Saturday, April 22, 2023

Why Biometrics Should Be Part Of An MFA Solution - 5 Golden Reasons

Remember all of my blogs about passwords? The basic premise behind most of them was that no matter how much we hate our passwords, they are still going to be around with us for the longest time. Although they have proven their huge weaknesses and, IMHO, will remain the weakest link in the security chain (no, not humans), we will still use them.

Sure, businesses have tried to make their employees adopt stronger and more complex passwords, but the truth of the matter is that we are creatures of habit.

No matter what new things might be ahead of us, we still want to keep using what we already have, for as long as we can. Heck, people still use the same passwords over and over again.

To combat this, businesses have adopted the use of what are called Password Managers. These are relatively easy-to-use software apps that essentially create long and complex passwords, store them, and even change out the passwords once they have reached a certain age, as set forth by the IT Security team.

They will even alert the end user if a password that is in use has been exposed in a security breach.

But to add more security to this, companies then adopted what is known as Two-Factor Authentication, or 2FA for short. This is where the employee (for example) not only has to enter their password, but also has to be authenticated by another mechanism (such as a challenge/response kind of thing). But like the password itself, this also proved to be highly vulnerable to the Cyberattacker.

So then, businesses turned to what is known as Multifactor Authentication, or MFA for short. This is where the employee now has to be authenticated by three or more different types of authenticating mechanisms. So for example, this could involve the password, an RSA token, and even the challenge/response question.

But even with this, there are still issues that have arisen. The reason for this is that many entities still use weaker forms of authentication. Once again, this comes down to the password. Once that is hacked into, the Cyberattacker, for the most part, can make a reasonably good attempt to get at the other credentials.

Is there a solution for all of this? Actually, yes there is. It is known as “Biometrics”. This is where an individual’s identity is confirmed by taking a snapshot of their physiological and/or behavioral features. From here, the unique features are extracted, and it is these that are used for authentication purposes.

It has a number of distinct advantages which include the following:

*The raw image of the physiological and/or behavioral features is never stored. Rather, it is converted into a mathematical file (the template), which is what gets stored and used for authentication purposes.

*If by chance a Biometric Template is stolen, it is not the same thing as credit card theft (I have been asked this a lot). After all, what can a Cyberattacker do with a mathematical file? Really nothing.

*If a template is damaged or even hijacked, all that needs to be done is to collect new raw images. There are no reset costs, which is typically not true of the password.

*Biometric Templates are truly unique identifiers.  For example, nobody has the same fingerprint, retinal structure, or even the same iris structure.  That is what makes Biometrics so appealing in MFA situations.

Now there is the concern of what are known as Deepfakes. Long story short, this is where AI and ML are used to construct a realistic, lifelike image of somebody or something. But, to a trained eye, one can notice the subtle differences and spot a Deepfake. Now the question arises whether Deepfakes could be used to reconstruct the raw images just described.

I have never really thought about this until now. But given the way that technology is evolving, it is possible that it could happen. But here is the beauty of Biometrics: all modalities require a live scan sample.

Meaning, if Fingerprint Recognition is being used, it requires that a pulse be taken from the finger first. Although Biometric systems could still possibly be spoofed, the technology is also rapidly advancing in this area to stop this from happening as well.

My Thoughts On This:

Implementing Biometrics in an MFA solution (or even as a stand-alone one) is not too complex. In fact, it is even easier to set up than your own smartphone. Corporate America is now finally realizing the full benefits of using Biometrics, and here are some resources that I have come across:

The FIDO Alliance for Biometrics standards:

https://fidoalliance.org/fido2/

Using Smart Cards along with Biometrics in an MFA solution:

https://www.securetechalliance.org/smart-cards-intro-standards/#:~:text=The%20primary%20standards%20for%20smart,standard%20broken%20into%20fourteen%20parts.

A Playbook for avoiding Biometric Template Spoofing:

https://www.biometricupdate.com/202303/biometric-anti-spoofing-handbook-updated-with-liveness-competitions-legislative-impact

In the end, the best of MFA solutions will address these authentication questions:

*Something you have

*Something you are

*Something you know

Also keep in mind that a beauty of MFA is that you don’t have to stop at three layers of authentication. You can deploy as many as you deem necessary in order to protect both your digital and physical assets.

Finally, the last thing to remember about Biometrics is its social implications.  Since it is the physiological and/or behavioral samples that are being collected, there is the issue of privacy rights and violation of Civil Liberties.  But that is a blog for the future.  Stay tuned.
