January 14, 2019

Biometric Authentication Not As Safe As You Think

Unique (adjective): being the one and only of its kind. This is the Holy Grail of identity authentication, but what defines the truly unique? Is it size, weight or shape? Molecular structure? Or is it something else? Many think that snowflakes are the closest thing to being unique, but scientists have found that they fall into only about 35 distinct shapes. So, if snowflakes aren't that unique, how can we expect to come up with a truly unique credential to use for cyber security? The current trend is biometrics, specifically fingerprints and face prints. But are they as secure as we think?

What Is Biometric Authentication? 

Let's start with the basics. According to TechTarget's SearchSecurity, biometric authentication is:

"A security process that relies on the unique biological characteristics of an individual to verify that he is who he says he is. Biometric authentication systems compare a biometric data capture to stored, confirmed authentic data in a database. If both samples of the biometric data match, authentication is confirmed. Typically, biometric authentication is used to manage access to physical and digital resources such as buildings, rooms and computing devices."

In simpler terms, a device records a biological characteristic such as a fingerprint, face print, voice print, retinal scan or even a vein pattern as a stored template, then matches a fresh capture against that template whenever authentication is requested.

You would like to believe that these biological characteristics are unique to you, but are they really, especially once they are reduced to something stored digitally?

Biometric Authentication Is NOT As Safe As You Think

It turns out that, measured by the odds of a random match, a fingerprint is more secure than a 4-digit passcode but less secure than a 5-digit passcode. A StackExchange user examines this statistic:

"According to Apple, with Touch ID the probability of a fingerprint matching is 1:50000, while the probability of guessing a four-digit passcode is 1:10000. Statistically speaking, this would make Touch ID five times more secure. But the answer isn't that simple. Reconstructing a fingerprint is far easier than reconstructing a passcode. Although a fingerprint is unique, you are basically walking around with the security key on you at all times. I see having a fingerprint as like having the four digits of a passcode, just not in the right order (is this the right thinking though?)."
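The arithmetic behind "five times more secure" is worth carrying through, because it changes once you account for retry limits and for how many fingers a user has enrolled. The following Python is an added worked example, not code from the original post or from Apple: the 1-in-50,000 per-finger figure is taken from the quote above, while the attempt limit and the number of enrolled fingers are illustrative assumptions chosen to show the effect.

```python
"""Compare the guessing odds of a numeric passcode with the false-accept rate
(FAR) of a fingerprint sensor.

Added example, not code from the original post or from Apple. The 1-in-50,000
per-finger FAR is the figure quoted above; ATTEMPTS and ENROLLED_FINGERS are
illustrative parameters (assumptions), not numbers from the post.
"""
import math

TOUCH_ID_FAR = 1 / 50000   # per enrolled finger, from the quote above
ATTEMPTS = 5               # assumed lockout: tries before falling back to a passcode
ENROLLED_FINGERS = 5       # assumed: a user who enrolled every finger of one hand


def pin_success(digits: int, attempts: int) -> float:
    """Odds that `attempts` distinct guesses hit a uniformly chosen PIN of `digits` digits."""
    space = 10 ** digits
    return min(attempts, space) / space


def combined_far(per_template_far: float, enrolled: int) -> float:
    """FAR against a user with several enrolled templates.

    A random finger is accepted if it matches ANY template, so the effective
    FAR is 1 - (1 - f)^n, roughly n * f for small f.
    """
    return 1.0 - (1.0 - per_template_far) ** enrolled


def biometric_success(far: float, attempts: int) -> float:
    """Odds that `attempts` independent random presentations get accepted."""
    return 1.0 - (1.0 - far) ** attempts


def equivalent_pin_digits(far: float) -> float:
    """PIN length whose single-guess odds equal `far`: log10(1 / far)."""
    return math.log10(1.0 / far)


def compare() -> dict:
    """Worked numbers behind 'better than 4 digits, worse than 5'."""
    five_finger_far = combined_far(TOUCH_ID_FAR, ENROLLED_FINGERS)
    return {
        "touch_id_equivalent_digits": equivalent_pin_digits(TOUCH_ID_FAR),  # ~4.7
        "touch_id_5_fingers_far": five_finger_far,                          # ~1 in 10,000
        "pin4_after_attempts": pin_success(4, ATTEMPTS),
        "pin5_after_attempts": pin_success(5, ATTEMPTS),
        "touch_id_1_finger_after_attempts": biometric_success(TOUCH_ID_FAR, ATTEMPTS),
        "touch_id_5_fingers_after_attempts": biometric_success(five_finger_far, ATTEMPTS),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:36s} {value:.6g}")
```

Two things fall out of the numbers. A single enrolled finger at 1:50,000 is equivalent to a passcode of about 4.7 digits, which is where the "between 4 and 5 digits" claim comes from. But each additional enrolled finger is another chance to match, so with five fingers enrolled the effective FAR is roughly 1:10,000, the same odds as a 4-digit PIN, and the claimed five-fold advantage disappears before anyone has lifted a print.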

Teri Robinson at SC Magazine wrote an article titled “Researchers create wax hand to get around vein sensor tech” and reported: 

"Security researchers created a fake hand out of wax capable of getting around vein sensor technology – used by organizations like Germany's BND signals intelligence agency, the researchers told an audience at Chaos Communication Congress in Leipzig."

So, if even a vein pattern, hidden beneath the skin, can be spoofed with a wax model, imagine how easy it is to copy the characteristics you expose all day, such as your fingerprints and your face.

Perhaps an even scarier proposition is a breach of the digitally stored versions of your biometrics: a leaked password can be rotated, but you cannot change your own biology. Danny Palmer, Senior Reporter at ZDNet, makes the same point:

"Biometrics also have another issue, in that they can't be altered. If records of your fingerprint or face, or iris, are compromised, attackers could use them to bypass all of your accounts, and you can't realistically reset your face or your fingerprints."

Biobehavioral Authentication Comes Of Age 

The good news is that your behavior is far harder to steal and replay than a stored template: the way you type, the rhythm of your keystrokes, and the frequency with which you access applications over days, weeks and months. Acceptto is a transformative cybersecurity company delivering continuous identity access protection and real-time threat analytics with Biobehavioral™ AIML-powered authentication technology in an age where your identity is persistently attacked.

We built our company on the premise that your login credentials have already been compromised. Your passwords have been hacked no matter how complex you've made them. Two-factor security is a one-time check at login, causes high friction and can be intercepted in transit. Current multi-factor authentication (MFA) solutions lack context and rely on too few attributes. A biometric check is a binary match-or-no-match decision, and regardless of how safe a fingerprint or retina scan appears to be, it can be spoofed and can never be reset. And there are few, if any, solutions that continuously validate your identity after authentication.
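To make the behavioral idea concrete, here is an added Python example. It is not Acceptto's code, algorithm or data: it enrolls a typing profile from key-hold and flight times, scores later sessions against it, and re-scores a live keystroke stream window by window so that a session taken over after login is flagged rather than trusted forever. All timings, the window size and the step-up threshold are constructed assumptions for illustration.

```python
"""Toy keystroke-dynamics check for continuous, behavior-based authentication.

Added example, not Acceptto's code or algorithm. It builds a profile from a
user's key-hold and flight times (ms), scores later typing against it, and
re-scores a live stream window by window so a mid-session takeover is caught
after login. All timings are constructed sample data, not real measurements.
"""
from statistics import mean, pstdev

# Constructed enrollment data: (hold_ms, flight_ms) per keystroke, three sessions.
ENROLL_SESSIONS = [
    [(95, 140), (102, 135), (88, 150), (97, 142), (105, 138), (92, 147)],
    [(99, 132), (94, 145), (101, 139), (90, 151), (96, 136), (103, 143)],
    [(93, 148), (98, 137), (104, 141), (91, 146), (100, 134), (95, 144)],
]
# Constructed later sessions: the same typist, then a faster, more uniform typist.
LEGIT_SESSION = [(96, 143), (101, 138), (90, 149), (98, 140), (94, 145), (100, 136)]
IMPOSTOR_SESSION = [(60, 90), (58, 95), (63, 88), (61, 92), (59, 94), (62, 91)]

STEP_UP_THRESHOLD = 2.0  # assumed: mean |z| at or above this triggers step-up MFA


def build_profile(sessions):
    """Mean and standard deviation of hold and flight times over all enrollment keystrokes."""
    holds = [h for session in sessions for h, _ in session]
    flights = [f for session in sessions for _, f in session]
    # Floor sigma at 1 ms so a perfectly uniform enrollment cannot divide by zero.
    return {
        "hold": (mean(holds), max(pstdev(holds), 1.0)),
        "flight": (mean(flights), max(pstdev(flights), 1.0)),
    }


PROFILE = build_profile(ENROLL_SESSIONS)


def session_score(profile, keystrokes):
    """Mean absolute z-score of the keystrokes against the profile; 0 means identical to enrollment."""
    zs = []
    for hold, flight in keystrokes:
        for feature, value in (("hold", hold), ("flight", flight)):
            mu, sigma = profile[feature]
            zs.append(abs(value - mu) / sigma)
    return mean(zs)


def decide(score, threshold=STEP_UP_THRESHOLD):
    """Policy decision for one score: keep the session or demand another factor."""
    return "allow" if score < threshold else "step-up"


def continuous_monitor(profile, stream, window=6):
    """Re-score a live keystroke stream in fixed windows, post-authentication.

    Returns (window_index, score, decision) per full window, so the caller can
    raise a step-up challenge or end the session as soon as typing stops
    looking like the enrolled user.
    """
    results = []
    for i in range(0, len(stream) - window + 1, window):
        score = session_score(profile, stream[i:i + window])
        results.append((i // window, round(score, 2), decide(score)))
    return results


if __name__ == "__main__":
    for label, session in (("legit", LEGIT_SESSION), ("impostor", IMPOSTOR_SESSION)):
        score = session_score(PROFILE, session)
        print(f"{label:9s} score={score:.2f} -> {decide(score)}")
    for w, score, decision in continuous_monitor(PROFILE, LEGIT_SESSION + IMPOSTOR_SESSION):
        print(f"window {w}: score={score} -> {decision}")
```

Running it, the legitimate session scores well under the threshold and is allowed, the impostor session scores far above it, and the concatenated stream is allowed for the first window and flagged for step-up on the second, which is the "validate post-authentication" property the paragraph above asks for. A real system would use many more signals (per-key-pair timings, device, network, time of day) and tune the threshold against measured false-reject and false-accept rates, the same trade-off the Touch ID figures earlier in the post express.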

With Acceptto’s Cognitive Authentication you can ensure:

  • Actionable threat analytics: Real-time, continuous identity monitoring and validation post-authentication.
  • Dynamic authentication: Adjustable, risk-based policy orchestration and continuous enforcement.
  • Credential stuffing neutralized: Eliminate account takeover (ATO) instantly with intelligent contextual MFA.

Check out what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords and still ensure security and privacy. Register for a free trial today.
