Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/18/2017
02:30 PM
Todd Thibodeaux
Todd Thibodeaux
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What CISOs Need To Know Before Adopting Biometrics

Biometric techniques offer a solution to the password problem, but getting started can be tough. Here are a few things you need to know.

Businesses have long sought a better way to balance end-user security and usability, and it's clear the password-only model needs to change.

Faced with employees who are unwilling to remember more than a handful of unique passwords despite using dozens of different devices, services, and platforms, organizations have thrown their weight behind biometric authentication. Fingerprints, voice, and retina patterns — which are hard to fake and impossible to forget — promise an escape from poor end-user security habits.

Laying the Groundwork for Biometric Authentication
With myriad off-the-shelf solutions and potential approaches to implementing biometric authentication, it can be difficult to know where to start. Here are a three considerations CISOs should keep in mind while planning their organization's transition:

1. Biometric data is personally identifiable information. It's always important for organizations to protect their users' passwords, but biometric authentication data presents an extra layer of complexity. Not only is biometric data used to access sensitive or confidential resources, it is valuable in its own right. In fact, organizations that contract with the U.S. government are often required to submit to the personally identifiable information management practices outlined in the Privacy Act of 1974, but states can and do pass more stringent regulations in a patchwork of security breach notification laws. For example, California's SB 1386 requires organizations to notify individuals when PII is believed to be compromised.

Before fully adopting biometric authentication, IT leaders must carefully consider how PII will be stored and used. A fingerprint reader installed on a workstation is less risky than biometric authentication passed over a network, for example, but biometric tokenization can largely eliminate this weakness. Organizations should focus on securing devices that will store biometric data through measures such as encryption, adoption of trusted platform modules in client machines to prevent data theft, and other physical security measures.

2. Passwords still have a place. Although biometric authentication promises to make users less reliant on passwords, it's limited in its ability to fully supplant them. Even ignoring the legal and ethical complexities introduced by biometric authentication, a breach can permanently render biometric data unusable from a security standpoint. A password, once compromised, can be changed, but the same can't be said of fingerprints, hand geometry, and retina patterns.

At the same time, biometric authentication isn't 100% reliable. Where no modern system will reject a correct password, every biometric authentication configuration must account for some level of false negatives and positives. Especially in highly secure environments, false positives may present an unacceptable risk, while false negatives require a fallback authentication mechanism such as a traditional password. CISOs planning to adopt biometric authentication must ensure that biometric credentials are issued in addition to, not in place of, traditional passwords.

3. Protecting data through redundancy. Organizations planning to deploy biometric authentication on any large scale must include data loss prevention in their implementation from the beginning. This is true not only of biometric data transmitted by users but also of the data they intend to access. To prevent the loss of biometric data, organizations should invest in high-availability authentication servers, using technology such as load balancing to ensure high demand doesn't prevent end users from authenticating. IT leaders must also consider ways to protect the data end users wish to access. Since any single form of biometric authentication could report a false positive, organizations should make sure that sensitive systems can use multiple biometric sources in tandem, such as both facial and fingerprint recognition.

A More-Secure Future
Biometrics may not solve all poor end-user security practices, but the right strategy can help organizations seriously address the shortcomings of their existing password use. In an ideal implementation, biometrics can serve as a quicker, more convenient access solution for end users while enabling multifactor authentication and more robust security. Businesses may need to invest in additional capabilities to meet logistical and regulatory demands, but it's clear that passwords alone aren't enough.

Related Content:

Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.