The following guest article is from Dan Puterbaugh, Attorney and Evangelist, Adobe.
Passwords are a persistent problem. People forget them, share them and write them on Post-its. Clearly, strings of characters are an imperfect method of authentication. The next wave of identity management will be biometric — at least, that’s what we’ve been hearing for the past 15 years. But biometric identity authentication has never really gained traction, and for that, we should probably be grateful.
Authentication methods fall into three categories: something you know, something you have or something you are. Something you know is usually a password; something you have is a physical token such as a fob or an app on a mobile device; and something you are might be a fingerprint or an eyeball.
An iris scanner in every home?
Best practice today is to use multi-factor authentication (MFA), which is two or more types of authentication. MFA in a consumer environment usually requires two of something you know, since it’s impractical to expect every customer to own a fob or submit a fingerprint to access each of their online accounts.
A typical application in use by banks requires account holders to associate a photographic image with their account in addition to supplying a password. Another form of two-factor authentication based on something you know is when a website texts a code to a user’s phone, which then must be entered along with a password.
Biometric data is a category that’s difficult to apply in B2C markets. The first difficulty is capturing the initial data; it’s unrealistic to expect customers to appear in person at a facility to record their fingerprint or get their eyes scanned.
After that, of course, is the challenge of using that data in everyday transactions. Ordinary people don’t have iris scanners in their homes. Ordinary people do, however, have smartphones. Is that the solution to bringing two-factor authentication to the mass market?
This is how urban myths begin
The Chaos Computer Club, a group of German hackers, was apparently able to break into an iPhone 5S just two days after the device’s release by photographing a fingerprint left on a glass surface, transferring the image to a thin film placed over a live finger and pressing the Home button.
Along the same lines, the hosts of "MythBusters" claimed to have achieved the same goal by creating a fingerprint using latex and ballistic gel, although security researchers called foul on that endeavor.
What’s important to note about the researchers’ objection is that the lock the "MythBusters" claimed to crack required more than just a fingerprint: biometric locks also measure galvanic skin response, body temperature and other signs of life, so an evildoer would not be able to simply cut off the finger of somebody with authorization and use it to enter a room.
Yes, security professionals are paid to think of possibilities like that. In fact, iris and retinal scans are considered more secure than fingerprints because it’s a lot harder to remove a person’s eyeball than it is to slice off a finger.
Biometric is still bits and bytes
Bodily harm is certainly the most gruesome vulnerability possible in biometric authentication, but it’s not the most likely. Biometric authentication can be hacked in the usual way, because once a scan is created of a fingerprint, iris or retina, that scan is stored as computer-readable data in a database.
The scans are only as secure as the database they’re stored in or the encryption they’re subjected to, and we have seen repeatedly that no database or encryption is completely secure.
That’s concerning, because the ramifications of stolen biometric data are worse than those of stolen passwords. After a suspected breach, users are directed to change their passwords — but nobody can be issued a new fingerprint or retina. Once that data is stolen, its owner can never be authenticated again, at least with that data, with any level of confidence.
Keeping ahead of hackers is a process
Because people can’t revoke the structures of their fingers or eyeballs, biometric authentication is always going to carry a level of risk. Of course, just like any form of authentication, it’s more trustworthy in conjunction with another form, such as a PIN (something you know) or an app (something you have).
However, if biometric data is risky due to its irrevocability, then the question is whether it’s wise to use it at all. The point of multi-factor authentication isn’t to provide a trustworthy form of authentication in combination with a less trustworthy form of authentication; it’s to provide two equally trustworthy forms.
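One way to address the irrevocability problem raised above, as an added example that is not from the article: a cancelable-biometric scheme (a keyed, distance-preserving transform, a technique from the research literature rather than anything the author describes) in which the database stores only a transformed template while the user holds the key, so a leaked record can be revoked by re-enrolling under a new key. The template size, match threshold and sample iris codes are constructed for the demo.

```python
import random
import secrets

TEMPLATE_BITS = 256      # constructed toy size; real iris codes are ~2048 bits
MATCH_THRESHOLD = 0.25   # accept when <= 25% of bits differ (constructed value)

def hamming_fraction(a: int, b: int) -> float:
    """Fraction of differing bits between two templates held as ints."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS

def cancelable_transform(template: int, key: bytes) -> int:
    """Keyed, revocable transform: permute bit positions with a key-derived
    shuffle, then XOR a key-derived pad. Both steps preserve Hamming distance,
    so same-key samples match as raw ones would; the raw template is never stored."""
    rng = random.Random(int.from_bytes(key, "big"))  # deterministic per key
    perm = list(range(TEMPLATE_BITS))
    rng.shuffle(perm)
    permuted = 0
    for dst, src in enumerate(perm):
        if (template >> src) & 1:
            permuted |= 1 << dst
    return permuted ^ rng.getrandbits(TEMPLATE_BITS)

def enroll(sample: int) -> tuple:
    """DB keeps only the transformed template; the key stays with the user (e.g. phone)."""
    key = secrets.token_bytes(16)
    return cancelable_transform(sample, key), key

def verify(db_record: int, presented: int, key: bytes) -> bool:
    """Transform the fresh sample under the user's key and match in that space."""
    return hamming_fraction(db_record, cancelable_transform(presented, key)) <= MATCH_THRESHOLD

def revoke_and_reenroll(sample: int) -> tuple:
    """After a breach: same iris, fresh key; the leaked record matches nothing new."""
    return enroll(sample)

def noisy_copy(sample: int, flips: int, seed: int = 1) -> int:
    """Constructed sensor noise: flip `flips` bit positions of a sample."""
    rng = random.Random(seed)
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        sample ^= 1 << pos
    return sample

# Constructed samples: a "genuine" iris code and its bitwise complement as an imposter.
GENUINE = random.Random(42).getrandbits(TEMPLATE_BITS)
IMPOSTER = GENUINE ^ ((1 << TEMPLATE_BITS) - 1)

if __name__ == "__main__":
    record, key = enroll(GENUINE)
    print(verify(record, noisy_copy(GENUINE, 32), key), verify(record, IMPOSTER, key))
```

The caveat is that the scheme only helps while record and key are stored apart: an attacker holding both can invert the transform, so the key belongs with the user's device (something you have), not in the same database as the template.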
But we have to do something. At this point in our technological evolution, it’s ridiculous to even point out how much business we do on the web, both as companies and consumers.
Everybody knows that identity theft is no longer epitomized by an individual having their credit rating destroyed; identity theft costs enterprises many millions of dollars in penalties, lawsuits and loss of intellectual property, and costs governments millions in tax fraud. Identity theft is big money, and big money attracts clever evildoers by the swarm.
Security innovators are looking at ways to use biometric data more securely, such as capturing a person’s facial expressions, vocal quality and even DNA. Whatever the next phase of identity authentication turns out to be, it won’t be the ultimate answer; rather, it will be the next phase in what’s certain to be a long string of phases intended to keep us a step ahead of hackers.