Are physical biometrics really the way to go?
By Robert Capps, vice president of business development, NuData Security
Hackers recently used Social Security numbers and other personally identifiable data obtained from other breaches to generate personal identification numbers required for filing taxes electronically with the IRS. Using a bot loaded with the information from over 400,000 taxpayers, hackers successfully generated PINs for 101,000 individuals before the IRS detected the attack and shut the operation down.
This is just the latest example of cyber criminals leveraging stolen information from other breaches to try and gain entry to legitimate user accounts. Passwords and other static elements used to verify identity are no longer effective security measures.
Organizations clearly need to find better ways to verify good customers. Banks and other organizations are looking for new ways to authenticate that are supposedly easy for users yet still secure. Physical biometric methods, which promise to make it harder to impersonate the legitimate user or customer, seem like a promising choice. But in the mad rush for alternatives, could we be making the problem worse?
While physical biometrics work when someone has physically presented themselves to the authenticating party, these same biometrics quickly lose effectiveness in an online world. Why? Because using a single biometric data point to authenticate a user is no different from adding a second, static password. In certain scenarios, they could be worse: a stolen or leaked password can be reset, but your iris cannot.
Static images and patterns like heartbeats or fingerprints can be reproduced, captured and reused. And they can be stolen en masse, like the 5.6 million fingerprints stolen from the Office of Personnel Management last year. There is also a very real threat of fraudsters going after individuals in person to collect physical biometrics for criminal activities – and such fears are steering risk-averse companies away.
Organizations that want a better authentication method do have the option of less-invasive biometrics, ones that are more secure and more consumer-friendly: non-identifying behavioral biometrics.
For instance, when you're surfing the Web on your mobile device, do you realize that you have a unique way of holding it that's different from other people, even if only slightly? Do you normally hold your phone in portrait or landscape mode? Do you use your index fingers or your thumbs to type? How hard do you press on the screen when you hit each key?
Our mobile devices have many sensitive instruments built in that can capture this non-identifying information. When taken together into an aggregated profile, these signals are extremely effective at identifying repeat good users and yet remain tolerant of a user's behavior as it naturally changes over time. Using these subtle and unique signals, organizations can easily identify when the account owner is not the one attempting to authenticate – even if the correct login and password are used in conjunction with the authentic account holder's computer or mobile device.
Unlike physical biometrics, markers based on user behavior cannot be stolen, duplicated or reused. They have no intrinsic value that criminals can easily translate into cash. This isn't to say there is no value in using a fingerprint or any other specific biological metric; the danger is using such a signal or identifier as the sole or secondary authentication method. Relying on a physical biometric also forces the user to go out of their way to prove their identity, adding unnecessary friction to a good user's experience. How much friction are you willing to force on consumers before they finally abandon their action or, even worse – abandon your company altogether?
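To make the "aggregated profile" idea concrete, here is an added example (not NuData's code) of a toy behavioral profile: it keeps a running baseline per account for a few constructed signals of the kind listed above, scores each new session against that baseline, and only folds accepted sessions back in so the baseline follows the owner's natural drift but not an impostor's. Feature names, thresholds and all sample values are assumptions constructed for the illustration.

```python
# Added example, not NuData's code: toy behavioral profile scoring constructed
# signals (typing pressure, inter-key interval, portrait share) against a baseline.
from dataclasses import dataclass, field
from math import sqrt

FEATURES = ("pressure", "key_interval_ms", "portrait_ratio")
MIN_HISTORY = 4   # sessions absorbed passively before scoring starts (no enrollment step)
THRESHOLD = 3.0   # mean |z-score| above which the session is refused (assumed value)

@dataclass
class BehaviorProfile:
    """Running per-feature mean/variance (Welford), fed only by accepted sessions."""
    n: int = 0
    mean: dict = field(default_factory=lambda: {f: 0.0 for f in FEATURES})
    m2: dict = field(default_factory=lambda: {f: 0.0 for f in FEATURES})

    def update(self, session):
        # Online update: the baseline drifts with the owner's natural change.
        self.n += 1
        for f in FEATURES:
            delta = session[f] - self.mean[f]
            self.mean[f] += delta / self.n
            self.m2[f] += delta * (session[f] - self.mean[f])

    def score(self, session):
        # Mean absolute z-score over features; higher means less like the owner.
        if self.n < MIN_HISTORY:
            return 0.0  # too little history to judge yet
        total = 0.0
        for f in FEATURES:
            std = sqrt(self.m2[f] / (self.n - 1)) or 1e-6  # guard zero variance
            total += abs(session[f] - self.mean[f]) / std
        return total / len(FEATURES)

def authenticate(profile, session, threshold=THRESHOLD):
    """True if the session looks like the owner. Refused sessions are not
    learned, so an impostor cannot pull the baseline toward their own habits."""
    if profile.score(session) > threshold:
        return False
    profile.update(session)
    return True

# Constructed sample data: five sessions from the owner, one from someone else.
OWNER_SESSIONS = [
    {"pressure": 0.42, "key_interval_ms": 180, "portrait_ratio": 0.90},
    {"pressure": 0.45, "key_interval_ms": 175, "portrait_ratio": 0.95},
    {"pressure": 0.40, "key_interval_ms": 190, "portrait_ratio": 0.85},
    {"pressure": 0.44, "key_interval_ms": 185, "portrait_ratio": 0.92},
    {"pressure": 0.43, "key_interval_ms": 178, "portrait_ratio": 0.88},
]
IMPOSTOR_SESSION = {"pressure": 0.80, "key_interval_ms": 120, "portrait_ratio": 0.10}
```

Note the trade-off the passive approach carries: until an account has enough history the profile cannot say anything, which is why a behavioral signal belongs alongside, not instead of, the other risk checks a site already performs.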
Fortunately, collecting these behavioral data points is a frictionless process. No special effort is required on the part of the user. They do not have to enter, enroll in or provide any additional information to a website or application to benefit from the protection these kinds of complex yet not personally identifiable biometrics offer. Users simply keep doing what they are used to doing: interacting with the sites and services as they always have.
Because physical biometrics pose their own safety issues and can be replicated, with lifelong consequences to the owner, they should not be a primary means of authenticating users. Behavioral biometrics are a far more secure form of online authentication. They are too complex to steal or replicate, offering a greater level of individuality and safety, and their collection occurs behind the scenes for a painless, friction-free experience for your legitimate users. There is little point in changing one static data check for another, not when there is a powerful alternative in behavioral biometrics that is friction-free and impersonation-proof.
As NuData Security's vice president of business development, Robert Capps is responsible for developing and nurturing strategic alliances, partnerships and channels.
Robert is a recognized technologist, thought leader and advisor with over twenty years of experience in the design, management and protection of complex information systems – leveraging people, process and technology to counter cyber risks. In his previous role at RedSeal as a senior director, Robert was responsible for technical, security and customer operations. Prior to RedSeal, Robert was senior manager, global trust and safety at StubHub.