• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


The truth behind biometric authentication


Biometric identification has advanced quickly over the last few years.

The technology is now reliable enough to see widespread use, even in consumer products. High-end smartphones already come with fingerprint scanners, along with voice and face recognition technology. E-passports and biometric scanners at airports are now standard practice. In theory, biometrics are perfect for user authentication: we all have distinct, identifiable biological signatures that are difficult, if not impossible, to fake. But while biometrics may seem secure on the surface, they are not exactly foolproof.

The dark side of biometrics

The first issue with biometric verification is how ‘permanent’ it is. If you find out your account is at risk, it’s simple enough to change the password. But if your biometrics are compromised, you can’t change your voice, fingerprints or face. Identity theft that exploits biometrics can therefore be much harder to recover from.

The second issue is their fallibility. While they can be much more secure than easy-to-guess passwords, hackers have already shown they can fool fingerprint scanners with an 80% success rate. And since you can’t wear gloves all the time, you’re bound to leave your fingerprints in public spaces as you go about your day, leaving you exposed to anyone willing to lift them.

Your voiceprint isn’t 100% secure either. We already know that deepfakes powered by AI and machine learning can imitate voices quite convincingly. The more audio samples the hackers have, the easier it is to fool voice recognition biometrics. If you’re a celebrity or public figure, there are probably hours of your audio and video recordings just a Google search away. As deepfake technology advances, faking someone’s voice will only get easier and more accurate. Even advanced facial recognition technology can be fooled by something as simple as a photograph or a mask.

What this means for businesses

Organisations that hold customer and employee biometric data will have a huge responsibility to safeguard it and make sure it’s handled appropriately. That’s a big risk for any company to take, and there will need to be very specific policies on how that data should be handled. If their system is hacked and biometric data leaks out into the wild even once, those affected are likely to face an increased risk of hacking for the rest of their lives. Their biometric data will forever remain a security risk.

That being said, biometrics do offer advantages that no other security measures do. For some use cases, like e-passports in international airports, they make a lot of sense. You just need to be fully aware of what your use case is and how the technology fits into your cybersecurity strategy. If your company is considering adopting biometric security, here are the important things to keep in mind: 

  • Data protection. Is your current data infrastructure properly secured? How do you handle customer or employee data? You need to have baseline protections in place before you consider holding biometric data. Watch out for any specific compliance or regulatory policies around biometric data you may need to follow.

  • Reliability testing. Test, test, and then test again. Make sure you’re working with a reputable biometrics provider. Don’t fall for the buzzwords. There are a lot of companies out there overselling the ‘AI capabilities’ of their systems, which in reality may be quite limited. Do your due diligence and make sure to thoroughly test the system for your specific use case.

  • Multi-factor authentication. Relying exclusively upon biometric authentication isn’t the best idea. Reduce risks by combining biometric authentication with another authentication method. The proven classics like passwords, SMS authentication or hardware devices work great when used with biometrics as part of a multi-factor authentication process.

  • Identity and Access Management. IAM systems are designed to perform three key tasks: identify, authenticate, and authorise. It’s a governance framework designed to ensure only the right person has access to specific devices, apps, or IT resources to perform specific tasks, which makes it a powerful asset for cybersecurity.
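To make the multi-factor point concrete, here is an added example (not from the original article or from Mimecast) of an authentication policy that treats every biometric as a single “something you are” category: two biometrics together still count as one factor, and access is only granted when verified factors span at least two distinct categories. The method names and category mapping are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # hardware token, phone receiving SMS
    INHERENCE = "something you are"     # fingerprint, face, voice


# Constructed mapping from authentication methods to factor categories.
METHOD_CATEGORY = {
    "password": FactorType.KNOWLEDGE,
    "sms_code": FactorType.POSSESSION,
    "hardware_token": FactorType.POSSESSION,
    "fingerprint": FactorType.INHERENCE,
    "face": FactorType.INHERENCE,
    "voice": FactorType.INHERENCE,
}


@dataclass(frozen=True)
class FactorResult:
    method: str      # key into METHOD_CATEGORY
    verified: bool   # outcome reported by that method's verifier


def authentication_decision(results, required_categories=2):
    """Return (granted, reason).

    Access is granted only when the verified factors cover at least
    `required_categories` distinct categories. Biometrics never stand
    alone: because they cannot be changed once compromised, a set of
    verified factors made up only of biometrics is rejected.
    """
    verified = [r for r in results if r.verified]
    unknown = sorted({r.method for r in verified if r.method not in METHOD_CATEGORY})
    if unknown:
        return False, f"unknown method(s): {unknown}"
    categories = {METHOD_CATEGORY[r.method] for r in verified}
    if not categories:
        return False, "no verified factors"
    if categories == {FactorType.INHERENCE}:
        # Face plus fingerprint is still one category: both are immutable
        # and share the same recovery problem if leaked.
        return False, "biometrics alone are a single point of failure"
    if len(categories) < required_categories:
        return False, f"only {len(categories)} factor category verified"
    return True, "ok: " + ", ".join(sorted(c.name for c in categories))
```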

Biometrics are just one part of the security equation

The fact that biometrics are, for the most part, immutable is both their biggest advantage and their biggest drawback. While the technology can provide a highly effective layer of security, used on its own it can also be a single point of failure.

The best way to gain the security benefits of biometrics is to make them part of your overall security infrastructure rather than depending on them exclusively. This is why having a clearly defined cybersecurity policy is so important. Biometrics should fit into your cybersecurity policy, not the other way around. When it comes to handling someone’s biometric data, data they cannot alter or change throughout their lives, you cannot afford to take any unnecessary risks.
