Biometrics can replace passwords, but pose a hidden threat if stolen
As the technology sector moves further into biometric authentication different vulnerabilities are introduced. After all, a stolen phone or password is different than a stolen iris or thumbprint.
Recently, Yahoo and Google announced initiatives to kill the password. With nascent systems for identity verification, such as biometrics, becoming more prevalent, will the password become a relic of the past?
In 2013, Apple introduced Touch ID fingerprint scanners into consumer-targeted smartphones. On announcing the feature the company made it clear that the fingerprint information is stored locally in a secure location rather than being stored remotely on Apple servers or in the Cloud, making it very difficult for external access.
The ramifications of a stolen palm print or iris can be much more damaging than a stolen password. If legislation or regulations are proposed in biometrics, the following principles should be considered to protect privacy and security:
–Limit collection of biometrics – The collection should be limited to the minimum necessary.
–Define clear rules on the legal process required for collection.
–Limit the amount and type of data stored.
–Limit the combination of more than one biometric in a single database.
–Define clear rules for use and sharing.
–Enact robust security procedures to avoid data compromise.
–Mandate notice procedures.
–Define and standardize audit trails and accountability throughout the system.
–Ensure independent oversight.
Fingerprints increasingly replace passwords for security measures and hackers may leverage this vulnerability to their advantage. For instance, Darktrace, a British cybersecurity company, installed a hacking diagnostic tool in an Asian manufacturing business which used a fingerprint system to control access to areas of its campus. The system was successfully attacked resulting in the loss of the entire database of employee fingerprints. The attacker even gained the ability to add new fingerprints to the system, granting access to any part of the business.
The concept of biometric authentication is rapidly becoming a reality. Mastercard Identity Check will allow users to authenticate their online purchases through facial recognition and fingerprint biometrics. Increasingly, biometrics are being used to do away with the messiness of passwords. The passwords people choose are often weak or kept on a remote server where they can be hacked. In contrast, biometric information is authenticated on the device itself and not stored.
Forrester research expects several new software-based, mobile-fueled biometrics to become available in the next 12 to 18 months but caution to avoid using biometric-based solutions as a sole authentication factor. Many have subtle security and privacy challenges and some have usability challenges.
Coming more into popularity now is a combination of password and biometrics in the form of two-factor authentication. This typically combines login with a text message or email you need as a second step for verifying that it is really you. It’s tougher to hack and is being phased in for banking customers by federal mandate.
Cybercriminals are already able to hack ATM biometric readers. In fact, devices are being sold on the Dark Web that can allegedly steal fingerprints. In June of 2015 the Office of Personnel Management (OPM) discovered records of 21.5 million current, former and prospective Federal employees had been stolen. 5.6 million of those records were people’s fingerprints.
First appeared at PaymentsSource