Point/Counterpoint: The Current State and Future of Biometrics – Part Two
Brought to you by BeyondTrust
Morey Haber, VP of Technology, BeyondTrust
John J. Masserini, CSO, MIAX Options
In this two-part Q&A, Morey Haber and John Masserini discuss the current and future state of biometrics. Industry thought leaders, Haber and Masserini address leading questions surrounding biometrics from the vendor and enterprise perspective.
In part one, Morey and John examined the possibility of biometrics as a replacement for existing authentication technology and discussed methods for using biometrics to augment existing solutions.
In this installment, Haber and Masserini continue their assessment of biometrics and other forms of adaptive authentication. They also examine the process for retaining and purging biometric data, and draw conclusions.
Q: What forms of biometrics are you considering? Fingerprints, facial recognition, infrared, retina, voice, behavioral, etc.?
Haber: While I have been focusing on fingerprints for this discussion, many other techniques exist for biometrics that can be successfully integrated into your security model. With any of them, all the considerations above must be considered and altered accordingly.
For example, if you plan to use a retina scanning device, rotation of the biometric data makes absolutely no sense. If you plan to use the facial recognition in Windows 10, the security of the hardware needs to be considered as well since you are potentially using a very pricey piece of camera equipment to perform infrared and visual identification.
Personally, I think fingerprints will be the primary deployment vehicle for most organizations, followed by esoteric techniques based on behavior (like keystroke monitoring of a password based on time and pressure) to augment current security mechanisms.
Masserini: Most biometric alternatives are too costly to implement on a wide scale, so fingerprints remain the choice de jure for general adoption. Facial or retina will likely only be used in selective, highly secure areas. I think 2016 will see a huge jump in the adoption of behavioral analytics to augment the existing enterprise controls.
Over the past eighteen months, we’ve seen a significant uptick in solutions which perform User Behavior Analytics (UBA) monitoring which can enhance the monitoring and alerting aspects of the existing security infrastructure. As these products mature and the models hit a consistently reasonable level of accuracy, we will likely be able to leverage their decision capabilities by incorporating them into the authentication process.
Imagine how seamless an authentication process would be if we were able to model a user’s behavior and immediately determine if we need additional credentials before allowing them to perform a specific function.
Q: What other adaptive authentication technologies could benefit from biometrics? Two Factor?
Haber: Biometrics can successfully augment almost any existing security mechanism if it is implemented with solid ergonomics, and physical security and encryption in mind. For example, having a fingerprint reader on a two-factor key fob sounds like an effective way to retrieve a key, if battery life and local biometric data is properly secured on the fob.
While mobile applications can replace this hardware (in lieu of a fob), the concept of tying multiple identification techniques together with dissimilar data types just makes the process of authentication more secure.
So consider how you add biometrics. An external USB biometric reader may sound attractive to add for access, but its simple theft can easily be used to retrieve a user’s fingerprint. Ergonomics and physical (above battery life) need to be considered when merging with existing solutions.
Masserini: Many of the newer biometric solutions allow for multiple templates to be created for each user, providing certain ‘randomness’ to the authentication process. Although admittedly a bit scary, imagine if we had ten legitimate passwords for each user ID.
We could use any of the passwords to login, but could never use the same one back-to-back, or perhaps the same one on any given day. While unwieldy with a username/password combination, it's a perfectly feasible solution with fingerprint biometrics.
Another option is the use of multiple fingerprints (or biometrics) for basic authentication, providing an arguably strong form of identification. Models such as these not only make the user's life simpler, but add a control not available in today's password-centric world.
Q: Any additional thoughts?
Haber: For biometrics to succeed there will always be a need to add additional elements to verify a user’s identity. The more you can separate biometrics from a documentable authentication scheme, the more secure the system will be.
For example, take this concept, which I have yet to see implemented, called a Biometric Pin. The method uses a traditional secure fingerprint biometric reader, but has logic to require more than one fingerprint. A user selects 4 fingers to scan from both hands just like applying a pin. They then register them in their mentally defined order. I.e. Left Thumb, Right Middle, Left Middle, and Right Index.
The technique requires all four biometrics in the proper order (analogous to a pin) and only storage of these four fingers. The sequence of fingers, and which finger, is not known to the system and policy requires a new rotation every “n” days. In this scenario, biometrics alone could be used for authentication or authorization since it incorporates more elements than a single fingerprint and requires mental (difficult to document) knowledge of which fingers to apply and in which order.
While this suggestion is just a hypothetical example of how to implement secure biometrics, it illustrates that any single biometric technique alone will never be sufficient.
Masserini: While biometric solutions have a solid place in the enterprise, it's more augmentative then disruptive. While we are still far from the replacement of passwords with biometrics, advancements in the biometric space will continue to challenge us to re-think how could better utilize such an approach.
I truly believe that Behavior Analytics will be a driving force in the next 24-36 months and will mature to a point where we can integrate their models into Adaptive Authentication solutions to truly make automated, intelligent decisions about needing additional credentials based on activity or action rather than the specific username.
I also believe that a well thought out implementation of biometrics stands to mitigate the weakness we currently face with passwords, albeit not by replacing them, but by giving us alternative means to verify users without overburdening them with additional passwords or tokens.