
Sexy, but stupid: Biometrics security requires balancing risks

When it comes to biometrics, security coexists with stupidity, unless implementers take the time to understand the limits, according to Adam Englander at RSAC 2018.

Reliance on biometrics security controls may be the new hot thing -- especially for the way a thumbprint or glance can eliminate the friction of consumer transactions. But relying on them without understanding how they work is a misguided strategy, according to Adam Englander.

Englander, chief architect for multifactor authentication products at Iovation Inc., a fraud prevention and authentication company based in Portland, Ore., put it more bluntly in his session at RSA Conference 2018, titled "Biometrics: Sexy, Secure and ... Stupid." In the course of explaining why biometrics are suddenly so popular, he also offered a counterpoint to some of the enthusiasm generated by the mainstreaming of biometric authentication by the likes of Apple, Microsoft and Samsung.

"Most people are probably here because biometrics are sexy. It's the hot new thing," Englander said. Biometrics are "sexy like a Tesla," because "electric cars have been around for over 100 years, but nobody wanted them until the Tesla came out," he added. While previous electric cars worked, they didn't work that well for most users. So, it wasn't until Tesla came out with a car that was effective and attractive that the market for electric cars took off.

Unlike electric cars, biometrics are far from new: Englander noted that archeological finds of clay tablets with thumbprints demonstrate that biometrics have been in use for about 4,000 years, since ancient accountants pressed their thumbs into the clay tablets to indicate they were the ones who did the work.

What's made the difference for biometrics? Englander argued it is their recently discovered utility for enabling payments through mobile devices that has made biometrics "really sexy."

If a transaction requires entering a password, which on a phone can be time-consuming and requires concentration to get right, the transaction gets slowed down to the point that the person doing it might think twice about completing it. "On an impulse buy, I had that extra two or three seconds to think, which is not what retailers want," Englander said. Retailers want you to just make the purchase, and if you can do it just by looking at a phone or pressing a thumb, that's "really awesome."

"Another nice thing about biometrics is that they can't be unknowingly stolen," Englander said. "They can be copied, just like many other things, but they can't be stolen. I would probably notice if my thumb was missing; I would probably notice if my iris was missing."

Security tokens or passwords that have been written down can be stolen without the owner noticing. Just as they can't be unknowingly taken, biometrics can't be transferred: A user can't share her thumbprint or face with other users.

Biometrics security: Inherently stupid

Englander said biometric factors are "inherently stupid" for a number of reasons, starting with the fact that the "biometrics don't evolve." While one of the strengths of biometrics is they provide enough complexity to be useful for authentication, there is no way to increase the complexity of a biometric factor like a fingerprint. "There's no way to get more swirls on your thumb," Englander pointed out. Furthermore, biometrics can't be changed short of a "catastrophic event," like the loss of a finger or hand, or facial disfigurement from some injury.

What it means, Englander said, is "the net value of biometrics increases over time."

Unlike with passwords, which system administrators can change after a breach, biometrics data can never be changed; thus, it continues to grow in value, even if encrypted.

"Biometrics has a significant flaw: There's this thing called Moore's Law that says that computing power is going to increase by a percentage every year, but your biometric does not," Englander said. And the people whose fingerprints were compromised in the 2015 breach of the U.S. Office of Personnel Management can never depend on their fingerprints to be a secure method of authentication. "Until you die, the credentials are now compromised."

How to do biometrics the smart way

Given the static nature of biometric factors, it may be foolhardy to depend entirely on them for authentication. But doing biometrics "the smart way" by understanding their strengths and weaknesses can pave the way for more secure authentication.

First, Englander recommended using true multifactor authentication (MFA), incorporating biometrics as one of three factors for authentication. But true MFA, he warned, requires at least three factors:

  • Inherence. "What you are," or biometric factor;
  • Knowledge. "What you know," usually a password; and
  • Possession. "What you have," usually a token of some sort.

"Without all three, it's not true MFA."

"Three is better than one," Englander said, noting that if you have three factors, even if the biometric factor has been compromised, the other factors can change. If the only factor being considered is the biometric, that is not safe. But even when a compromised biometric is used with two other factors, they all together can produce a strongly authenticated result, even if none of the individual factors by themselves can be fully trusted.

"All these things together by themselves aren't super secure. But if you put them together, they're fantastically secure," he said.

Another way to do biometrics security the smart way is to decentralize storage. If you don't, Englander said, "you're putting your users at risk," because attackers would rather breach a centralized store of biometrics than try targeting individuals one at a time.

Decentralizing means "spreading out the risk" to prevent the possibility of stealing a million IDs at once. If an organization still stores credentials centrally, Englander said, "I as a consumer must trust that you are storing them well." Another way to decentralize biometrics is to use the FIDO Alliance's new WebAuthn (Web Authentication) API, which is already supported in browsers to provide secure MFA.

Finally, Englander recommended using machine learning to be smart about determining the risks and what level of authentication is needed for different authentication attempts. In other words, when authenticating a user who is attempting to make a financial transfer, the system should require a much higher degree of confidence in the authentication and use three factors. On the other hand, granting access to a piece of paid content to a user who just authenticated five minutes before from the same device might not call for any further authentication.
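The three-factor rule above and the risk-based step-up recommendation can be expressed as one policy decision. The following is an added example for this page, not code from the article or from Iovation: the factor weights, the discount applied to a biometric known to be compromised, the per-action thresholds and the device and session identifiers are all assumptions chosen to illustrate the passage, not values from the talk. It goes slightly beyond the text in also handling the case where a low-risk action is requested with only a compromised biometric in hand.

```javascript
// Added example (not from the article or Iovation): a risk-based step-up
// authentication policy. All weights and thresholds are illustrative assumptions.
const FACTOR_WEIGHTS = { inherence: 40, knowledge: 30, possession: 30 };
// A biometric the user cannot change (known to be in a breach) is still required
// where the policy asks for it, but its contribution to the score is discounted.
const COMPROMISED_DISCOUNT = 0.25;

// Per-action requirements. A transfer demands all three factor types; paid
// content can be unlocked by a recent session on the same device.
const ACTION_POLICY = {
  transfer: { minScore: 60, minTypes: 3, recentSessionSeconds: 0 },
  view_paid_content: { minScore: 40, minTypes: 1, recentSessionSeconds: 10 * 60 },
};

// Score the factors actually verified in this attempt. Two factors of the
// same type (two passwords) count once: only distinct types add assurance.
function scoreFactors(verifiedFactors, compromisedTypes = new Set()) {
  let score = 0;
  const seen = new Set();
  for (const type of verifiedFactors) {
    if (!(type in FACTOR_WEIGHTS) || seen.has(type)) continue;
    seen.add(type);
    score += FACTOR_WEIGHTS[type] * (compromisedTypes.has(type) ? COMPROMISED_DISCOUNT : 1);
  }
  return { score, distinctTypes: seen.size };
}

// Decide whether to allow the action, and if not, which factor types to ask for.
function decide(action, context, now = Date.now()) {
  const policy = ACTION_POLICY[action];
  if (!policy) return { allow: false, reason: 'unknown action', stepUp: [] };
  const s = context.session;
  const recentEnough = policy.recentSessionSeconds > 0 && s &&
    s.deviceId === context.deviceId &&
    now - s.authenticatedAt <= policy.recentSessionSeconds * 1000 &&
    s.score >= policy.minScore;
  if (recentEnough) return { allow: true, reason: 'recent session on the same device', stepUp: [] };
  const verified = context.verifiedFactors || [];
  const { score, distinctTypes } = scoreFactors(verified, context.compromisedTypes);
  if (score >= policy.minScore && distinctTypes >= policy.minTypes) {
    return { allow: true, reason: 'presented factors satisfy the policy', stepUp: [] };
  }
  const stepUp = Object.keys(FACTOR_WEIGHTS).filter((t) => !verified.includes(t));
  return {
    allow: false,
    reason: `needs score >= ${policy.minScore} across >= ${policy.minTypes} factor types`,
    stepUp,
  };
}

// Scenarios from the article, with constructed identifiers and a fixed clock.
function runPolicyScenarios() {
  const t0 = 1700000000000; // constructed "now"
  const fiveMinutesAgo = { deviceId: 'phone-1', authenticatedAt: t0 - 5 * 60 * 1000, score: 100 };
  const base = { deviceId: 'phone-1', verifiedFactors: [], compromisedTypes: new Set(), session: null };
  return {
    // A biometric alone is not enough for a transfer.
    transferBiometricOnly: decide('transfer', { ...base, verifiedFactors: ['inherence'] }, t0).allow,
    // All three, with the biometric known to be compromised, still clears the bar.
    transferAllThreeCompromisedBio: decide('transfer', {
      ...base,
      verifiedFactors: ['inherence', 'knowledge', 'possession'],
      compromisedTypes: new Set(['inherence']),
    }, t0).allow,
    // Two factors without the biometric: score is fine, but only two types.
    transferNoBiometric: decide('transfer', { ...base, verifiedFactors: ['knowledge', 'possession'] }, t0),
    // Paid content five minutes after a strong login on the same device: no prompt.
    contentRecentSession: decide('view_paid_content', { ...base, session: fiveMinutesAgo }, t0).allow,
    // The same session seen from a different device must re-authenticate.
    contentOtherDevice: decide('view_paid_content', { ...base, deviceId: 'tablet-9', session: fiveMinutesAgo }, t0).allow,
    // A compromised biometric on its own cannot even unlock low-risk content.
    contentCompromisedBioOnly: decide('view_paid_content', {
      ...base, verifiedFactors: ['inherence'], compromisedTypes: new Set(['inherence']),
    }, t0),
  };
}

module.exports = { scoreFactors, decide, runPolicyScenarios };
```

The `stepUp` list is what a front end would use to prompt for the missing factor types rather than rejecting outright, which is the "what level of authentication is needed" decision Englander describes; the machine-learning part of his recommendation would replace the fixed `ACTION_POLICY` thresholds with a learned risk score, but the decision structure stays the same.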


What do you think about the risks of using biometrics for authentication?
Early in the article it says that Biometrics can't be stolen. Then later in the article it talks about fingerprints being stolen.
Good point -- thank you! (and the article has been edited to make it clearer)

The point was that you can't have your biometric stolen and then lose access when you try to use that same biometric in the same way that an attacker who has access to your password can use your credentials to take over access to your account.

In other words, an attacker with a copy of your biometric data can access your account, but shouldn't be able to lock you out of that account as they could do if they have a copy of your password, which they can use to change the password without your knowledge.
There are so many things wrong with what was presented by Englander. Don't even know where to begin. The fact is biometrics are evolving quickly, particularly Face, and some have already provided *standalone* ultra-secure login authentication: no passwords or PINs, no legacy biometrics, like fingerprint, 2D face and eye scans - all of which can very easily be spoofed.

No, Adam, you can't really steal a person's finger (though there's an argument against that), but you can indeed get a non-live facsimile, even from a photo several feet away. The key to successful biometrics is human liveness detection - not blinking or nodding; those are very easily reproduced artifacts - which is the ability to verify several factors like skin reflections and textures, passive movement of all sorts, and many other uniquely human traits that can only be validated *during* a login session.

The security industry has been peddling false promises for many years. MFA, for example, is not inherently more secure: if you have two weak modalities, all you've done is increase your attack surface. And even the very definition of liveness has been so badly maligned as to mean nothing. A nod or blink can be spoofed in - literally - ten minutes with *no* special tools. Check out CrazyTalk, the free software that can take a static image and make it talk, frown, sing, name it. Almost (not all) systems can be very easily spoofed with this software toy.

One last point. If a modality is actually secure, there is no need for additional measures, like ML identifying a higher-level transaction. The reason the industry - including Adam's company - is because they don't have a better solution. But with AI-developed software, alternatives are already out there.
Are you suggesting biometrics are evolving to the point that there are new authentication methods that will be sufficiently secure without additional factors?

What I do know is that I wouldn't use my social security number (or any other value I cannot change and which is irrevocably linked to my identity, like my fingerprint) as a password to authenticate myself. I'd be fine with using it for identification, though.

What kind of authentication method would you suggest as being sufficiently secure?
A biometric that *actually* verifies liveness, and - encrypted and managed properly (no magic, but using current methods) that cannot be phished, borrowed or stolen. No passwords, no PINs, no additional unique identifiers. Companies outside the US (not a surprise) are already using some.

I'm interested in hearing more specifics of these non-magical, single-factor biometric authentication methods that are encrypted, properly managed and fully secure AND reliable.

Security is always an arms race. Just as fast as researchers find ways to secure an authentication method (for example) the attackers are finding ways to defeat it.
It's being used by several companies already, and for some it is the only factor.

So, you're depending on an on-device camera with software capable of determining the user is the user and is alive.

And that's the only authentication factor?

That's fine, and I'm not an expert, but wouldn't an attacker be able to defeat this by mugging me and authenticating me under duress just by scanning my own face with my own phone?
You just described a scenario that NO biometric or any other security method will guard against. A gun to a head is no match for any type of authentication modality or method.