Biometrics: a modern security enabler?

 - By Vic Mankotia, VP – Solution Strategy, APAC & Japan, CA Technologies.

With enterprise mobility growing at a fast pace, the BYOD trend is catching on across organizations as employees now prefer to bring their own devices to work. As a result, organizations are increasingly encouraging BYOD to enable better collaboration across internal and external stakeholders and to improve employee productivity. With this trend, mobility is set to bring in a paradigm shift as we look at managing millions of devices. This revolution has taken most enterprises by storm, almost replacing the traditional enterprise model in which an employee came to work and used the company’s IT infrastructure. Over time, this has given rise to new, technologically advanced workforces, reshaping the way IT is purchased, managed, delivered, and secured.

Further encouraging BYOD are factors like wide network connectivity, continued access to files and emails, a variety of mobile apps and solutions designed for the enterprise and, last but not least, the growth of social media. Personal devices allow employees to access data whenever required, putting enhanced capabilities just a phone key away. However, the growing trend of BYOD is diminishing the differences between personal and enterprise data. Though BYOD has various advantages, it is accompanied by security threats to data. Because work-related spreadsheets, emails, calendars and other files are accessed on personal devices, the security of data has been a major concern. With the increase in cyber-attacks, enterprises are at huge risk, making information security a major concern for them.

Because of the mission-critical data present on mobile devices, it has become important to secure them. For years, passwords have been one of the most preferred ways to secure data digitally. But as modern information security threats increase, the lacunas in using passwords are becoming apparent. A recent hacking incident at one of the leading online note-taking services compelled the service provider to reset 50 million passwords. Using a basic password or a four-digit PIN is no longer enough to protect your device or data. Multi-factor authentication is needed for many applications and forms of access.

Biometrics offers considerable security benefits to the consumer – including better protection from identity theft, data theft, and possibly even financial fraud. It’s significantly more secure than using a basic password, which is vulnerable to brute-force attacks. For instance, India is witnessing growing adoption of phone banking because it offers a significant level of convenience. However, mission-critical data can be easily compromised if security measures are improper.

The use of biological markers like fingerprints, faces and irises to identify people is rapidly moving from science fiction to reality. Apple’s latest iPhone, which went on sale a few days back, can be unlocked with a fingerprint. With the iPhone 5s introducing this feature, tremendous momentum was expected to be added to this already growing industry.

First and foremost, users are a threat to biometric authentication. Individuals overly trust internet applications with facial or other biometrics, which are readily acquired via multi-modal interfaces. A person’s biometrics can’t be kept secret and they can’t be retracted. A fingerprint is one password you leave around everywhere, in public places, every single day; it needs to be further authenticated, and one should not use that print pattern as a password. ‘Trust’ is a rare currency, and in the event of fingerprints replacing passwords, we are inviting threats and disasters. It is possible to steal or copy a person’s biometrics. Experts have said that fingerprints and other indicators can be copied, giving hackers and thieves access to private information. And once compromised, fingerprints, unlike passwords, cannot be reset.

Consumers should understand that identity is the new perimeter. It is also an individual’s responsibility to ensure that this perimeter is NOT breached. The right people should have access to the right information.

The vulnerability of this system was recently seen with the hacking of the iPhone 5s. There is another risk with biometrics if you think long term. If Apple or some other biometric scanning company allows websites to validate you with a biometric scanner, then in the future you could sign into a number of accounts with your fingerprint. If that fingerprint template is stolen by a hacker, they could use it to break into other accounts as well. Biometric systems also face threats from applications. Biometric engines for the various biometrics are available not just through vendors but also as open source. That says a lot about whether we intend to use biometrics as a ‘toy’ or as a real security measure, and whether the established privacy and use policies are more than just fancy frills. Another threat is vulnerabilities and weaknesses at the system component level and/or during transmission that could result in spoofing, data insertion, score manipulation, database compromise, hill climbing and threshold manipulation.

In enterprises, the major threat to biometric authentication is at the organization level and concerns assuring an identity during enrollment. How do we know that the user being enrolled is the authentic user? For higher-security applications, rigorous policies and procedures are needed for enrollment assurance. Industry guidelines or regulations for the integrity of the enrollment process, covering authentication of the user before biometric enrollment credentials are accepted, should be followed.

Biometrics is being adopted by various sectors like homeland security, healthcare and automotive, and leading companies like Facebook are also adding facial recognition to their platforms. As consumers’ lives move from offline to the realm of digital technologies, biometrics is set to become the face of web authentication. Today, a consumer might require 11 unique passwords for everything from online banking to social media, adding to the stress of building secure gateways.

CA Advanced Authentication is a real-time, layered security solution that is delivered in an authentication-as-a-service format. The use of authentication services eliminates the need for the typical infrastructure, maintenance and upgrade tasks while providing a flexible, scalable and reliable solution that reduces the risk of inappropriate access or fraud. If CA Advanced Authentication is used along with biometrics, devices can be safer. There is also CA SiteMinder, which provides Single Sign-On (SSO) and Web access management to authenticate users and control access to Web applications and portals. It enables the secure delivery of essential information. CA SiteMinder has the capability to do biometric authentication with a validated partner, ensuring better safety.

Even though biometrics is the most widely suggested replacement for passwords, it comes with its own challenges. Biometric systems are seductive, but the reality isn’t that simple. They have complicated security properties. But biometrics, if paired with other authentication processes, offers better protection and security to customers.