Making biometric technology more secure – One Identity
By One Identity APJ technology and strategy regional manager Serkan Cetin
Signing into mobile phones and laptops with a pin or password is quickly becoming a thing of the past.
Now, physiological biometric technology such as fingerprint scanners and facial recognition are commonplace.
There are some obvious benefits to using physiological biometrics over passwords: convenience and security.
Passwords can be difficult to remember, especially when a user must maintain multiple passwords for a growing number of digital accounts.
It’s hard for users to forget their fingerprints or face.
There are distinct security advantages to using something that’s a unique part of the user, rather than something they must recall from memory.
However, many physiological biometric technologies such as fingerprint recognition and iris scanning are easier to hack than many people may think.
While irises, fingerprints and other human subtleties may be unique, they are not incorruptible.
Hackers have used many different techniques to fool scanners, many related to replicating biometrics.
Tsutomu Matsumoto, a researcher from Yokohama National University, managed to create a graphite mould from a picture of a latent fingerprint on a wine glass.
It fooled scanners 80% of the time.
The Chaos Computer Club, a hacking collective based in Berlin, managed to deceive iris-scanning technology using a dummy eye created from a photo print.
Researchers from the University of North Carolina created a system that builds digital models of people’s faces based on photos from Facebook.
The animation was convincing enough to bypass four out of the five systems tested.
The fact that many of these biometrics technologies can be hacked so easily is troubling but expected.
Biometrics measures similarity, not identity, so a biometric match represents a probability of correct recognition.
Once biometric data is in the possession of hackers, there is always a risk it could be used to compromise personal or professional accounts.
While individuals can create new passwords for their accounts, humans cannot change their retinae or fingerprints.
Solution: Build a security ecosystem with behavioural biometrics in mind
A stronger way to prevent such attacks is to move towards using behavioural biometrics, such as keystroke dynamics or mouse movement analysis.
Each user has an idiosyncratic pattern of behaviour, even when performing identical actions, such as typing or moving a mouse.
As a result, behavioural biometrics are much harder to steal or imitate than physiological biometrics.
Algorithms powered by Artificial Intelligence can learn and analyse these behavioural characteristics to identify inconsistent tendencies quickly and autonomously.
It’s obvious that a hacker looking for sensitive data will behave differently in an IT system than the targeted individual.
Behavioural biometrics can track several tendencies or habits, including a user’s typing speed, whether they use the left or right shift key, how often they use backspace compared to delete, or whether they use shift or Caps Lock to change letter case.
It’s likely the hacker has a different typing speed, moves the mouse differently and executes unusual commands than the targeted user usually does.
When enough anomalies exist, the security system raises an instant alert for the security team and helps them investigate the incident.
While the physiological biometrics in mobile phones and laptops are user-friendly and safe, they are not truly safe.
Fingerprint recognition on phones typically takes multiple images of a finger so it can find a match quickly.
A truly safe physiological biometric authentication takes longer, more like 10 seconds.
Behavioural biometrics is the ultimate customer experience security measure.
Keystroke dynamics and mouse movement analysis help identify breaches and serve as a continuous, biometric authentication.
These behaviours can be continuously monitored and verified without interrupting the user experience, unlike physiological biometrics technology, which requires intrusive one-off authentication.
Building biometrics into the security ecosystem helps in reducing the number of stolen user credentials.
As biometrics can detect inconsistencies accurately and in real-time, they can catch criminals before they spend days, weeks or months sitting in IT systems.
Behavioural biometrics are difficult to duplicate
While it may be possible to fool physiological biometrics and look like someone, behavioural biometrics makes it much harder to behave like them.
While behavioural biometrics such as keystroke dynamics or mouse movement analysis are ideal additional layers of defence, it is crucial that it forms a part of a bigger security environment that includes multi-factor authentication solutions, consistently updating and patching systems, and educating staff.
IT teams must remember, as with other systems of security, there are no silver bullets in the world of cybersecurity and identity and access management.
Utilising more verification measures in unison gives the largest possible chance to avoid hackers gaining access to sensitive information.