In this two-part Q&A, Morey Haber and John Masserini discuss the current and future state of biometrics. Industry thought leaders, Haber and Masserini address leading questions surrounding biometrics from the vendor and enterprise perspective.
Q: Can biometrics replace any existing authentication technology today?
Haber: Yes, but there is a lot of work, and additional security, that is needed for biometrics to be a secure and viable solution. For example, biometrics should only be used for authentication or authorization but never both at the same time.
In addition, biometrics alone, without a PIN or other verification media, is insufficient. Furthermore, technologies need to evolve to ensure that a fingerprint alone cannot jeopardize the integrity of the system. Plus, security policies for storage, encryption, and even biometric rotation (like password rotation) need to be clearly defined and successfully implemented and enforced.
Masserini: The biometric industry has certainly matured over the past decade, providing several trustworthy solutions, but I’d rather say it’s a part of the maturation of authentication technology rather than a replacement of it. Most biometric solutions require a PIN when used for authentication, and in reality, a PIN is no more or less secure than a password.
The biggest challenge of biometric deployment is the delineation between authentication and authorization. Today’s authentication technologies combine both of these factors into a single action, rather than a deterministic view of identification versus action.
While it is feasible to deploy a biometric solution in the same manner, one must question why you would go through the effort and expense to only nominally increase security. By leveraging existing authentication technology along with a biometric solution, you can significantly enhance the control, while simultaneously making it easier for the user.
Q: When should biometrics augment existing solutions?
Haber: Consider any security model that is easy to document or communicate. The authentication mechanisms for these security models are via paper, verbally, electronically, or even a text message. A username and password is a traditional example of this. Both strings are easy to document.
Biometrics is a great addition to this type of technology, or even using PIN codes, to ensure the proper identity is using this less secure authentication vehicle.
Masserini: I think a key point that needs to be made here is ‘authentication, not authorization.’ There are a number of easily adaptable solutions on the market that can leverage biometric authentication within the enterprise. The challenge comes when organizations who have typically taken an ‘all data is equally important’ position try to delineate between various access rights.
Let’s face it, when most people think about biometrics, they think it is just an ‘easy PC login,’ which is basically only moderately better than where we are now with passwords. To fully appreciate what a biometric solution can offer, organizations should separate the authentication process from the authorization process.
For instance, I may grant a device access to a network based on a biometric authentication, but lock them into a network or limit the device’s capability until further authorization credentials are supplied – basically adaptive authentication. Now you need to get on the web? Perhaps the fingerprint is enough. Now you want to send an email? That requires a PIN as well so I know you’re authorized to do so.
Biometrics can offer a great deal in enhancing the controls in the infrastructure, but only if deployed thoughtfully – otherwise, it’s fundamentally nothing more than a username/password control.
Q: When should biometrics never be used?
Haber: Biometrics should never be used alone for access regardless of authentication or authorization. Door locks are a perfect example of this problem. A stolen fingerprint can easily be manufactured to bypass the physical security of the device and compromise the contents behind the door. A second example is your mobile device.
A fingerprint is used for authorization and authentication in the case of logging in to potentially access a financial mobile app pay. While this is not as risky as a biometric door lock, since it assumes you have possession of the device, it represents an unacceptable risk for entities securing more information than just a consumer’s device, personal financials and information.
I would never allow an application on a mobile device that uses its local biometric system alone to access sensitive data within an organization. There should always be a second mechanism on top of that to provide the user’s identity.
Masserini: That’s basically asking ‘when should a password never be used.’ Biometrics and passwords are becoming fairly ubiquitous so it’s more of a question around what the risk is.
As stated several times already, one should never rely solely on a biometric alone as a method of strong authentication, but as a key part of a multi-faceted, multi-tier authentication architecture. For example, presuming the fingerprint reader on a mobile device is trustworthy, then sending that same device an SMS code for logging into a critical service doesn’t provide the level of assurance required to, say, process a six-figure wire transfer; however, it may be good enough to check email.
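The tiering both speakers describe (a fingerprint for web access, an additional PIN for email, and more than a same-device SMS code for a wire transfer) can be written as a step-up policy. The sketch below is an added example, not code from the interview or from either speaker's organization; the action names, factor names, levels, and the rule that the top level needs a factor verified off the biometric's device are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Factor:
    kind: str     # e.g. "fingerprint", "pin", "sms_otp", "hw_token" (assumed names)
    channel: str  # device or channel the factor was verified on

# Assumed policy: minimum assurance level each action requires.
REQUIRED_LEVEL = {"browse_web": 1, "send_email": 2, "wire_transfer": 3}

def assurance_level(factors):
    """0 = no biometric, 1 = biometric only, 2 = biometric plus a second
    factor, 3 = the second factor was verified off the biometric's device."""
    kinds = {f.kind for f in factors}
    if "fingerprint" not in kinds:
        return 0
    if len(kinds) == 1:
        return 1
    bio_channels = {f.channel for f in factors if f.kind == "fingerprint"}
    out_of_band = any(f.kind != "fingerprint" and f.channel not in bio_channels
                      for f in factors)
    return 3 if out_of_band else 2

def authorize(action, factors):
    """Authentication (who) is the biometric; authorization (what) is decided
    per action, and may ask for more credentials instead of failing."""
    need = REQUIRED_LEVEL.get(action)
    if need is None:
        return "deny"  # unknown action: fail closed
    return "allow" if assurance_level(factors) >= need else "step_up"

if __name__ == "__main__":
    # Constructed sample sessions, all starting from a fingerprint on one phone.
    finger = Factor("fingerprint", "phone-1")
    sessions = {
        "fingerprint only": [finger],
        "fingerprint + PIN on phone": [finger, Factor("pin", "phone-1")],
        "fingerprint + SMS to same phone": [finger, Factor("sms_otp", "phone-1")],
        "fingerprint + separate token": [finger, Factor("hw_token", "token-7")],
    }
    for name, factors in sessions.items():
        print(name, {a: authorize(a, factors) for a in REQUIRED_LEVEL})
```

The SMS code sent to the phone that captured the fingerprint stays at level 2 because both factors depend on the same device, which is why it passes for email and triggers a step-up for the wire transfer.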
Upcoming Part Two:
In the next installment, Haber and Masserini continue their assessment of biometrics and other forms of adaptive authentication. They also examine the process for retaining and purging biometric data, and draw conclusions.