Remember all of my blogs about passwords? The basic premise behind most of them was
that no matter how much we hate our passwords, they are still going to be
around with us for the longest time.
Although they have proven their huge weaknesses and, IMHO, will remain the
weakest link in the security chain (no, not humans), we will still use them.
Sure, businesses have tried to make their employees adopt
stronger and more complex passwords, but the truth of the matter is that we are
creatures of habit.
No matter what new things might be ahead of us, we still
want to use what we already have, and for the longest time. Heck, people still use the same passwords
over and over again.
To combat this, businesses have adopted the use of what are
called Password Managers. These are relatively
easy-to-use software apps that essentially create long and complex passwords, store
them, and even rotate the passwords once they have reached a certain age
limit, as set forth by the IT Security team.
They will even alert the end user if the passwords that are
in use have turned up in a security breach.
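The three jobs the paragraph above gives a password manager, shown as a small added example written for this post (not code from the post or from any product): generating passwords from a CSPRNG, flagging entries that have passed an age limit, and alerting on passwords that appear in breach data. The breach check assumes the k-anonymity range-lookup scheme used by the Have I Been Pwned "Pwned Passwords" API, where the client sends only the first five hex characters of the password's SHA-1 and matches the returned suffixes locally; the breach corpus, the 90-day policy and the clock are constructed values so the code runs offline.

```python
"""Toy password-manager core: generation, rotation, breach alerting.

Added illustration written for this post; it is not the post's code nor any
real product's. The breach check follows the k-anonymity scheme used by the
Have I Been Pwned "Pwned Passwords" range API: a client sends only the first
five hex characters of the password's SHA-1 and receives every known suffix
for that prefix, so the full hash never leaves the device. The breach corpus
and the 90-day age policy below are constructed values for the demo.
"""
import hashlib
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}"
MAX_AGE = timedelta(days=90)  # constructed rotation policy


def generate_password(length=24):
    """Long, random password drawn with the `secrets` module (CSPRNG), never `random`."""
    if length < 12:
        raise ValueError("policy requires at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed breach corpus standing in for the remote service's data.
BREACH_CORPUS = {"password123": 1_234_567, "letmein": 98_765, "qwerty": 3_456_789}


def fake_range_lookup(prefix):
    """Offline stand-in for GET /range/{prefix}: returns 'SUFFIX:COUNT' lines."""
    lines = []
    for pw, count in BREACH_CORPUS.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


def breach_count(password, range_lookup=fake_range_lookup):
    """Number of times the password appears in the breach data (0 if never)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        if ":" not in line:
            continue  # tolerate blank or malformed lines
        known_suffix, count = line.split(":", 1)
        if known_suffix == suffix:
            return int(count)
    return 0


class Vault:
    """Minimal in-memory store: site -> (password, creation time). No persistence or encryption here."""

    def __init__(self):
        self._entries = {}

    def add(self, site, password, created_at):
        self._entries[site] = (password, created_at)

    def due_for_rotation(self, now):
        """Sites whose password is older than MAX_AGE."""
        return sorted(s for s, (_, t) in self._entries.items() if now - t > MAX_AGE)

    def breached_sites(self, range_lookup=fake_range_lookup):
        """Sites whose stored password shows up in the breach data."""
        return sorted(s for s, (pw, _) in self._entries.items()
                      if breach_count(pw, range_lookup) > 0)


def demo():
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    vault = Vault()
    vault.add("bank", generate_password(), now - timedelta(days=120))  # stale, must rotate
    vault.add("mail", generate_password(), now - timedelta(days=10))
    vault.add("forum", "password123", now - timedelta(days=5))        # reused, breached
    return vault.due_for_rotation(now), vault.breached_sites()


if __name__ == "__main__":
    print(demo())  # (['bank'], ['forum'])
```

The point of the prefix split is that a manager can check every stored password against a public breach corpus without ever sending the password or its full hash off the device; a real client would replace `fake_range_lookup` with an HTTPS request and would keep the vault encrypted at rest.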
But to add more security to this, companies then adopted
what is known as Two-Factor Authentication, or 2FA for short. This is where the employee (for example) will
not only have to enter their password, but also be authenticated by another
mechanism (such as a challenge/response step). But like the password itself, this also
proved to be highly vulnerable to the Cyberattacker.
So then, businesses turned to what is known as Multifactor
Authentication, or MFA for short. This is where the employee now has to be
authenticated by at least three different types of authenticating mechanisms. So for example, this could involve the password,
an RSA token, and even the challenge/response question.
But even with this, there are still issues that have arisen. The reason for this is that many entities
still use weaker forms of authentication.
Once again, this comes down to the password. Once that is hacked, the Cyberattacker,
for the most part, can make a reasonably good attempt to get at the other
credentials.
Is there a solution for all of this? Actually, yes there is. It is known as “Biometrics”. This is where an individual’s identity can be
confirmed by taking a snapshot of their physiological and/or behavioral
features. From here, the unique features
are extracted and then used for authentication purposes.
It has a number of distinct advantages, which include the
following:
* The raw image of the physiological and/or behavioral features
is never stored. Rather, it is
converted over to a mathematical file, which is stored and used for
authentication purposes.
* If, by chance, a Biometric Template is stolen, it is
not the same thing as credit card theft (I have been asked this a lot). After all, what can a Cyberattacker do with a
mathematical file? Really nothing.
* If a template is damaged or even hijacked, all that needs
to be done is to collect new raw images. There are no reset costs, which is
typically true of the password.
* Biometric Templates are truly unique identifiers. For example, nobody has the same fingerprint,
retinal structure, or even the same iris structure. That is what makes Biometrics so appealing in
MFA situations.
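To make the "mathematical file" in the list above concrete, here is an added toy example written for this post (not the post's code, and not any vendor's algorithm). A raw scan is modelled as a list of (x, y) feature points, standing in for fingerprint minutiae; the stored template is a coarse occupancy grid derived from those points, so only sixteen integers are kept and the raw scan is discarded. Because two live scans of the same finger are never byte-identical, verification is a similarity score against a threshold rather than an exact comparison. The coordinates, the fixed offset used to fake a second scan, and the threshold are all constructed values.

```python
"""Toy biometric template pipeline: enroll a template, verify a live scan.

Added example written for this post, not the post's own code or any vendor's
algorithm. A 'raw scan' is modelled as a list of (x, y) feature points
(standing in for fingerprint minutiae) on a 256x256 sensor. The stored
template is a 4x4 occupancy grid derived from those points: sixteen
integers, not the image. Matching uses cosine similarity against a threshold,
because two live scans of the same finger are never byte-identical. All
coordinates, the offset used to fake a second scan, and the threshold are
constructed values.
"""
import math

SCAN_SIZE = 256
GRID = 4                      # template has GRID * GRID cells
CELL = SCAN_SIZE / GRID       # 64.0 pixels per cell
MATCH_THRESHOLD = 0.80        # constructed; real systems tune this against FAR/FRR targets


def extract_template(points):
    """Count feature points per grid cell. Only these counts are retained."""
    cells = [0] * (GRID * GRID)
    for x, y in points:
        cx = min(GRID - 1, int(x // CELL))
        cy = min(GRID - 1, int(y // CELL))
        cells[cy * GRID + cx] += 1
    return cells


def similarity(t1, t2):
    """Cosine similarity of two templates; 1.0 means identical distribution."""
    dot = sum(a * b for a, b in zip(t1, t2))
    n1 = math.sqrt(sum(a * a for a in t1))
    n2 = math.sqrt(sum(b * b for b in t2))
    if n1 == 0 or n2 == 0:
        return 0.0
    return dot / (n1 * n2)


def enroll(raw_points):
    """Enrollment keeps the template and lets the raw scan go out of scope."""
    return extract_template(raw_points)


def verify(enrolled_template, live_points):
    """Authentication: derive a template from the live scan and compare."""
    score = similarity(enrolled_template, extract_template(live_points))
    return score >= MATCH_THRESHOLD, score


def rescan(points, dx, dy):
    """Constructed sensor noise: shift every point by a fixed offset, clamped to the sensor."""
    return [(min(SCAN_SIZE - 1, max(0, x + dx)), min(SCAN_SIZE - 1, max(0, y + dy)))
            for x, y in points]


# Constructed minutiae for two different fingers.
ALICE = [(10, 10), (62, 40), (100, 20), (130, 50), (200, 10), (240, 60),
         (30, 100), (90, 120), (160, 110), (220, 100), (50, 200), (150, 230)]
BOB = [(30, 150), (70, 180), (120, 170), (180, 200), (230, 240), (200, 150),
       (10, 70), (250, 20), (140, 140), (60, 250), (110, 90), (170, 30)]


def demo():
    enrolled = enroll(ALICE)
    # Same finger, slightly shifted: the point at (62, 40) crosses a cell boundary,
    # so the two templates differ yet still match above the threshold.
    same_ok, same_score = verify(enrolled, rescan(ALICE, 3, -2))
    # Different finger under the same sensor noise: rejected.
    other_ok, other_score = verify(enrolled, rescan(BOB, 3, -2))
    return same_ok, round(same_score, 4), other_ok, round(other_score, 4)


if __name__ == "__main__":
    print(demo())  # (True, 0.9375, False, 0.4677)
```

Two things the list above does not spell out fall straight out of the code: the threshold is a trade-off (lower it and the wrong finger is accepted more often, raise it and the right finger is rejected more often), and a template is only as meaningful as the extraction function that produced it, which is why a compromised template can be retired simply by re-enrolling with fresh raw images.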
Now there is the concern of what are known as Deepfakes. Long story short, this is where AI and ML are
used to construct a realistic, lifelike image of somebody or something. But, to a trained eye, one can notice the
subtle differences and spot a Deepfake.
Now the question arises: can Deepfakes be used to reconstruct the raw images
just described?
I have never really thought about this until now. But given
the way that technology is evolving, it is possible that it could happen. But here is the beauty of Biometrics: all modalities require a live scan sample.
Meaning, if Fingerprint Recognition is being used, it requires
that a pulse be taken from the finger first.
Although Biometric systems could still possibly be spoofed, the technology
is also rapidly advancing in this area to stop this from happening as well.
My Thoughts On This:
Implementing the use of Biometrics in an MFA solution (or even
as a stand-alone one) is not too complex.
In fact, it is even easier to set up than your own smartphone. Corporate America is now finally realizing
the full benefits of using Biometrics, and here are some resources that I have
come across:
The FIDO Alliance for Biometrics standards:
https://fidoalliance.org/fido2/
Using Smart Cards along with Biometrics in an MFA solution:
A Playbook for avoiding Biometric Template Spoofing:
In the end, the best MFA solutions will address these
authentication questions:
* Something you have
* Something you are
* Something you know
Also keep in mind that a beauty of MFA is that you don’t
have to deploy just three layers of authentication.
You can deploy as many as you deem necessary, in order to protect both
your digital and physical assets.
Finally, the last thing to remember about Biometrics is its
social implications. Since it is the physiological
and/or behavioral samples that are being collected, there is the issue of
privacy rights and violation of Civil Liberties. But that is a blog for the future. Stay tuned.