Biometric Authentication – Our ‘Unique Human Identities’ Under Attack
Editor’s Note: In late 2018, CyberArk published five cybersecurity predictions for 2019. This deep-dive blog series will examine each prediction in detail to help organizations stay on top of emerging threats and out-innovate and out-maneuver cyber attackers. One of the goals for this series is to provide updates on how these trends develop and progress over the course of the year. Today’s topic is biometric authentication.
The buzz around biometric authentication and its role in cybersecurity continues to build. Once reserved for sci-fi movies, biometric fingerprint readers, facial recognition systems, retinal scanners and more have, in recent years, proven effective in authenticating consumer devices. This has prompted many enterprise organizations to explore biometric authentication as a way to safeguard their sensitive data. Some information security pundits believe biometric technology is the future of digital security, while others voice mounting concerns around privacy. Before we weigh the risks and rewards, here’s a quick overview.
Breaking Down Biometric Authentication
To be useful for identification and access control purposes, biometric markers must be unique to an individual, permanent and recordable. Examples of biometric data include a person’s unique facial structure, the one-of-a-kind patterned iris encircling a pupil in the eye, the tiny ridges of a fingerprint, the unique sound waves of a person’s voice (or “voiceprint”), the geometry of a hand or the way a person interacts with a computer system (his/her typing cadence, mouse usage, keystrokes, etc.). These ‘unique human identities’ are collected, stored and matched in a database, providing a secure way for users to log into a host of devices or systems without having to use (and remember) multiple passwords.
A survey conducted by CyberArk among UK office workers released in late 2018 revealed that many organizations are beginning to integrate cutting-edge new security technologies into their strategies, with nearly one in five (19%) reporting that their IT security team is experimenting with biometric security techniques, including fingerprint and retinal scans and embedded microchips.
The Biometric Authentication Cybersecurity Conundrum
When it comes to biometric authentication, there are myriad security and privacy concerns.
First and foremost, because of the permanent nature of these identifiers, the stakes are much higher and the security and privacy risks are much greater. You cannot change your face, hand vein structure or fingerprints the way you can change a traditional password, so if someone steals and uses or duplicates your biometric identity, you can’t do much about it – leaving your devices and accounts vulnerable and exposed. Furthermore, the permanence of biometric authentication could easily lead some individuals and organizations to become overly confident in the technology and give up on cybersecurity best practices such as strong password policies and multi-factor authentication (MFA).
Cyber attackers understand all of this and have mounted a wave of attacks against these newly engineered biometric markers for digital and physical authentication.
Here are just a few ways attackers are targeting these identities to gather massive amounts of biometric data for future modeling purposes and nefarious use:
- Embedded human microchips. According to the biohacking company Dangerous Things, between 50,000 and 100,000 people today sport an embedded microchip, which they use to do things like unlock their office door, get into the gym, buy lunch and simplify travel. Yet a number of security researchers have demonstrated ways to successfully hack into these chip implants – from infecting a chip with a virus through an SQL injection attack to conducting a URL attack on a browser vulnerability via an NFC chip.
- Genetic consumer services. If you’ve ever taken an at-home DNA test, your unique genetic information is now in the hands of an organization you probably know little to nothing about. Last June, genealogy testing service MyHeritage revealed that 92 million accounts were found on a private server. While personal DNA was not compromised in this instance, it illustrates the potential for far-reaching damage in the case of a successful breach.
- Biometric stores within organizations. As adoption of biometric authentication soars, massive amounts of highly sensitive data are being collected, stored on-premises and in the cloud, processed and accessed with little protection or oversight. Cyber attackers are increasingly targeting data stores within organizations, understanding that many have not implemented the appropriate technical and organizational measures needed to keep this sensitive data secure.
Unfortunately, uncrackable biometric authentication technology is still very much science fiction. While the future of traditional passwords isn’t looking bright, there is still much work to be done on both the cybersecurity and privacy regulation fronts before organizations can adopt this futuristic authentication approach with confidence.