The principle of ‘logging in’ has long since been identified with the act of inputting a password. Having a password that can be kept secret in your memory was seen to be as good as gold, until hackers became sufficient at guessing or cracking them. Additionally, we would make passwords that were super easy to crack like ‘password’, or the name of our cat, or child, or birthday and would tend to keep all of our passwords the same for every account we created. Remembering a series of passwords is much more time and energy consuming than just having one password for everything, but making our lives easier also meant making the lives of a hacker even easier.
As a result, the idea of newer ways to authenticate yourself was born. Instead of logging in with ‘what you know’, what about being able to login with ‘what you are (biometrics) or ‘what you do’ (behavioural data)? It’s these considerations that have led to developments in identity and access management (IAM) technology.
Companies such as Meontrust, provide convenient ways to implement biometric authentication to online services using your device’s biometric functionality and the biometric method can easily be combined with other methods by using an IAM solution.
It isn’t uncommon today for larger companies to access their networks with a smartcard or fingerprint reader, as well as a password. In the consumer world, we are also increasing the use of new authentication methods, such as fingerprint scanning on our mobile devices. Think about the iPhone and the innovative Touch ID.
How safe is it to login using a fingerprint?
Biometrics should really be considered as usernames and not passwords. Logging in to an account via a fingerprint only for example, can be risky. Here’s a few things to consider before setting yourself or your business up with biometric authentication.
Biometrics can be lifted
Have you ever been told not to keep all of your passwords written down as someone can steal them? You leave your fingerprints everywhere and your fingerprint is just as easy to lift. Don’t believe me?
Check out this video of Chaos Computer Club hacking the Touch ID on an iPhone5s.
You might think that the iPhone6 has improved security, but it actually seems that nothing has been done to fix the issue.
Of course for your phone to be hacked into like this, you would also need to have your phone stolen, but the technology is easy to use and would mean that your device could be compromised as soon as it is taken.
It was also discovered that your fingerprint can be lifted using photographs. Which means you don’t even have to touch anything to be at risk. You just need to have a high resolution image of your fingerprint stored somewhere online.
Biometrics are difficult to reset
Security researches have shown methods of remotely intercepting biometric data, much like a keylogger intercepts keystrokes. Closer to today, we have seen biometrics being compromised with the help of printers, paper and ink and a camera. In the event that biometric data is compromised, the consequences may be far reaching. When a password is compromised you can reset it. If your fingerprint is compromised, the reset involves a sharp knife and does not improve the customer experience. Other biometrics, such as blood vessel patterns, retina, electro-cardiogram patterns etc. are even more difficult to change, or downright impossible.
Biometrics are ‘something you are’ not ‘something you know’
There are additional legal considerations when using biometrics as a method of single-factor authentication. These considerations will vary from country to country. In the United States for example, the 5th amendment protects you from having to give up your password to your phone during a traffic stop. However, if you use a fingerprint scanner on your phone, the 5th amendment does not protect this and you can be compelled to unlock your phone with your fingerprint. This is due to the legal differences between something you know versus something you are.
Biometrics have false accept rates
In biometrics there is always going to be a false accept rate (FAR), or false reject rate (FRR). The FAR tells you how often someone who should have not been recognized was in fact recognized. Most biometric systems claim their FAR’s are in the 1 in 10,000 to 1 in 1,000,000 ranges.
A hacker can use a copy of a user’s biometric characteristics collected by the system to produce fake biometrics that will allow login. This is called a physical spoof attack and is compared to a hacker watching someone write down their password and copying it.
If a hacker doesn’t have access to the biometric characteristics, your fingerprint, they can still gain access by creating a fake biometric characteristic by intelligently (through complex algorithms) guessing, or using a real sample of non-valid users. Imagine using a dictionary to work out your password.
Recommendations when using biometrics
Even with the above considerations in mind, this is not to say that biometrics have no place in identity and access management (IAM). Biometrics make for a convenient additional factor in authenticating your identity, or accessing secure information like your private key. In the same light, you could use a certificate to authenticate your identity, or even a mobile phone. In an ideal world, you would implement a system that looks like this:
- System boots up to a welcome screen, it does not display any UserID, this would reduce the likelihood of guessing a username.
- Swiping your fingerprint or scanning your retina will not log you in to your system, it would only bring up your UserID. Again, biometrics are your identity. You could also include certificates as a form of ID here. See this whitepaper on Certificate Based Authentication for more information.
- Now that your UserID is on the screen, you can authenticate with something you know or have for stronger authentication. The masked UserID creates an additional layer of security.
Biometrics are convenient and there are plenty of lower hanging fruit for the criminally inclined. Before implementing them for single factor authentication, be certain that you understand the legal implications and risk factors associated with this method. Biometric methods are typically easy for the end user and can improve the customer experience. With an IAM solution, you can select the appropriate way to authenticate a user from social identities to smart cards, and biometrics can be one of the alternatives, or working as an additional factor together with other methods.