Biometric authentication is often thought of as nearly impossible to steal or fake, a perfect addition to your cybersecurity arsenal. While it is tough for a threat actor to replicate a physical attribute of a specific individual, biometric authentication is not foolproof.
In the context of computers, a biometric sample is a physical or behavioral attribute scanned and encoded within data. Not only are there ways around biometric authentication, but not all biometric methods are created equal.
Understanding How Biometric Scans Work
Whether physiological or behavioral, the software captures the biological input that a user provides. For example, the fingerprint or face scan. The image that is captured creates a baseline data point template.
The captured data is now stored in internal hardware on the device used, or on a cloud platform. That data is actually code that’s generated describing the biometric features of the captured image for the specific biometric technology.
For optimal security it would be ideal for biometric systems to require a live biometric to be presented at each access point. Additionally, biometric identification solutions shouldn’t be the only step in point of entry.
Setting up a multi-factor authentication system that blends biometric characteristics like fingerprint readers in combo with more traditional items like 2FA or passwords would provide optimal security.
Increasing Security with Biometrics
In movies, the villain often guesses the password to gain entrance or the action hero uses someone’s fingerprint who is unconscious to gain access. Copying biometric authentication is far more complex. In real life, a stolen or guessed password is far easier to acquire than a person’s fingerprint.
Unless a threat actor can lift a fingerprint from a coffee cup, print a silicone fingerprint out, and access the scanner, they will not quickly gain access to secure data. The amount of effort required is leaps and bounds above what the average attacker will expend. In that sense, biometrics is far more secure as you need the individual’s physical presence or an excellent copy of their specific attribute.
Not all Biometrics are Created Equal
Biology is finicky, and the same is true for any biometric authentication. A sweaty hand may mean that a scanner cannot read a fingerprint.
Most biometric authentication systems have a fallback to a password or PIN code. Windows Hello for Business backs up biometrics with a PIN code (tied locally to the device). The primary method to gain access is the fingerprint, but if that isn’t working for whatever reason, enter your PIN code to see the desktop.
As an attacker, one could swipe the wrong fingerprint a few times to gain access to a simpler PIN code. As traditional methods, such as passwords and PIN codes, provide fallback methods for biometrics there is a potentially insecure way in for the attacker.
Until now, fingerprint biometrics have been exclusively mentioned because that tends to be the most commonly used method. But, there are various types available, both physical and behavioral. Each method has its pros and cons, and a few are listed below to get a sense of the method variety.
Physical Biometrics
Most physical biometrics are specific interactions triggered when a second or primary form of authentication is needed. The downside to physical biometrics is that a user must actively participate.
|
Method |
Pros |
Cons |
|
Fingerprint |
– Familiar method used on many different devices – Cheap scan technology – Fast scanning ability |
– Injuries can interfere with a scan – Can be bypassed via fake fingerprints – Reliance on partial fingerprint data reduces accuracy |
|
Facial |
– Widely used method, especially on phones – Requires Minimal Interaction – Contactless |
– Lighting affects accuracy – Facial accessories affect the accuracy – Potentially bypassed via an individual’s image |
|
Voice |
– Natural communication method – Unique method, hard to falsify |
– Changes in the voice decrease accuracy – Background noise can affect performance – Recordings could potentially be used to bypass |
|
Retina/Iris |
– Naturally well-protected against damage – High level of randomness between individuals |
– Invasive as most scanners require close contact – Low light affects performance – Scanners are more expensive |
|
Palm Vein |
– Contactless due to scan from light – Unique method unaffected by hand state |
– Expensive scan technology – Some fevers can affect the ability to scan |
Behavioral Biometrics
One aspect of behavioral biometrics is that they tend to be passively collected. Data collected in the background means that behavioral authentication can be transparently added to a normal password interaction, providing a second factor without additional user work.
|
Method |
Pros |
Cons |
|
Touchscreen Use |
– Good for mobile devices – Accessible for folks that may not use a keyboard |
– Not all devices have touchscreens – Condition of the touchscreen may affect the quality |
|
Typing Dynamics |
– Useful for those working primarily with a keyboard – Familiar form of entry for many |
– A louder form of entry – Required to enter in some amount of text entry – Not all devices have keyboards – May not be as accessible as a touchscreen |
|
Mouse Activity |
– Less intrusive than the use of a keyboard – Mostly passive data collection |
– Not all devices have mice – May not be as accessible as a touchscreen |
The Consequences of Compromised Biometrics
A stolen password can be changed, but the same cannot be said for a fingerprint. Encoded within the computer is the unique fingerprint distilled down into data via an algorithm. As the fingerprint is represented and stored as data, it can be stolen.
Once stolen, a person’s fingerprints cannot be changed, the same as a retinal scan or palm geometry. This means that stolen biometrics are permanently compromised. The consequences of a compromised biometric means that the data can never be clawed back once stolen.
Layering Passwords and Biometrics for Increased Security
Since most biometrics are part of multi-factor authentication and often backed by specific passwords, how does an organization secure its data? Layering the biometric authentication with a strong password policy will ensure that more than a compromised biometric is needed to gain access to secure resources.
As noted earlier, if a PIN code is available as a fallback method, it is likely far quicker to crack than a truly strong password following length and complexity requirements. In the case of Windows Hello for Business, an attacker would need access to a specific physical device. But, if an additional authentication metric of a password were added, then this would make the job of an attacker exponentially harder.
All this implies that without a requirement for a password, a biometric authentication method is not enough.
Enforcing Stronger Security with Specops Password Policy and Specops uReset
Biometrics alone cannot fully secure a system as falling back to an insecure password provides a gateway to a threat actor gaining access. Not to mention the cost to move to that model is higher than the average IT security budget allows.
However there are tools to strengthen password security that won’t require a system overhaul. Specops Password Policy integrates with Active Directory to offer targeted policies containing flexible rulesets to conform to your organization’s needs.
With the Breached Password Protection add-on, ensure that no previously stolen password is used. Plus, keep your users secure and aware of needed tweaks to their passwords during password change with the integrated password requirement screen during Windows login.
There may come a time when a user needs to reset a lost password, and to make this process easier and more secure,Specops uReset offers multiple weighted authentication providers. Not all methods may be seen as equally secure so layer several together to ensure that a user can get back to work quickly.
With the importance that passwords still play with biometric authentication, a flexible reset process is necessary to ensure a locked account does not stymie your users. This is especially true for the work-at-home user and hybrid offices to avoid constant helpdesk calls!
Stronger Together, Biometrics and Passwords
As strong as biometrics are, more than they are needed to secure access to resources properly. In addition, the risk of stolen biometric data is far longer-lasting than a password.
Therefore, layering biometrics with strong passwords ensures a high probability of security.
With Specops Password Policy and Specops uReset, give your users the best experience possible by keeping them secure through flexible policies while ensuring that even if they become locked out, they will get in through various authenticated methods while reducing calls to the help desk.
Sponsored and written by Specops Software
