Making biometric technology more secure – One Identity

03 Oct 2018

By One Identity APJ technology and strategy regional manager Serkan Cetin

Signing into mobile phones and laptops with a PIN or password is quickly becoming a thing of the past.

Now, physiological biometric technologies such as fingerprint scanners and facial recognition are commonplace.

There are some obvious benefits to using physiological biometrics over passwords: convenience and security.

Passwords can be difficult to remember, especially when a user must maintain multiple passwords for a growing number of digital accounts.

It’s hard for users to forget their fingerprints or face.

There are distinct security advantages to using something that’s a unique part of the user, rather than something they must recall from memory.

However, many physiological biometric technologies such as fingerprint recognition and iris scanning are easier to hack than many people may think.

While irises, fingerprints and other human subtleties may be unique, they are not incorruptible.

Hackers have used many different techniques to fool scanners, many related to replicating biometrics.

Tsutomu Matsumoto, a researcher from Yokohama National University, managed to create a graphite mould from a picture of a latent fingerprint on a wine glass.

It fooled scanners 80% of the time.

The Chaos Computer Club, a hacking collective based in Berlin, managed to deceive iris-scanning technology using a dummy eye created from a photo print.

Researchers from the University of North Carolina created a system that builds digital models of people’s faces based on photos from Facebook.

The animation was convincing enough to bypass four out of the five systems tested.

The fact that many of these biometric technologies can be hacked so easily is troubling but expected.

Biometrics measures similarity, not identity, so a biometric match represents a probability of correct recognition.

Once biometric data is in the possession of hackers, there is always a risk it could be used to compromise personal or professional accounts.

While individuals can create new passwords for their accounts, humans cannot change their retinae or fingerprints.

Solution: Build a security ecosystem with behavioural biometrics in mind

A stronger way to prevent such attacks is to move towards using behavioural biometrics, such as keystroke dynamics or mouse movement analysis.

Each user has an idiosyncratic pattern of behaviour, even when performing identical actions, such as typing or moving a mouse.

As a result, behavioural biometrics are much harder to steal or imitate than physiological biometrics.

Algorithms powered by Artificial Intelligence can learn and analyse these behavioural characteristics to identify inconsistent tendencies quickly and autonomously.

It’s obvious that a hacker looking for sensitive data will behave differently in an IT system than the targeted individual.

Behavioural biometrics can track several tendencies or habits, including a user’s typing speed, whether they use the left or right shift key, how often they use backspace compared to delete, or whether they use shift or Caps Lock to change letter case.

It’s likely the hacker has a different typing speed, moves the mouse differently and executes commands that the targeted user does not usually run.

When enough anomalies exist, the security system raises an instant alert for the security team and helps them investigate the incident.
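
The alerting logic described above, as an added example that is not One Identity's code: it builds a per-user baseline from the typing habits listed in the article and alerts only when several of them deviate together. The key-event log format, the z-score test, the thresholds and the sample sessions are assumptions constructed for illustration.

```python
from statistics import mean, stdev

STD_FLOOR = 0.05  # assumed floor: a habit with zero variance must not divide by zero

def features(events):
    """events: [(seconds, key_name), ...] for one session (assumed log format)."""
    keys = [k for _, k in events]
    n = {k: keys.count(k) for k in
         ("ShiftLeft", "ShiftRight", "Backspace", "Delete", "CapsLock")}
    span = max(events[-1][0] - events[0][0], 1e-6)
    def frac(a, b):  # share of a in a+b; neutral 0.5 when neither key was used
        return a / (a + b) if a + b else 0.5
    return {
        "keys_per_sec": len(keys) / span,
        "left_shift": frac(n["ShiftLeft"], n["ShiftRight"]),
        "backspace": frac(n["Backspace"], n["Delete"]),
        "caps_lock": frac(n["CapsLock"], n["ShiftLeft"] + n["ShiftRight"]),
    }

def enroll(sessions):
    """Per-feature (mean, standard deviation) over the user's known-good sessions."""
    vecs = [features(s) for s in sessions]
    return {f: (mean([v[f] for v in vecs]), stdev([v[f] for v in vecs]))
            for f in vecs[0]}

def anomalies(profile, events, z_limit=3.0):
    """Features whose z-score against the enrolled profile exceeds z_limit."""
    obs = features(events)
    return sorted(f for f, (mu, sd) in profile.items()
                  if abs(obs[f] - mu) / max(sd, STD_FLOOR) > z_limit)

def should_alert(profile, events, min_anomalies=2):
    """Alert only when enough independent habits deviate at once."""
    return len(anomalies(profile, events)) >= min_anomalies

def sample(letters, secs, left, right, back, delete, caps):
    """Constructed test data: evenly spaced keys with the given counts."""
    keys = (["KeyA"] * letters + ["ShiftLeft"] * left + ["ShiftRight"] * right
            + ["Backspace"] * back + ["Delete"] * delete + ["CapsLock"] * caps)
    return [(i * secs / (len(keys) - 1), k) for i, k in enumerate(keys)]

PROFILE = enroll([sample(200, 50, 20, 1, 15, 1, 0), sample(210, 50, 18, 0, 12, 0, 0),
                  sample(190, 50, 22, 2, 14, 2, 0), sample(205, 50, 19, 1, 16, 1, 0)])
OWNER_SLOW = sample(120, 50, 12, 1, 9, 1, 0)  # slower than usual, same habits
INTRUDER = sample(120, 50, 2, 15, 1, 10, 6)   # different habits on every feature

if __name__ == "__main__":
    for name, s in (("owner_slow", OWNER_SLOW), ("intruder", INTRUDER)):
        print(name, anomalies(PROFILE, s), "ALERT" if should_alert(PROFILE, s) else "ok")
```

Requiring at least two deviating features keeps a single off-day signal, such as the owner typing slowly, from paging the security team, while a session that differs on several habits still alerts.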

While the physiological biometrics in mobile phones and laptops are user-friendly and safe, they are not truly safe.

Fingerprint recognition on phones typically takes multiple images of a finger so it can find a match quickly.

A truly safe physiological biometric authentication takes longer, more like 10 seconds.

Behavioural biometrics is the ultimate customer experience security measure.

Keystroke dynamics and mouse movement analysis help identify breaches and serve as a continuous, biometric authentication.

These behaviours can be continuously monitored and verified without interrupting the user experience, unlike physiological biometrics technology, which requires intrusive one-off authentication.

Building biometrics into the security ecosystem helps in reducing the number of stolen user credentials.

As biometrics can detect inconsistencies accurately and in real-time, they can catch criminals before they spend days, weeks or months sitting in IT systems.

Behavioural biometrics are difficult to duplicate 

While it may be possible to fool physiological biometrics and look like someone, behavioural biometrics makes it much harder to behave like them.

While behavioural biometrics such as keystroke dynamics or mouse movement analysis are ideal additional layers of defence, it is crucial that they form part of a bigger security environment that includes multi-factor authentication solutions, consistently updating and patching systems, and educating staff.

IT teams must remember, as with other systems of security, there are no silver bullets in the world of cybersecurity and identity and access management.

Utilising more verification measures in unison gives the best possible chance of preventing hackers from gaining access to sensitive information.
