Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/18/2017
02:30 PM
Todd Thibodeaux
Todd Thibodeaux
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What CISOs Need To Know Before Adopting Biometrics

Biometric techniques offer a solution to the password problem, but getting started can be tough. Here are a few things you need to know.

Businesses have long sought a better way to balance end-user security and usability, and it's clear the password-only model needs to change.

Faced with employees who are unwilling to remember more than a handful of unique passwords despite using dozens of different devices, services, and platforms, organizations have thrown their weight behind biometric authentication. Fingerprints, voice, and retina patterns — which are hard to fake and impossible to forget — promise an escape from poor end-user security habits.

Laying the Groundwork for Biometric Authentication
With myriad off-the-shelf solutions and potential approaches to implementing biometric authentication, it can be difficult to know where to start. Here are a three considerations CISOs should keep in mind while planning their organization's transition:

1. Biometric data is personally identifiable information. It's always important for organizations to protect their users' passwords, but biometric authentication data presents an extra layer of complexity. Not only is biometric data used to access sensitive or confidential resources, it is valuable in its own right. In fact, organizations that contract with the U.S. government are often required to submit to the personally identifiable information management practices outlined in the Privacy Act of 1974, but states can and do pass more stringent regulations in a patchwork of security breach notification laws. For example, California's SB 1386 requires organizations to notify individuals when PII is believed to be compromised.

Before fully adopting biometric authentication, IT leaders must carefully consider how PII will be stored and used. A fingerprint reader installed on a workstation is less risky than biometric authentication passed over a network, for example, but biometric tokenization can largely eliminate this weakness. Organizations should focus on securing devices that will store biometric data through measures such as encryption, adoption of trusted platform modules in client machines to prevent data theft, and other physical security measures.

2. Passwords still have a place. Although biometric authentication promises to make users less reliant on passwords, it's limited in its ability to fully supplant them. Even ignoring the legal and ethical complexities introduced by biometric authentication, a breach can permanently render biometric data unusable from a security standpoint. A password, once compromised, can be changed, but the same can't be said of fingerprints, hand geometry, and retina patterns.

At the same time, biometric authentication isn't 100% reliable. Where no modern system will reject a correct password, every biometric authentication configuration must account for some level of false negatives and positives. Especially in highly secure environments, false positives may present an unacceptable risk, while false negatives require a fallback authentication mechanism such as a traditional password. CISOs planning to adopt biometric authentication must ensure that biometric credentials are issued in addition to, not in place of, traditional passwords.

3. Protecting data through redundancy. Organizations planning to deploy biometric authentication on any large scale must include data loss prevention in their implementation from the beginning. This is true not only of biometric data transmitted by users but also of the data they intend to access. To prevent the loss of biometric data, organizations should invest in high-availability authentication servers, using technology such as load balancing to ensure high demand doesn't prevent end users from authenticating. IT leaders must also consider ways to protect the data end users wish to access. Since any single form of biometric authentication could report a false positive, organizations should make sure that sensitive systems can use multiple biometric sources in tandem, such as both facial and fingerprint recognition.

A More-Secure Future
Biometrics may not solve all poor end-user security practices, but the right strategy can help organizations seriously address the shortcomings of their existing password use. In an ideal implementation, biometrics can serve as a quicker, more convenient access solution for end users while enabling multifactor authentication and more robust security. Businesses may need to invest in additional capabilities to meet logistical and regulatory demands, but it's clear that passwords alone aren't enough.

Related Content:

Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.