Biometrics have become the de facto standard for secure consumer authentication. Even among employers, the belief that biometrics, in conjunction with strong passwords, ensure security is common. While it is true that the use of biometric data in the authentication process significantly decreases the likelihood of credential theft, recent events have exposed some disadvantages of biometrics. This month, a major biometrics database breach occurred, exposing the fingerprint and facial recognition data of millions of people. As reported by the Guardian, Israeli security researchers Noam Rotem and Ran Locar discovered the physiological biometrics of millions of individuals in a publicly accessible database. Suprema, a self-described "global Powerhouse in biometrics, security, and identity solutions" and the company responsible for the web-based Biostar 2 biometrics lock system, faced scrutiny as it came to light that Biostar 2’s database was unprotected and mostly unencrypted.
Biometrics are simply the use of key physical features of your body as unique identifiers. These are features that are unique to you, such as fingerprints, facial structure, and palm features, all of which are easily read by external devices without being significantly invasive.
Two-factor authentication is a great way to increase security. Using biometric authentication is a way employers can reduce risk without making authentication harder for employees. It helps companies ensure that clients are protected. Much of today’s personal technology uses some form of biometric identifier, such as fingerprints, to secure everyday devices. Phones, tablets, and laptops, as well as banks and health care facilities, make use of biometric authentication.
However, a biometric identifier must be something that only the intended users can produce. Fingerprint scanners are useless if someone has a copy of your fingerprints or if for any reason the fingerprints that identify you are altered.
This is precisely what researchers were reportedly able to do, according to the published report. Researchers were able to effectively take over individuals' accounts and identities by editing an existing user’s account and adding their own fingerprints or facial recognition data, at which point all of that user's access is compromised. Furthermore, researchers were able to simply add themselves as a user, with their own photo and fingerprints, to grant themselves building or account access as they wished. Even when an organization takes steps to protect its assets, those assets remain at risk when trusted partners fail to secure their own.
Suprema is reported to be one of the world’s top 50 security manufacturers, and yet, even they failed to secure biometric and authentication data from over 1.5 million locations globally.
Biometric records, unlike passwords, are a considerable risk if they are exposed. Biometrics, much like your Social Security Number, aren’t likely to change. Once biometric data is compromised, the individual remains perpetually compromised. Fingerprints and facial markers generally do not change throughout a person’s life. So in the event of a breach, these records are no longer a viable method of authentication, even as a second factor, because they are virtually public knowledge.
When a breach of this magnitude occurs, not only are individuals impacted, but all organizations that they have worked with or are working with now face increased risk. Businesses whose employees use biometric data as a second form of authentication now have several users who in reality have only single-factor authentication. Their password is the only valid authentication because their biometric data may now be out in the wild. Biometrics don’t change, and now that second factor is no longer secure.
One way to deal with this situation is for businesses to go through a lengthy and expensive process of removing biometrics as a second factor of authentication. Another, equally protracted and time-consuming process would be to replace biometric authentication with another factor such as a digital fob or app on the user’s phone. Still, each of these options carries risk.
Companies must accept the new paradigm that even biometric authentication carries with it a risk of disclosure. In this case, Suprema’s clients face having some employees with less secure credentials. Smart companies understand the threat landscape continues to change and evolve, and cyber attackers regularly adapt their approach, thus finding new holes.
To mitigate this risk, some companies offer cyber insurance. Cyber insurance, much like personal identity theft insurance, can offer assistance dealing with the challenging reality that no authentication method is entirely secure. Zeguro understands that even the best security is never perfect. This is why we offer a cyber insurance policy that is customizable to every client's unique risk profile.