Endpoint

1/18/2017
02:30 PM
Todd Thibodeaux
Todd Thibodeaux
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What CISOs Need To Know Before Adopting Biometrics

Biometric techniques offer a solution to the password problem, but getting started can be tough. Here are a few things you need to know.

Businesses have long sought a better way to balance end-user security and usability, and it's clear the password-only model needs to change.

Faced with employees who are unwilling to remember more than a handful of unique passwords despite using dozens of different devices, services, and platforms, organizations have thrown their weight behind biometric authentication. Fingerprints, voice, and retina patterns — which are hard to fake and impossible to forget — promise an escape from poor end-user security habits.

Laying the Groundwork for Biometric Authentication
With myriad off-the-shelf solutions and potential approaches to implementing biometric authentication, it can be difficult to know where to start. Here are a three considerations CISOs should keep in mind while planning their organization's transition:

1. Biometric data is personally identifiable information. It's always important for organizations to protect their users' passwords, but biometric authentication data presents an extra layer of complexity. Not only is biometric data used to access sensitive or confidential resources, it is valuable in its own right. In fact, organizations that contract with the U.S. government are often required to submit to the personally identifiable information management practices outlined in the Privacy Act of 1974, but states can and do pass more stringent regulations in a patchwork of security breach notification laws. For example, California's SB 1386 requires organizations to notify individuals when PII is believed to be compromised.

Before fully adopting biometric authentication, IT leaders must carefully consider how PII will be stored and used. A fingerprint reader installed on a workstation is less risky than biometric authentication passed over a network, for example, but biometric tokenization can largely eliminate this weakness. Organizations should focus on securing devices that will store biometric data through measures such as encryption, adoption of trusted platform modules in client machines to prevent data theft, and other physical security measures.

2. Passwords still have a place. Although biometric authentication promises to make users less reliant on passwords, it's limited in its ability to fully supplant them. Even ignoring the legal and ethical complexities introduced by biometric authentication, a breach can permanently render biometric data unusable from a security standpoint. A password, once compromised, can be changed, but the same can't be said of fingerprints, hand geometry, and retina patterns.

At the same time, biometric authentication isn't 100% reliable. Where no modern system will reject a correct password, every biometric authentication configuration must account for some level of false negatives and positives. Especially in highly secure environments, false positives may present an unacceptable risk, while false negatives require a fallback authentication mechanism such as a traditional password. CISOs planning to adopt biometric authentication must ensure that biometric credentials are issued in addition to, not in place of, traditional passwords.

3. Protecting data through redundancy. Organizations planning to deploy biometric authentication on any large scale must include data loss prevention in their implementation from the beginning. This is true not only of biometric data transmitted by users but also of the data they intend to access. To prevent the loss of biometric data, organizations should invest in high-availability authentication servers, using technology such as load balancing to ensure high demand doesn't prevent end users from authenticating. IT leaders must also consider ways to protect the data end users wish to access. Since any single form of biometric authentication could report a false positive, organizations should make sure that sensitive systems can use multiple biometric sources in tandem, such as both facial and fingerprint recognition.

A More-Secure Future
Biometrics may not solve all poor end-user security practices, but the right strategy can help organizations seriously address the shortcomings of their existing password use. In an ideal implementation, biometrics can serve as a quicker, more convenient access solution for end users while enabling multifactor authentication and more robust security. Businesses may need to invest in additional capabilities to meet logistical and regulatory demands, but it's clear that passwords alone aren't enough.

Related Content:

Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10008
PUBLISHED: 2019-04-24
Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login a...
CVE-2019-9950
PUBLISHED: 2019-04-24
Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an authentication bypass vulnerability. The login_mgr.cgi file checks credentials agains...
CVE-2019-9951
PUBLISHED: 2019-04-24
Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an unauthenticated file upload vulnerability. The page web/jquery/uploader/uploadify.php...
CVE-2018-10055
PUBLISHED: 2019-04-24
Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file.
CVE-2018-7577
PUBLISHED: 2019-04-24
Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory.