While the idea of using biometrics for authentication is becoming more mainstream – helped along by the fact that many consumer devices such as smartphones and laptops now support biometrics – organizations still have to consider how to effectively implement biometrics within their environments.
“It’s hard to envision a future that doesn’t have biometrics,” says Gartner VP and analyst Ant Allan. “The question is ‘What is the most effective way to use biometrics?’”
“By commoditizing biometrics for cyber, we’re merging what was a high-stakes means of identification — fingerprints and crime scenes — with relatively low-stakes scenarios such as unlocking your phone, all for the sake of convenience. I’m not sure that’s a worthwhile trade off,” argues Sailpoint CISO Rex Booth.
For many enterprises, concerns over how biometric information is stored, or what would happen if it were stolen, are delegated to the third-party vendor supplying the biometrics technology. Still, if that vendor is breached and the enterprise’s authentication data finds its way to the Dark Web, some of the blame will eventually land on the CISO’s desk. Whatever the stolen data is worth to the thieves, no one should assume that criminals with enough time and computing power will never manage to decrypt or reverse stored templates into usable authentication data. And unlike a password, a leaked fingerprint or face cannot be rotated.
Sailpoint’s Booth argues that using biometrics as a routine authentication approach could ultimately hurt the enterprise’s security, along with the security of every employee, contractor and partner who needs access to enterprise systems.
“As somebody whose fingerprints are on file in a CCP database somewhere thanks to the OPM hack in 2015, I’ve accepted that I’ve lost control of my biometrics,” Booth says. “But that doesn’t mean I want to use them everywhere and risk losing further control for low-reward use cases. They should be reserved for meaningful scenarios.”
Build MFA by Combining Strategies
One common enterprise strategy for biometrics is to return to the original intent behind multifactor authentication (MFA). A frequent criticism of enterprise MFA deployments is that they lean on the weakest available factor, typically one-time codes sent by SMS. Those codes can be intercepted through SIM swapping or carrier-network (SS7) attacks, and they are easily phished and relayed in real time by an adversary-in-the-middle proxy.
The better approach is to combine higher-assurance methods such as continuous authentication (CA) and behavioral analytics (BA). Continuous authentication concentrates on which systems are being accessed and which actions are being initiated. Behavioral analytics verifies user identity by comparing many dozens of attributes against a baseline learned for that user: errors per 100 keystrokes, typing speed, the angle at which a phone is held, characteristics of the phone, time of day, and so on.
By definition, continuous authentication does not stop once the initial login is confirmed; it keeps watching for a user who starts to misbehave an hour later. An insider attack will almost always pass the login hurdle because the attacker really does hold valid credentials. The damage comes afterwards, when the user abuses that privilege to steal money or data or to sabotage a system.
A very good tactic for making behavioral analytics harder to defeat is to frequently change which attributes are considered and what users are asked to do to confirm their identity. “Users can’t really predict what they will be prompted to do and when they will be prompted to do it,” Allan says, and that makes it much harder for a fraudster to be prepared.
Multifactor authentication creates a layered approach so that the whole authentication decision does not rest on a single point of failure. In practice, MFA might look like continuous authentication plus behavioral analytics plus something physical, such as a FIDO token.
To strengthen it further, add one of the many authenticator apps. If the enterprise authentication program includes four or five strong factors such as these, biometrics can serve as a convenient first step with a lenient match threshold, reducing user frustration without undermining the overall authentication effort. The lenient biometric then acts as a convenience gate, not as the control that actually keeps an attacker out.
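The following is an added example, not code from the article or from any vendor named in it, showing the scoring loop that the continuous-authentication and behavioral-analytics paragraphs above describe: every event after login is compared against the user’s enrolled baseline, only a random subset of attributes is checked in each round, and a step-up challenge is chosen at random when the score is suspicious. The five attributes, the baseline values, the thresholds, the challenge names and the session events are all constructed for illustration; a real deployment compares many dozens of attributes learned from the user’s own history.

```python
"""Continuous behavioral authentication with a randomised attribute subset.

Added example; not code from the article or from any vendor named in it.
The five attributes, the per-user baseline, the thresholds and the session
events are constructed for illustration.
"""
import random
from dataclasses import dataclass

# Enrolled baseline for one user: (mean, standard deviation) per attribute.
BASELINE = {
    "errors_per_100_keys": (2.0, 1.0),
    "typing_speed_cpm": (280.0, 30.0),
    "phone_tilt_deg": (35.0, 8.0),
    "hour_of_day": (10.0, 2.0),
    "key_dwell_ms": (95.0, 15.0),
}

# Step-up challenges the user may be asked to complete; the choice is
# randomised so a fraudster cannot know in advance what to prepare for.
CHALLENGES = ("fido_token_touch", "authenticator_app_code", "retype_phrase")


@dataclass
class Verdict:
    score: float        # mean |z-score| over the attributes sampled this round
    action: str         # "allow", "step_up" or "deny"
    attributes: tuple   # which attributes were checked this round
    challenge: str      # step-up challenge to present, or "" when none


def zscore(name, value):
    """Distance of an observed value from the user's baseline, in std devs."""
    mean, sd = BASELINE[name]
    return abs(value - mean) / sd


def evaluate(observation, rng, k=3, step_up_at=2.0, deny_at=4.0):
    """Score one observation against k randomly chosen attributes."""
    sampled = tuple(rng.sample(sorted(BASELINE), k))
    score = sum(zscore(a, observation[a]) for a in sampled) / k
    if score >= deny_at:
        return Verdict(score, "deny", sampled, "")
    if score >= step_up_at:
        return Verdict(score, "step_up", sampled, rng.choice(CHALLENGES))
    return Verdict(score, "allow", sampled, "")


def monitor(session, seed=7):
    """Continuous authentication: score every event after login, not just
    the first one. Stops at the first 'deny' and returns all verdicts."""
    rng = random.Random(seed)
    verdicts = []
    for observation in session:
        verdict = evaluate(observation, rng)
        verdicts.append(verdict)
        if verdict.action == "deny":
            break
    return verdicts


# Constructed session: the legitimate user, then a mild drift, then a
# takeover by someone whose every trait is far from the baseline.
NORMAL = {"errors_per_100_keys": 2.0, "typing_speed_cpm": 280.0,
          "phone_tilt_deg": 35.0, "hour_of_day": 10.0, "key_dwell_ms": 95.0}
DRIFT = {"errors_per_100_keys": 5.0, "typing_speed_cpm": 200.0,
         "phone_tilt_deg": 55.0, "hour_of_day": 16.0, "key_dwell_ms": 135.0}
TAKEOVER = {"errors_per_100_keys": 9.0, "typing_speed_cpm": 120.0,
            "phone_tilt_deg": 80.0, "hour_of_day": 2.0, "key_dwell_ms": 200.0}

if __name__ == "__main__":
    for v in monitor([NORMAL, NORMAL, DRIFT, TAKEOVER, NORMAL]):
        print(f"{v.action:8} score={v.score:.2f} checked={v.attributes} {v.challenge}")
```

Running the constructed session yields allow, allow, step_up, deny: the takeover is caught on the fourth event even though it came long after a successful login. The thresholds here are chosen so that the verdict does not depend on which three attributes the random sampler picks; in a real system the per-user baseline and thresholds are tuned against the organisation’s own false-accept and false-reject tolerance.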
Add Piggybacking to MFA
One way to lower authentication costs is to trust and leverage the biometrics built into the smartphones that nearly every user already carries, an approach known as piggybacking. The upside is lower cost; the downside is that IT and security have little or no say in how those biometrics are enrolled, configured or protected. But if a sufficiently robust MFA is in place, even lenient settings may not be a problem.
“I think (piggybacking) is a great first step. Is (security doing biometrics themselves) necessary or is it just creating friction?” says Damon McDougald, the global Identity lead at Accenture.
Gartner’s Allan also approves of the piggyback biometrics approach. “It’s something the users are already familiar with, and you’re avoiding paying for a third-party product and everything you need to wrap around it,” he says. “But the choice of technology is being made by somebody else. How is it being configured? The enrollment is not something you have control of.”
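As an added example, not code from the article or from any vendor named in it, the block below shows the one check an enterprise does keep when it piggybacks on a phone’s biometric through a WebAuthn/FIDO2 platform authenticator: the relying party cannot see how the sensor was enrolled or configured, but it can read the signed authenticator data and refuse an assertion unless the device reports that user verification (biometric or PIN) actually took place. The byte layout is the WebAuthn authenticator data structure; the relying-party name and the sample blobs are constructed for the demonstration.

```python
"""Verifying what a piggybacked platform authenticator actually did.

Added example; not code from the article or from any vendor named in it.
The relying-party id and the sample authenticator data are constructed.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Flag bits in the WebAuthn authenticator data flags byte.
FLAG_UP = 0x01  # user present: a touch or tap happened
FLAG_UV = 0x04  # user verified: biometric or PIN check succeeded on the device
FLAG_AT = 0x40  # attested credential data (AAGUID, credential ID, key) follows
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    sign_count: int
    aaguid: Optional[bytes]   # authenticator model id, present at registration


def parse_authenticator_data(raw: bytes) -> AuthData:
    """Split the fixed 37-byte header and pull the AAGUID if it is attached."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash = raw[:32]
    flags = raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    aaguid = None
    if flags & FLAG_AT:
        # aaguid(16) || credentialIdLength(2) || credentialId || COSE public key
        if len(raw) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = raw[37:53]
    return AuthData(rp_id_hash, bool(flags & FLAG_UP),
                    bool(flags & FLAG_UV), sign_count, aaguid)


def accept_assertion(raw: bytes, rp_id: str, require_uv: bool = True):
    """Policy decision on the flags alone. Returns (accepted, reason).

    Signature, challenge and origin checks are separate steps of WebAuthn
    verification and are not shown here.
    """
    data = parse_authenticator_data(raw)
    if data.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not data.user_present:
        return False, "user presence (UP) flag clear"
    if require_uv and not data.user_verified:
        return False, "user verification (UV) flag clear: biometric or PIN not performed"
    return True, "ok"


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed 37-byte authenticator data for the demonstration."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    verified = build_auth_data("corp.example", FLAG_UP | FLAG_UV, 42)
    presence_only = build_auth_data("corp.example", FLAG_UP, 43)
    print(accept_assertion(verified, "corp.example"))
    print(accept_assertion(presence_only, "corp.example"))
```

The UV flag only says that the device performed its own verification; it says nothing about how strict the sensor is or how the user enrolled, which is exactly the gap Allan describes. If the enterprise wants to constrain which authenticator models it trusts, it can request attestation at registration and match the AAGUID parsed above against an allowlist; after that, the flag check on every assertion is the remaining control it owns.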
Accenture’s McDougald stresses that excessive friction with any form of authentication could deliver an unintended problem. “Humans are very creative when we have a problem. We’ll just bypass the authentication — and the bad guys can exploit that,” he says.