malware, for example keyloggers today, and malware that abuses a compromised device's own authenticator or tricks the user into approving an authentication prompt once passwords are gone. So, while mobile security will improve with strong authentication that has no shared secrets, we'll need more robust malware detection, device health attestation, and defense capabilities on mobile devices.

Make User Experience a Top Priority
Any alternative to passwords should be simpler and faster, or consumers will balk at adopting it. In today's business atmosphere, keeping the user's attention is critical because it's easy to lose. Ease of use should be the top priority for every organization.

Providing an easy-to-use, uniform experience for biometrics is simpler than one may think. Most employees already have a company or personal smartphone with one or more biometric capabilities. Cybersecurity teams should ensure that all mobile devices across their enterprise can be used seamlessly to authenticate to workstations, to apps through single sign-on, and to physical access systems. Organizations can then remove the password from the login process, and with FIDO standards from the system entirely, and provide a seamless UX by having the user authenticate with the familiar biometric capability on their mobile device.

An Iterative Process
Cybersecurity teams will succeed with biometrics if they embrace it as a gradual process. Find areas of your business where biometrics can have the greatest effect quickly and deploy the capabilities there. This can be for internal use cases or consumer-facing apps.


Bojan Simic is the Chief Technology Officer and Co-Founder of HYPR. Previously, he served as an information security consultant for Fortune 500 enterprises in the financial and insurance verticals conducting security architecture reviews, threat modeling, and penetration ...
Comments
Kathleen Peters, User Rank: Author, 6/11/2019 11:03:00 AM
Biometrics are an important part of a layered approach
Biometrics are a key component for authentication use cases, and one that consumers have grown comfortable with providing. There is a high level of convenience when "you are your ID". Depending on the nature of a particular transaction, a real-time risk assessment can be done to determine whether the biometric should be used as a step-up; or in conjunction with other information provided by the consumer (what you know, what you have); or in conjunction with attributes passively provided by the device they are using. At the time of a new account opening, or for high-value transactions, a combination of authentication methods, both actively involving the user and in the background, can provide security as well as convenience.
CameronRobertson, User Rank: Moderator, 6/13/2019 4:08:45 AM
Many more tasks
Biometrics help to save a lot of time and can actually perform more tasks than we would expect. Apart from simply opening doors or locks, biometrics can also be used to track employees' attendance for daily work or for courses/training. They provide accurate recording and easy tabulating of recorded data. This system would help prevent human error and also save a lot of time on administrative duty.