Not a Catch-all
Businesses are relying on biometrics for additional login processes
- By Alisdair Faulkner
- May 01, 2017
When used effectively, biometrics can contribute
to safer cybersecurity practices. By moving beyond
basic password-based authentication, the
technology provides a much-needed, alternative
layer of security that’s often more difficult
for fraudsters to hack. Across the globe, businesses are relying on biometrics
to bolster employee login processes, financial institutions are
leveraging the technology to verify online purchases and consumer
solutions such as Apple’s Touch ID are making daily smartphone usage
more seamless and secure.
ABI Research estimates that the global biometrics market will
reach more than $30 billion by 2021, which marks a 118 percent
increase from 2015. Despite this growing enthusiasm, though, it’s a
mistake for organizations to rely solely on biometrics to keep their
networks and user data secure. While the technology can add an effective,
additional layer of cybersecurity, it’s not a catch-all. In fact,
the very nature of biometric technology can introduce additional
security gaps.
Consider the following examples of key biometrics characteristics
that can lead to serious cybersecurity weaknesses:
Unreliable facial recognition. While it can be used as an effective
form of authentication, facial recognition is challenging to implement
because it can lead to high false positive rates. For instance, if
an individual is wearing sunglasses or a new pair of reading glasses,
their facial scan can get rejected. Also, it can be difficult for facial
recognition machines to distinguish between individuals who look similar,
whether it is two separate people who look alike or the same
person who appears in different photos at varying ages or lighting.
Insecure fingerprints. With biometrics, fingerprints can be used in
lieu of (or in addition to) passwords. Unlike with passwords, however,
users aren’t trained to protect their fingerprints and keep them secret.
As a result, they can be very easy for hackers to steal. In fact,
one hacker famously beat Apple’s Touch ID technology just one day
after its release by creating a copy of a fingerprint smudge left on an
iPhone screen and using it to hack into the phone.
Significant user friction. Maintaining an effective balance between
strong cybersecurity and frictionless usability is critical, but it’s not
easy. It’s even more difficult when it comes to invasive authentication
systems like biometrics, particularly if users are already happy
with the level of security they get with passcode and/or two-factor
authentication (2FA) systems. Biometrics require total user buy-in,
and given the added layer of personal (i.e., physical) security involved,
that can be difficult to maintain.
Perhaps the most worrisome aspect of biometrics, though, is that
biometric-based authentication is irrevocable. A face, voice or fingerprint
can’t be discarded and replaced like a password or a credit card;
it’s permanently associated with a user. And just as passwords are
occasionally used across multiple accounts and therefore constantly
susceptible to attacks, there will always be insecure systems that can
result in a leak of biometric credentials, rendering them useless for
all other systems.
A more effective approach to cybersecurity
relies not on one technology, like biometrics, but instead on
multiple technologies and forms of intelligence. By stitching together
verified user data points such as location, payment details, websites
visited, login credentials or typical transaction behavior to form “digital
identities,” for example, organizations can better pinpoint and
transact with legitimate users. Because this
collected user data is unique and impossible to fake, as it leverages
the infinite number of connections users create when they transact
online, organizations can securely deliver more seamless user experiences
and thwart malicious hackers in real time.
Basic password systems, 2FA and
biometrics alone are no longer enough. To compete with the increasing
resources and skills of today’s determined hackers, organizations
need to think bigger and implement real-time
cybersecurity solutions that leverage existing
user data to quickly and accurately authenticate
trusted users and effectively assess risk, before it’s
too late.
This article originally appeared in the May 2017 issue of Security Today.
About the Author
Alisdair Faulkner is the chief products officer at ThreatMetrix.