BlackBerry ThreatVector Blog

Biometric Authentication Issues Underscore Need for Continuous Authentication

Traditional biometric authentication has for years been the ultimate "something you are" in the three-factor authentication triad, which comprises: something you are (such as biometrics), something you know (such as a PIN/password or a code texted to you), and something you have (such as a USB security key that issues one-time passwords).

But the inherent weaknesses of traditional biometrics – at least the two most-commonly-used versions, fingerprint and facial-recognition – are now getting some attention for issues of policy and efficacy. Identity and access management has always been a pillar of a good security posture, but with the surge in remote workers due to the COVID-19 crisis, ensuring the validity of users both inside and outside of the traditional enterprise network has never been more critical, or more challenging.

The increased attention to traditional biometrics of late is due both to a major fingerprint authentication flaw, in which a screen cover allowed anyone to access a device simply by touching the screen, and to proposed Massachusetts legislation attempting to limit biometric data collection.

In both cases, the issues are centered less on the overall effectiveness of biometric authentication and more on a specific problem with a peripheral device and on some confusion over the wording of legislation. Nevertheless, these stories emphasize the need for better authentication mechanisms, particularly cutting-edge solutions like continuous authentication, a key component of a Zero Trust security architecture.

Glitch Vulnerability for Biometrics

So, what happened with the fingerprint scan issue? It wasn't technically a device issue so much as a bug that materialized when the phones interacted with specific screen protectors.

As Forbes noted, "The use of a cheap gel screen protector from eBay has completely undone the security of the device. A pliable gel protector had captured the authorized user’s fingerprint and then essentially used it for the next access attempt. This meant the device would open whenever pressure was applied. This escalated as an issue when a U.K. user found that with the $3 gel cover attached, they could use any finger to unlock the device..."

The deeper problem here is that both Android and iOS encourage third parties to use the biometric fingerprint scan in place of login credentials for just about everything, which meant this glitch didn't merely unlock the mobile device: it also potentially opened bank accounts and authorized purchases at e-commerce sites, to name just a couple of the more concerning repercussions.

In short, if anyone using that screen protector lost their phone or had it stolen, just about everything accessible from that device was at risk. That is, of course, the opposite of the intent of using biometrics to replace passwords, but here we are.

The answer to such vulnerabilities is a move to continuous authentication approaches that validate the identity of a user in an ongoing manner, using a wide variety of signals (location among them) rather than relying on a single credential such as a username and password or, in this case, a fingerprint.

Continuous authentication examines a host of user activity from typing speed and device handling characteristics to other behavioral and contextual factors that are much more comprehensive than passwords and fingerprints – even when multi-factor authentication methods such as SMS text codes are in place.

Legislative Issues

On the legislative front, Massachusetts lawmakers had their own set of issues with biometrics. A reading of the proposed legislation made it clear that the intent of the bill was to stop or limit public surveillance systems such as digital video cameras on public streets, at airports, in parking lots and building lobbies – all of which were designed to identify specific people in a crowd.

Setting aside whether this is a good or bad thing from a law enforcement or privacy perspective, and the fact that the presence of public security cameras is believed to reduce crime in the immediate area, the repeated references to "biometric surveillance" as opposed to "biometric authentication" seem to make the intent clear.

And yet, a problem crops up in the proposed legislation's definition: it defines a "biometric surveillance system" as "any computer software that performs face recognition or other remote biometric recognition." That is the full text of the definition, and, intentionally or not, if passed it could be interpreted as a ban on facial recognition on any device.

The legislation offers a second definition, of "other remote biometric recognition," that excludes fingerprint scanning, palm scanning, and DNA scanning but does not exclude facial recognition, which complicates the issue. The full "other remote biometric recognition" definition states: "an automated or semi-automated process that assists in identifying an individual or capturing information about an individual based on the characteristics of an individual's gait, voice, or other immutable characteristic ascertained from a distance."

The phrase "from a distance" would have addressed this issue had it only specified the distance. For example, had it said "more than eight meters of distance," that would have excluded smartphones, which identify a user from a matter of inches away. It could also have made clear that the bill pertains only to surveillance systems, not to identification systems.

Continuous Authentication Over Biometrics

While the two issues described above are arguably disparate and could even seem somewhat esoteric, they underscore the fact that the use of biometric data alone as a viable solution for enterprise identity and access management is confounded by a wide range of issues, from public policy to efficacy in real-world application.

Done properly, biometric authentication can work reasonably well, but the realities and limitations of a smartphone make it less than ideal from both a security and a convenience perspective. And this does not even begin to address the potential for biometric data to be compromised if it is stored improperly: remember, you can change a password, but you can't practically change your fingerprint or facial structure.

This is not a minor security matter. Mobile devices are rapidly controlling and generating an ever-increasing share of data interactions. Given that they are used to access bank records, medical test results, and other highly sensitive data, this approach to authentication could easily prove disastrous. For enterprises today, more secure mechanisms like continuous authentication solve authentication challenges without adding new security risks.

Continuous authentication offers the enterprise the advantages of multi-factor authentication combined with passive behavioral and contextual analytics that do not negatively impact user experience or workflows while monitoring for any anomalies that would require a deeper level of authentication. It’s the best option for organizations seeking enhanced security without compromising on mobility and productivity for their employees.
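To make the signals described above concrete (typing behaviour, location, and an anomaly threshold that triggers a deeper level of authentication), here is an added example of a minimal continuous-authentication scorer. It is illustrative code written for this article, not BlackBerry's or any product's implementation; the thresholds, the per-user baseline, and the sample observations are all constructed assumptions.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

STEP_UP_THRESHOLD = 0.6   # constructed: risk above this demands a deeper authentication
MIN_SAMPLES = 5           # constructed: baseline observations needed before typing data is trusted

@dataclass
class Session:
    """Per-user baseline learned from observations accepted so far (hypothetical store)."""
    typing_ms: list = field(default_factory=list)   # mean inter-key latency per window
    locations: list = field(default_factory=list)   # (lat, lon) per window

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def typing_risk(baseline, sample_ms):
    """0..1 risk from how far a typing-latency sample departs from the user's baseline."""
    if len(baseline) < MIN_SAMPLES:
        return 0.0                       # cold start: no penalty, other factors decide
    sd = pstdev(baseline) or 1.0         # guard against a zero-variance baseline
    z = abs(sample_ms - mean(baseline)) / sd
    return min(z / 4.0, 1.0)             # four standard deviations saturates the score

def location_risk(last, current, minutes_elapsed):
    """0..1 risk from implausible travel speed between two consecutive observations."""
    if last is None:
        return 0.0
    speed_kmh = km_between(last, current) / max(minutes_elapsed / 60.0, 1e-6)
    return min(speed_kmh / 1000.0, 1.0)  # roughly airliner speed saturates the score

def evaluate(session, typing_ms, location, minutes_elapsed):
    """Score one observation; return (risk, step_up_required) and update the baseline."""
    last = session.locations[-1] if session.locations else None
    risk = max(typing_risk(session.typing_ms, typing_ms),
               location_risk(last, location, minutes_elapsed))
    step_up = risk > STEP_UP_THRESHOLD
    if not step_up:                      # only accepted behaviour trains the baseline,
        session.typing_ms.append(typing_ms)   # so anomalous sessions cannot drift it
        session.locations.append(location)
    return round(risk, 3), step_up

if __name__ == "__main__":
    s = Session(typing_ms=[180, 190, 185, 175, 182], locations=[(42.36, -71.06)] * 5)
    print(evaluate(s, 184, (42.36, -71.06), 5))    # normal: low risk, no step-up
    print(evaluate(s, 184, (51.50, -0.12), 10))    # impossible travel: step-up
    print(evaluate(s, 260, (42.36, -71.06), 5))    # typing far off baseline: step-up
```

Taking the maximum rather than a weighted sum means one strong anomaly cannot be masked by several normal factors, and the cold-start branch shows why behavioural signals complement, rather than replace, the initial login.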

Ryan Permeh

About Ryan Permeh

Senior Vice President and Chief Security Architect

Ryan works within the office of the CTO to define technology strategy and architecture that will help integrate technology across BlackBerry and focus it on reducing customer risk. Ryan has been in the security industry for over 20 years and has a long history in both offensive and defensive security. Ryan came to BlackBerry as part of the Cylance acquisition. He was co-founder and Chief Scientist of Cylance and led the architecture behind Cylance's mathematical engine and groundbreaking approach to security. Prior to co-founding Cylance, he served as Chief Scientist for McAfee, focused on technology strategy, and as a Distinguished Engineer at eEye Digital Security, focused on building security assessment tools.

He has published numerous articles, papers, and books, and is a frequent speaker at conferences around the world on the topics of security, privacy, machine learning, and entrepreneurship. His research has led to numerous innovations in both offensive and defensive security technology and he has published over 20 patents in the security and data science fields. He is known as the discoverer and primary analyst of the “Code Red” computer worm and contributed to many other analyses of significant threats over his career.