Endpoint

1/18/2017
02:30 PM
Todd Thibodeaux
Todd Thibodeaux
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What CISOs Need To Know Before Adopting Biometrics

Biometric techniques offer a solution to the password problem, but getting started can be tough. Here are a few things you need to know.

Businesses have long sought a better way to balance end-user security and usability, and it's clear the password-only model needs to change.

Faced with employees who are unwilling to remember more than a handful of unique passwords despite using dozens of different devices, services, and platforms, organizations have thrown their weight behind biometric authentication. Fingerprints, voice, and retina patterns — which are hard to fake and impossible to forget — promise an escape from poor end-user security habits.

Laying the Groundwork for Biometric Authentication
With myriad off-the-shelf solutions and potential approaches to implementing biometric authentication, it can be difficult to know where to start. Here are a three considerations CISOs should keep in mind while planning their organization's transition:

1. Biometric data is personally identifiable information. It's always important for organizations to protect their users' passwords, but biometric authentication data presents an extra layer of complexity. Not only is biometric data used to access sensitive or confidential resources, it is valuable in its own right. In fact, organizations that contract with the U.S. government are often required to submit to the personally identifiable information management practices outlined in the Privacy Act of 1974, but states can and do pass more stringent regulations in a patchwork of security breach notification laws. For example, California's SB 1386 requires organizations to notify individuals when PII is believed to be compromised.

Before fully adopting biometric authentication, IT leaders must carefully consider how PII will be stored and used. A fingerprint reader installed on a workstation is less risky than biometric authentication passed over a network, for example, but biometric tokenization can largely eliminate this weakness. Organizations should focus on securing devices that will store biometric data through measures such as encryption, adoption of trusted platform modules in client machines to prevent data theft, and other physical security measures.

2. Passwords still have a place. Although biometric authentication promises to make users less reliant on passwords, it's limited in its ability to fully supplant them. Even ignoring the legal and ethical complexities introduced by biometric authentication, a breach can permanently render biometric data unusable from a security standpoint. A password, once compromised, can be changed, but the same can't be said of fingerprints, hand geometry, and retina patterns.

At the same time, biometric authentication isn't 100% reliable. Where no modern system will reject a correct password, every biometric authentication configuration must account for some level of false negatives and positives. Especially in highly secure environments, false positives may present an unacceptable risk, while false negatives require a fallback authentication mechanism such as a traditional password. CISOs planning to adopt biometric authentication must ensure that biometric credentials are issued in addition to, not in place of, traditional passwords.

3. Protecting data through redundancy. Organizations planning to deploy biometric authentication on any large scale must include data loss prevention in their implementation from the beginning. This is true not only of biometric data transmitted by users but also of the data they intend to access. To prevent the loss of biometric data, organizations should invest in high-availability authentication servers, using technology such as load balancing to ensure high demand doesn't prevent end users from authenticating. IT leaders must also consider ways to protect the data end users wish to access. Since any single form of biometric authentication could report a false positive, organizations should make sure that sensitive systems can use multiple biometric sources in tandem, such as both facial and fingerprint recognition.

A More-Secure Future
Biometrics may not solve all poor end-user security practices, but the right strategy can help organizations seriously address the shortcomings of their existing password use. In an ideal implementation, biometrics can serve as a quicker, more convenient access solution for end users while enabling multifactor authentication and more robust security. Businesses may need to invest in additional capabilities to meet logistical and regulatory demands, but it's clear that passwords alone aren't enough.

Related Content:

Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8360
PUBLISHED: 2019-02-16
Themerig Find a Place CMS Directory 1.5 has SQL Injection via the find/assets/external/data_2.php cate parameter.
CVE-2019-8361
PUBLISHED: 2019-02-16
PHP Scripts Mall Responsive Video News Script has XSS via the Search Bar. This might, for example, be leveraged for HTML injection or URL redirection.
CVE-2019-8362
PUBLISHED: 2019-02-16
DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg, .png, o...
CVE-2019-8363
PUBLISHED: 2019-02-16
Verydows 2.0 has XSS via the index.php?c=main a parameter, as demonstrated by an a=index[XSS] value.
CVE-2019-8358
PUBLISHED: 2019-02-16
In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled.