Traditional biometric authentication has for years been the ultimate "something you are" in the triad of authentication factors: something you are (such as biometrics), something you know (such as a PIN or password, or a code texted to you), and something you have (such as a USB security key that issues one-time passwords).
But the inherent weaknesses of traditional biometrics, at least of the two most commonly used forms, fingerprint and facial recognition, are now drawing attention on grounds of both policy and efficacy. Identity and access management has always been a pillar of a good security posture, but with the surge in remote workers during the COVID-19 crisis, verifying users both inside and outside the traditional enterprise network has never been more critical, or more challenging.
The recent attention to traditional biometrics stems from two events: a major fingerprint authentication flaw in which a screen cover allowed anyone to unlock a device simply by touching the screen, and proposed Massachusetts legislation that attempts to limit biometric data collection.
In both cases, the issues center less on the overall effectiveness of biometric authentication and more on a specific problem with a peripheral device and some confusion over legislative wording. Nevertheless, these stories emphasize the need for better authentication mechanisms, particularly cutting-edge solutions like continuous authentication, a key component of a Zero Trust security architecture.
Glitch Vulnerability for Biometrics
So, what happened with the fingerprint scan issue? It wasn't technically a device issue so much as a bug that materialized when the phones interacted with specific screen protectors.
As Forbes noted, "The use of a cheap gel screen protector from eBay has completely undone the security of the device. A pliable gel protector had captured the authorized user’s fingerprint and then essentially used it for the next access attempt. This meant the device would open whenever pressure was applied. This escalated as an issue when a U.K. user found that with the $3 gel cover attached, they could use any finger to unlock the device..."
The deeper problem here is that both Android and iOS encourage third parties to use the fingerprint scan in place of login credentials for just about everything, so this glitch did not merely unlock the mobile device; it also potentially opened bank accounts and authorized purchases at e-commerce sites, to name just two of the more concerning repercussions.
In short, if anyone using that screen protector lost their phone or had it stolen, just about everything accessible from that device was at risk. That is, of course, the opposite of the intent of using biometrics to replace passwords, but here we are.
The answer to such vulnerabilities is a move to continuous authentication: approaches that validate a user's identity in an ongoing manner using a wide variety of data, which can include location, rather than relying on a single username and password, or, in this case, a fingerprint.
Continuous authentication examines a host of user signals, from typing speed and device-handling characteristics to other behavioral and contextual factors, which together are far more comprehensive than a password or a fingerprint, even when multi-factor authentication methods such as SMS text codes are in place.
Legislative Issues
On the legislative front, Massachusetts lawmakers had their own set of issues with biometrics. A reading of the proposed legislation made it clear that the intent of the bill was to stop or limit public surveillance systems, such as digital video cameras on public streets, at airports, and in parking lots and building lobbies, all of which are designed to identify specific people in a crowd.
Setting aside whether this is a good or bad thing from a law enforcement or privacy perspective, and the fact that the presence of public security cameras is believed to reduce crime in the immediate area, the repeated references to "biometric surveillance" as opposed to "biometric authentication" seem to make the intent clear.
And yet a problem crops up in the proposed legislation's definition: it defines a "biometric surveillance system" as "any computer software that performs face recognition or other remote biometric recognition." That is the full text of the definition, and, intentionally or not, if passed it could be interpreted as a ban on facial recognition on any device.
The legislation offers a second definition, for "other remote biometric recognition", that excludes fingerprint scanning, palm scanning, and DNA scanning, but does not exclude facial recognition, which complicates the issue. That definition reads in full: "an automated or semi-automated process that assists in identifying an individual or capturing information about an individual based on the characteristics of an individual's gait, voice, or other immutable characteristic ascertained from a distance."
The phrase "from a distance" would have addressed this issue had it merely specified the distance. For example, had it said "more than eight meters of distance," that would have excluded smartphones, which identify at a distance of inches, and it would have made clear that the bill truly pertained only to surveillance systems rather than identification systems.
Continuous Authentication Over Biometrics
While the two issues described above are arguably disparate and could even seem somewhat esoteric, they underscore the fact that the use of biometric data alone as a viable solution for enterprise identity and access management is confounded by a wide range of issues, from public policy to efficacy in real-world application.
Done properly, biometric authentication can work reasonably well, but the realities and limitations of a smartphone make it less than ideal from both a security and a convenience perspective. This does not even begin to address the issues around biometric data being compromised if it is stored improperly: you can change a password, but you cannot practically change your fingerprint or facial structure.
This is not a minor security matter. Mobile devices are rapidly controlling and generating an ever-increasing share of data interactions. Given that they are used to access bank records, medical test results, and other highly sensitive data, this approach to authentication could easily prove disastrous. For enterprises today, more secure mechanisms like continuous authentication solve authentication challenges without adding new security risks.
Continuous authentication offers the enterprise the advantages of multi-factor authentication combined with passive behavioral and contextual analytics that do not negatively impact user experience or workflows while monitoring for any anomalies that would require a deeper level of authentication. It’s the best option for organizations seeking enhanced security without compromising on mobility and productivity for their employees.
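The two paragraphs above describe continuous authentication in outline: passively collected behavioral and contextual signals are compared against what is normal for the user, and an anomaly triggers a deeper (step-up) authentication rather than a prompt on every action. The following is an added illustration of that loop, written for this page and not code from the article's author or any product it describes. It assumes a toy feature set (keystroke timing, a coarse location label, a device identifier), constructed sample data, and weights and thresholds that are placeholders rather than tuned values.

```python
"""Toy continuous-authentication monitor (added example, not the article's code).

Builds a behavioural baseline from trusted enrollment samples, scores every later
observation against it, and returns one of three decisions: keep the session,
demand step-up authentication, or terminate. Feature names, weights, thresholds
and all sample data are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple


@dataclass
class Observation:
    """One passive sample gathered while the session is in use."""
    keystroke_intervals_ms: List[float]   # gaps between consecutive keystrokes
    location: str                          # coarse context label, e.g. a country code
    device_id: str                         # identifier of the device in use


@dataclass
class Baseline:
    """What 'normal' looks like for this user, learned from enrollment samples."""
    interval_mean: float
    interval_std: float
    location: str
    device_id: str


# Assumed weights and thresholds; a real deployment would tune these per population.
LOCATION_CHANGE_WEIGHT = 3.0
DEVICE_CHANGE_WEIGHT = 3.0
MAX_BEHAVIOURAL_SCORE = 5.0
STEP_UP_THRESHOLD = 2.5
TERMINATE_THRESHOLD = 5.0
ADAPTATION_RATE = 0.1


def build_baseline(enrollment: List[Observation]) -> Baseline:
    """Derive the baseline from samples collected right after a strong login."""
    intervals = [i for obs in enrollment for i in obs.keystroke_intervals_ms]
    if len(intervals) < 2:
        raise ValueError("need at least two keystroke intervals to build a baseline")
    std = pstdev(intervals) or 1.0    # flat enrollment data would otherwise divide by zero
    last = enrollment[-1]
    return Baseline(mean(intervals), std, last.location, last.device_id)


def risk_score(baseline: Baseline, obs: Observation) -> float:
    """Behavioural deviation (capped z-score) plus penalties for context changes."""
    behavioural = 0.0
    if obs.keystroke_intervals_ms:
        z = abs(mean(obs.keystroke_intervals_ms) - baseline.interval_mean) / baseline.interval_std
        behavioural = min(z, MAX_BEHAVIOURAL_SCORE)   # cap so one wild sample cannot dominate
    contextual = 0.0
    if obs.location != baseline.location:
        contextual += LOCATION_CHANGE_WEIGHT
    if obs.device_id != baseline.device_id:
        contextual += DEVICE_CHANGE_WEIGHT
    return behavioural + contextual


def decide(score: float) -> str:
    """Map a risk score to the session action."""
    if score >= TERMINATE_THRESHOLD:
        return "terminate"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


class Session:
    """Re-evaluates an already-authenticated session on every observation."""

    def __init__(self, baseline: Baseline):
        self.baseline = baseline
        self.log: List[Tuple[float, str]] = []

    def observe(self, obs: Observation) -> str:
        score = risk_score(self.baseline, obs)
        decision = decide(score)
        self.log.append((round(score, 2), decision))
        if decision == "allow" and obs.keystroke_intervals_ms:
            # Absorb natural drift only from samples judged benign, so an intruder
            # cannot gradually retrain the baseline toward their own behaviour.
            self.baseline.interval_mean = (
                (1 - ADAPTATION_RATE) * self.baseline.interval_mean
                + ADAPTATION_RATE * mean(obs.keystroke_intervals_ms)
            )
        return decision


def demo() -> List[str]:
    """Run constructed samples through one session and return the decisions."""
    enrollment = [Observation([100, 120], "US", "laptop-1"),
                  Observation([100, 120], "US", "laptop-1")]
    session = Session(build_baseline(enrollment))
    samples = [
        Observation([105, 115], "US", "laptop-1"),   # same user, same context
        Observation([150, 160], "US", "laptop-1"),   # typing rhythm drifts sharply
        Observation([110, 110], "DE", "laptop-1"),   # familiar rhythm, new location
        Observation([200, 200], "DE", "phone-9"),    # new device, new location, odd rhythm
    ]
    return [session.observe(s) for s in samples]


if __name__ == "__main__":
    print(demo())   # ['allow', 'step_up', 'step_up', 'terminate']
```

Two design points matter more than the arithmetic. The baseline adapts only on observations the monitor already judged benign, which keeps an intruder from nudging "normal" toward their own behaviour one sample at a time. And the behavioural term is capped, so a single noisy measurement cannot by itself terminate a session; a termination requires either a very large deviation or a deviation combined with a context change, which is the kind of layered evidence the article argues for over a one-time fingerprint check.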