Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/18/2017
02:30 PM
Todd Thibodeaux
Todd Thibodeaux
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What CISOs Need To Know Before Adopting Biometrics

Biometric techniques offer a solution to the password problem, but getting started can be tough. Here are a few things you need to know.

Businesses have long sought a better way to balance end-user security and usability, and it's clear the password-only model needs to change.

Faced with employees who are unwilling to remember more than a handful of unique passwords despite using dozens of different devices, services, and platforms, organizations have thrown their weight behind biometric authentication. Fingerprints, voice, and retina patterns — which are hard to fake and impossible to forget — promise an escape from poor end-user security habits.

Laying the Groundwork for Biometric Authentication
With myriad off-the-shelf solutions and potential approaches to implementing biometric authentication, it can be difficult to know where to start. Here are a three considerations CISOs should keep in mind while planning their organization's transition:

1. Biometric data is personally identifiable information. It's always important for organizations to protect their users' passwords, but biometric authentication data presents an extra layer of complexity. Not only is biometric data used to access sensitive or confidential resources, it is valuable in its own right. In fact, organizations that contract with the U.S. government are often required to submit to the personally identifiable information management practices outlined in the Privacy Act of 1974, but states can and do pass more stringent regulations in a patchwork of security breach notification laws. For example, California's SB 1386 requires organizations to notify individuals when PII is believed to be compromised.

Before fully adopting biometric authentication, IT leaders must carefully consider how PII will be stored and used. A fingerprint reader installed on a workstation is less risky than biometric authentication passed over a network, for example, but biometric tokenization can largely eliminate this weakness. Organizations should focus on securing devices that will store biometric data through measures such as encryption, adoption of trusted platform modules in client machines to prevent data theft, and other physical security measures.

2. Passwords still have a place. Although biometric authentication promises to make users less reliant on passwords, it's limited in its ability to fully supplant them. Even ignoring the legal and ethical complexities introduced by biometric authentication, a breach can permanently render biometric data unusable from a security standpoint. A password, once compromised, can be changed, but the same can't be said of fingerprints, hand geometry, and retina patterns.

At the same time, biometric authentication isn't 100% reliable. Where no modern system will reject a correct password, every biometric authentication configuration must account for some level of false negatives and positives. Especially in highly secure environments, false positives may present an unacceptable risk, while false negatives require a fallback authentication mechanism such as a traditional password. CISOs planning to adopt biometric authentication must ensure that biometric credentials are issued in addition to, not in place of, traditional passwords.

3. Protecting data through redundancy. Organizations planning to deploy biometric authentication on any large scale must include data loss prevention in their implementation from the beginning. This is true not only of biometric data transmitted by users but also of the data they intend to access. To prevent the loss of biometric data, organizations should invest in high-availability authentication servers, using technology such as load balancing to ensure high demand doesn't prevent end users from authenticating. IT leaders must also consider ways to protect the data end users wish to access. Since any single form of biometric authentication could report a false positive, organizations should make sure that sensitive systems can use multiple biometric sources in tandem, such as both facial and fingerprint recognition.

A More-Secure Future
Biometrics may not solve all poor end-user security practices, but the right strategy can help organizations seriously address the shortcomings of their existing password use. In an ideal implementation, biometrics can serve as a quicker, more convenient access solution for end users while enabling multifactor authentication and more robust security. Businesses may need to invest in additional capabilities to meet logistical and regulatory demands, but it's clear that passwords alone aren't enough.

Related Content:

Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...
CVE-2019-17592
PUBLISHED: 2019-10-14
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.