The Real Risks of Biometric Authentication
As technology evolves, passwords become less effective at keeping information safe. They're definitely not the best way to ensure someone is who they say they are — with the right username and password, you can pretend to be anyone. Biometrics are unique to each individual, and you don't need to remember anything, so they're touted as a secure way to verify someone's identity. But is this really the case?
Julia O’Toole, CEO, MyCena Security Solutions

While biometrics are often promoted as a revolutionary security enhancer, the method is far from bulletproof and could put organizations and their employees at serious risk. Here, Julia O’Toole, CEO of MyCena Security Solutions, explains why.
World Password Day, every year, provides an opportunity for cybersecurity experts across the world to share their wisdom on what organizations can do to improve their digital access security.

Traditional, employee-generated passwords have long been touted as a security risk for businesses, so World Password Day is a chance to promote alternative network authentication tools, and one of the key themes to once again garner attention this year was biometric security.
Biometric authentication simply uses a person’s biometric data to identify them, such as a fingerprint, facial scan, voice, or any other unique feature of a human body that belongs to them. Biometric data are unique to and inseparable from each individual, so there is nothing to remember in order to use them, and this type of authentication is often promoted as a secure way to verify the identity of a person. But is this really the case?

While it is indeed difficult for a person to steal another person’s face, voice or fingerprints in the physical world, the reality is quite different in the digital world, and there are three characteristics of biometric data that make them particularly ill-suited to guaranteeing authentication security.
Many people think their biometric data is unique and tamper-proof. But while this is true in the physical world, where it is indeed difficult to falsify an iris, a fingerprint or a face, it does not apply to the digital world.

Biometric data are digitized data, i.e., stored as 1s and 0s on a server. Once saved, they can be copied into backup files and stored on servers anywhere in the world. The risk is that if access to one of these servers is compromised, the files and the biometric data they contain can be stolen and copied without anyone noticing.
Because biometric data are inseparable from their owner, they cannot be changed easily, whereas passwords can be changed at will. This makes biometric data particularly sensitive and vulnerable if stolen, as the theft exposes the owner to identity theft for the rest of their life, and even after their death, thanks to spectacular advances in AI.

The highest risk with biometric authentication is that a person’s biometric data is not private but public, since people mostly live in societies with their faces uncovered and communicate with their voice.

Thanks to technological advances and AI, criminals can easily recreate biometric data from photos or voice recordings of a person, take their identity, scam their loved ones, or access their online accounts.
In 2014, a hacker reconstructed the fingerprints of Ursula von der Leyen, Germany’s then defense minister, from a high-definition photo of her hand. With AI tools, criminals can easily and cheaply reproduce a voice from an audio sample of just a few sentences. In 2022, 36,000 cases of identity theft scams were reported in which imitations of family members’ voices convinced people that their loved ones were in distress and needed financial help. Many people fell into the trap and lost thousands of dollars, with some receiving ransom demands of up to $1 million.
Organizations that use their employees’ biometrics expose themselves to even more risks.

1. Biometric data is employees’ personal data that does not belong to organizations. If stolen at work, it can cause irreversible damage to employees in their personal lives.
2. The theft of biometric data outside the workplace can allow criminals to access company data. When organizations ask their employees to use their biometrics for authentication, they suddenly lose control over their security.
With 95% of breaches caused by human error, it’s no wonder organizations have turned to biometric authentication to address these errors. However, the theft of biometric data has become so widespread that it is no longer a viable methodology for authenticating employees.

Rather than exposing employees to these exponential risks, it is safer for organizations to regain control of their access and put security back under their own responsibility, not under the control of their employees.
Organizations can use access segmentation and encryption management solutions that allow them to generate strong, independent and unbreakable passwords from a centralized console and distribute them encrypted to their employees, so that no one ever sees or knows them.

By keeping control of their access, organizations ensure that passwords remain encrypted from end to end. All the user has to do is find the right password and use it, just as we do with physical keys in the real world. After all, passwords are only keys, but digitized. And no one would think of cutting their own keys before going home. It’s the same in the digital world.
On top of eliminating the 95% of security breaches that come from humans handling credentials, this method allows the segmentation of all accesses, preventing a breach of one system from spreading inside the network and leading to a network takeover. Segmentation reinstates internal digital doors and stops attackers from travelling across the network after a breach, therefore limiting the potential damage caused by a breach while preventing ransomware. This also takes a huge burden off employees’ shoulders: they no longer have to remember passwords or worry about being targeted by phishing attacks, since they can’t reveal information that they don’t know.

Biometrics are often touted as the number one security solution today, but when organizations force their employees to use them, they are exposing themselves and their staff to serious and irreversible risks. Instead, business leaders should look to reduce their exposure to biometrics theft, remove passwords from their employees’ knowledge, and keep full control over their digital access. Only then do they have a chance against cybercriminals.