Dark Reading is part of the Informa Tech Division of Informa PLC


Application Security | Commentary
6/5/2019 02:30 PM
Bojan Simic

How to Get the Most Benefits from Biometrics

Providing an easy-to-use, uniform authentication experience without passwords is simpler than you may think.

Biometric systems have many benefits that enhance cybersecurity. But organizations must learn how to leverage and simplify this complex environment — consisting of mobile devices and sensors that are unified under the common FIDO standard — to reap the most benefits from it.

First of all, IT and cybersecurity teams must take a firmer stance on mobile security because mobile devices are where biometric functions are most often found. Second, having the right user experience (UX) for biometrics is essential because many users may reject an approach that is counterintuitive or too cumbersome. Cybersecurity and UX are no longer mutually exclusive, and many of today's new password-free solutions can provide a uniform experience that is accessible to all users regardless of their technical acumen. Over time, biometrics will be part of the physical world, allowing users to unlock their laptops, devices, offices, and conference rooms, all underpinned by the FIDO standard, which will ultimately deliver the best protection across the enterprise.

Here are some recommendations for leveraging the biometric ecosystem in the most beneficial ways possible.

Mastercard, Aetna, and First Citrus Bank used biometrics to stop holding centralized credentials and passwords for a portion of their users, removing a target that attracts attacks and breaches. The primary benefit these enterprises, and we practitioners, observe is that the "something you know" factor of user authentication is replaced with "something you are," which is far harder to reproduce. Most sensors on modern mobile devices are rated at a false acceptance rate of 1 in 50,000 or better, meaning a random impostor's fingerprint or face will almost never be matched against another user's enrolled template. Two caveats a practitioner should keep in mind: the template is not a stored image of the fingerprint, face, or voice but a mathematical representation derived from it, and it stays on the device; and a false acceptance rate measures accidental matches, not resistance to a deliberate spoof such as a lifted print or a photograph, which is assessed separately as presentation-attack resistance.

Pairing these sensors with standards-based authentication that eliminates shared secrets (such as the FIDO Alliance protocols) lets service providers slow adversaries down while making the UX easier. The service stores only a public key per user; the matching private key is generated on the device, kept in its most secure area (a secure enclave or trusted execution environment where available), and used only to sign a fresh challenge after the biometric match succeeds locally. This disrupts hackers' fraud model: there is no central store of reusable secrets to dump, so they would have to compromise, or physically obtain, the device of each user they want to target. This approach makes a mass credentials breach of the kind we've been seeing on a regular basis infeasible.

But what of the fragmented array of choices among operating systems, authentication modes (e.g., touch, face, voice, behavioral), and devices, particularly in the Android space? The best way to defragment this ecosystem is by adopting an open standard — such as FIDO — that uses biometric capabilities, meeting security targets while providing a uniform UX. Consumers know how to use the biometric capability of their mobile device or laptop without issue, and the UX is similar across devices even though they come from different manufacturers and function across different operating systems. 

Take a Tougher Stance on Mobile Security
Many of our financial services are available as mobile apps, which has led to a rapid increase in the attack surface.

Enterprises must take a much harder stance on mobile security because they continue to be hit by breaches driven by credential reuse, which succeeds in 2% to 4% of attempts, according to Shape Security's "Credential Spill Report." The mobile platform is not immune to this growth in credentials-based fraud. Therefore, we should get ahead of fraud's migration to mobile by ending shared-secret forms of authentication to mobile apps. Standards like FIDO are mobile-centric and make the marriage of device biometrics and public-key cryptography (a per-service key pair rather than a password the server must store) the cornerstone of secure, seamless experiences across mobile devices, desktops, and the Internet of Things.

But we shouldn't stop there. As hackers realize their wholesale model of mass credential breaches has been disrupted, they will target devices with malware, for example keyloggers. A keylogger yields nothing against a FIDO assertion, but malware on the device can act after the user has authenticated. So, while mobile security will improve with strong authentication free of shared secrets, we'll need more robust malware detection, device-health checks, and defense capabilities on mobile devices.
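To make the shared-secret point of the two preceding sections concrete, here is a stripped-down model of a FIDO-style registration and login, written for this article as an added example; it is not HYPR's code or a FIDO Alliance reference implementation. It uses Ed25519 from Go's standard library in place of the ES256 signatures and CBOR-encoded authenticator data that real FIDO2/WebAuthn exchanges carry, the relying-party name `bank.example` and the `biometricOK` flag standing in for the on-device match are assumptions, and both sides run in one process so it works offline. It shows the server storing only public keys, a fresh random challenge being signed only after local user verification, and the rejection of a replayed assertion, of an assertion from a key the server has never seen, and of one signed for a different relying party.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// RelyingParty models the server side. Everything it holds is public: a
// public key per user and the one-time challenges currently outstanding.
type RelyingParty struct {
	ID         string                       // assumed RP identifier, e.g. "bank.example"
	PublicKeys map[string]ed25519.PublicKey // username -> registered public key
	Challenges map[string]string            // username -> outstanding challenge (hex)
}

// Authenticator models the device side. The private key never leaves it and
// is only used after the local biometric check has passed.
type Authenticator struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, PublicKeys: map[string]ed25519.PublicKey{}, Challenges: map[string]string{}}
}

func NewAuthenticator() *Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv, pub: pub}
}

// Register: the device hands over only its public key, so a dump of the
// server's credential table contains nothing reusable.
func (rp *RelyingParty) Register(user string, a *Authenticator) {
	rp.PublicKeys[user] = a.pub
}

// BeginLogin issues a fresh 32-byte random challenge, valid for one attempt.
func (rp *RelyingParty) BeginLogin(user string) (string, error) {
	if _, ok := rp.PublicKeys[user]; !ok {
		return "", errors.New("unknown user")
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ch := hex.EncodeToString(buf)
	rp.Challenges[user] = ch
	return ch, nil
}

// signedData binds the challenge to the relying party, so an assertion made
// for one site cannot be presented to another.
func signedData(rpID, challenge string) []byte {
	return []byte(rpID + "|" + challenge)
}

// Sign produces the assertion. biometricOK is an assumed stand-in for the
// on-device fingerprint or face match; the server never sees the biometric.
func (a *Authenticator) Sign(rpID, challenge string, biometricOK bool) ([]byte, error) {
	if !biometricOK {
		return nil, errors.New("user verification failed: private key stays locked")
	}
	return ed25519.Sign(a.priv, signedData(rpID, challenge)), nil
}

// FinishLogin consumes the challenge (so the same signature cannot be
// replayed) and verifies the assertion against the stored public key.
func (rp *RelyingParty) FinishLogin(user, challenge string, sig []byte) error {
	pub, ok := rp.PublicKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, ok := rp.Challenges[user]
	if !ok || want != challenge {
		return errors.New("stale or unknown challenge")
	}
	delete(rp.Challenges, user) // one-time use, consumed regardless of outcome
	if !ed25519.Verify(pub, signedData(rp.ID, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("bank.example")
	device := NewAuthenticator()
	rp.Register("alice", device)

	// 1. Normal login: challenge, on-device unlock, signature, verification.
	ch, _ := rp.BeginLogin("alice")
	sig, _ := device.Sign(rp.ID, ch, true)
	fmt.Println("legit login:", rp.FinishLogin("alice", ch, sig))

	// 2. Replaying the captured assertion fails: the challenge was consumed.
	fmt.Println("replayed assertion:", rp.FinishLogin("alice", ch, sig))

	// 3. An attacker who dumped the server holds only public keys; a
	//    signature from any other key is rejected.
	ch, _ = rp.BeginLogin("alice")
	thief := NewAuthenticator()
	sig, _ = thief.Sign(rp.ID, ch, true)
	fmt.Println("forged assertion:", rp.FinishLogin("alice", ch, sig))

	// 4. A failed biometric match means the key never signs at all.
	_, err := device.Sign(rp.ID, "irrelevant", false)
	fmt.Println("without user verification:", err)
}
```

Run it with `go run`. The point to notice is what a breach of the RelyingParty struct gives an attacker: a table of public keys and already-consumed challenges, none of which can be turned into a login, which is the property the article contrasts with password databases.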

Make User Experience a Top Priority
Any method of access alternative to passwords should be simpler and faster, or consumers will balk at adoption. In today's business atmosphere, keeping the user's attention is critical because it's easy to lose it. Ease of use should be the top priority for every organization. 

Providing an easy-to-use, uniform experience for biometrics is simpler than one may think. Most employees already have a company or personal smartphone with one or more biometric capabilities. Cybersecurity teams should ensure that all mobile devices across their enterprise can be leveraged seamlessly to authenticate to workstations, to apps using single sign-on, and to physical access systems. Organizations can then remove the password from the login process — and from existence with FIDO standards — and provide a seamless UX by having the user authenticate with the familiar biometric capability on their mobile device. 

An Iterative Process
Cybersecurity teams will succeed with biometrics if they embrace it as a gradual process. Find areas of your business where biometrics can have the greatest effect quickly and deploy the capabilities there. This can be for internal use cases or consumer-facing apps.

Bojan Simic is the Chief Technology Officer and Co-Founder of HYPR. Previously, he served as an information security consultant for Fortune 500 enterprises in the financial and insurance verticals conducting security architecture reviews, threat modeling, and penetration ...
Comments
Kathleen Peters, User Rank: Author, 6/11/2019 11:03:00 AM
Biometrics are an important part of a layered approach
Biometrics are a key component for authentication use cases, and one that consumers have grown comfortable with providing. There is a high level of convenience when "you are your ID." Depending on the nature of a particular transaction, a real-time risk assessment can be done to determine whether the biometric should be used as a step-up; or in conjunction with other information provided by the consumer (what you know, what you have); or in conjunction with attributes passively provided by the device they are using. At the time of a new account opening, or for high-value transactions, a combination of authentication methods, both actively involving the user and in the background, can provide security as well as convenience.
CameronRobertson, User Rank: Moderator, 6/13/2019 4:08:45 AM
Many more tasks
Biometrics help to save a lot of time and can actually perform more tasks than we would expect. Apart from simply opening doors or locks, biometrics can also be used to track employees' attendance for daily work or for courses/training. They provide accurate recording and easy tabulating of recorded data. This system would help prevent human error and also save a lot of time on administrative duty.