
Making biometric technology more secure – One Identity

03 Oct 2018

By One Identity APJ technology and strategy regional manager Serkan Cetin

Signing into mobile phones and laptops with a PIN or password is quickly becoming a thing of the past.

Now, physiological biometric technologies such as fingerprint scanners and facial recognition are commonplace.

There are some obvious benefits to using physiological biometrics over passwords: convenience and security.

Passwords can be difficult to remember, especially when a user must maintain multiple passwords for a growing number of digital accounts.

It’s hard for users to forget their fingerprints or face.

There are distinct security advantages to using something that’s a unique part of the user, rather than something they must recall from memory.

However, many physiological biometric technologies such as fingerprint recognition and iris scanning are easier to hack than many people may think.

While irises, fingerprints and other human subtleties may be unique, they are not incorruptible.

Hackers have used many different techniques to fool scanners, many related to replicating biometrics.

Tsutomu Matsumoto, a researcher from Yokohama National University, managed to create a graphite mould from a picture of a latent fingerprint on a wine glass.

It fooled scanners 80% of the time.

The Chaos Computer Club, a hacking collective based in Berlin, managed to deceive iris-scanning technology using a dummy eye created from a photo print.

Researchers from the University of North Carolina created a system that builds digital models of people’s faces based on photos from Facebook.

The animation was convincing enough to bypass four out of the five systems tested.

The fact that many of these biometrics technologies can be hacked so easily is troubling but expected.

Biometrics measures similarity, not identity, so a biometric match represents a probability of correct recognition.

Once biometric data is in the possession of hackers, there is always a risk it could be used to compromise personal or professional accounts.

While individuals can create new passwords for their accounts, humans cannot change their retinae or fingerprints.

Solution: Build a security ecosystem with behavioural biometrics in mind

A stronger way to prevent such attacks is to move towards using behavioural biometrics, such as keystroke dynamics or mouse movement analysis.

Each user has an idiosyncratic pattern of behaviour, even when performing identical actions, such as typing or moving a mouse.

As a result, behavioural biometrics are much harder to steal or imitate than physiological biometrics.

Algorithms powered by Artificial Intelligence can learn and analyse these behavioural characteristics to identify inconsistent tendencies quickly and autonomously.

It’s obvious that a hacker looking for sensitive data will behave differently in an IT system than the targeted individual.

Behavioural biometrics can track several tendencies or habits, including a user’s typing speed, whether they use the left or right shift key, how often they use backspace compared to delete, or whether they use shift or Caps Lock to change letter case.

It’s likely the hacker has a different typing speed, moves the mouse differently and executes commands that are unusual for the targeted user.

When enough anomalies exist, the security system raises an instant alert for the security team and helps them investigate the incident.
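
The following sketch is an added example, not code from One Identity or any product: it builds a per-user baseline from the typing habits listed above and raises an alert only when several of them deviate at once. The event format, the browser-style key names, the z-score limit and the two-anomaly threshold are assumptions, and the sample sessions are constructed.

```python
from statistics import mean, stdev

SHIFTS = {"ShiftLeft", "ShiftRight"}

def features(events):
    """events: [(seconds, key_name), ...] for one typing session."""
    keys = [k for _, k in events]
    span = events[-1][0] - events[0][0] if events else 0.0
    def share(a, b):  # fraction of a among a+b; None if neither was pressed
        na, nb = sum(k in a for k in keys), sum(k in b for k in keys)
        return na / (na + nb) if na + nb else None
    return {
        "keys_per_sec": len(keys) / span if span > 0 else None,
        "left_shift_share": share({"ShiftLeft"}, {"ShiftRight"}),
        "backspace_share": share({"Backspace"}, {"Delete"}),
        "capslock_share": share({"CapsLock"}, SHIFTS),
    }

def build_profile(sessions, floor=0.05):
    """Per-feature (mean, spread) over enrolled sessions of one user."""
    rows = [features(s) for s in sessions]
    profile = {}
    for name in rows[0]:
        vals = [r[name] for r in rows if r[name] is not None]
        if len(vals) >= 2:  # stdev needs two points; floor avoids divide-by-zero
            profile[name] = (mean(vals), max(stdev(vals), floor))
    return profile

def anomalies(profile, session, z_limit=3.0):
    """Names of features more than z_limit spreads away from the baseline."""
    obs = features(session)
    return sorted(n for n, (mu, sd) in profile.items()
                  if obs[n] is not None and abs(obs[n] - mu) / sd > z_limit)

def should_alert(profile, session, min_anomalies=2):
    return len(anomalies(profile, session)) >= min_anomalies

def typed(keys, gap):  # constructed sample data: evenly spaced key events
    return [(i * gap, k) for i, k in enumerate(keys)]

OWNER_KEYS = ["ShiftLeft", "a", "b", "c", "Backspace", "c", "d", "ShiftLeft", "e", "Backspace"]
OTHER_KEYS = ["CapsLock", "a", "CapsLock", "b", "c", "Delete", "ShiftRight", "d", "e", "Delete"]
PROFILE = build_profile([typed(OWNER_KEYS, g) for g in (0.20, 0.22, 0.18, 0.21)])

if __name__ == "__main__":
    for label, s in [("owner", typed(OWNER_KEYS, 0.19)), ("owner, rushed", typed(OWNER_KEYS, 0.10)),
                     ("someone else", typed(OTHER_KEYS, 0.08))]:
        print(label, anomalies(PROFILE, s), "ALERT" if should_alert(PROFILE, s) else "ok")
```

Requiring more than one deviating feature keeps a legitimate user who is simply typing faster than usual from triggering an alert on speed alone.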

While the physiological biometrics in mobile phones and laptops are user-friendly and safe, they are not truly safe.

Fingerprint recognition on phones typically takes multiple images of a finger so it can find a match quickly.

A truly safe physiological biometric authentication takes longer, more like 10 seconds.

Behavioural biometrics is the ultimate customer experience security measure.

Keystroke dynamics and mouse movement analysis help identify breaches and serve as a continuous, biometric authentication.

These behaviours can be continuously monitored and verified without interrupting the user experience, unlike physiological biometrics technology, which requires intrusive one-off authentication.

Building biometrics into the security ecosystem helps in reducing the number of stolen user credentials.

As biometrics can detect inconsistencies accurately and in real-time, they can catch criminals before they spend days, weeks or months sitting in IT systems.

Behavioural biometrics are difficult to duplicate 

While it may be possible to fool physiological biometrics and look like someone, behavioural biometrics makes it much harder to behave like them.

While behavioural biometrics such as keystroke dynamics or mouse movement analysis are ideal additional layers of defence, it is crucial that they form part of a bigger security environment that includes multi-factor authentication solutions, consistently updating and patching systems, and educating staff.

IT teams must remember, as with other systems of security, there are no silver bullets in the world of cybersecurity and identity and access management.

Utilising more verification measures in unison gives the best possible chance of preventing hackers from gaining access to sensitive information.
