In last week’s blog I explored trends and exciting innovations in the biometrics realm. In this column, I will be taking a more critical look at biometrics and asking whether these technologies and solutions are really ready for prime time. As a refresher, biometrics is the measurement and analysis of a person’s unique physical or behavioral characteristics. This means such things as a fingerprint or voice pattern—which can be used to verify that person’s identity.
Now, given the cybersecurity landscape right now, it’s really tempting to fall in love with the concept of biometrics. Weak passwords can be stolen or guessed, and it’s proving very difficult to get people to select strong passwords. Biometric data, in theory, isn’t as easily stolen.
Companies like Google, www.google.com, and Yahoo, www.yahoo.com, seemed to have signed on to this idea by announcing plans to get rid of passwords in lieu of more secure ways of authenticating users. Google, for instance, through its “project abacus,” says it will leverage various biometric factors to verify an Android smartphone user before unlocking his or her device.
The idea is that the device or application would rely on a cumulative “trust score. This score is calculated by measuring factors such as facial recognition, as well as the user’s typing patterns, voice patterns, and current location. If Google’s investing in biometrics-based authentication solutions, biometrics must be the answer? Or at least many are thinking that way. Well, it’s a little more complicated than that.
In doing my research I actually discovered there is a lot of negative press around biometrics. Perhaps as much negative press as Donald Trump is getting these days. Okay, perhaps I am exaggerating, but I have to admit, I really wasn’t prepared for as much negative press as we found.
Here are just a few of the headlines regarding biometrics technology and security concerns:
- “Biometrics are coming, along with serious security concerns” (Wired)
- “Biometric security poses huge privacy risks” (Scientific American)
- “Biometrics will replace passwords, but it’s a bad idea” (The Telegraph)
Naturally, any new technology will be (and must be) scrutinized before it becomes mainstream.
And discussing biometrics’ vulnerabilities is a healthy way to ensure the space grows without creating undue risk for end users.
The basis of people’s concerns about biometrics is this: you can rewrite a password, but you can’t change your thumbprint/face/voice/etc.
Biometrics data may be more difficult to steal than a password, but if stolen, the consequences could be way more extreme.
Something as personal and unique to an end user as a piece of biometrics data—whether it’s a fingerprint, an iris scan, a heartbeat, or an ear scan—can’t be replaced. What’s more, stolen biometrics data could have really long-term consequences for individuals. That’s means a lifetime of consequences, potentially. Consider for a moment just how scary of a thought that is and for all the more reason to make sure the industry thinks about the risks ahead of time.
In one of the most relevant research reports that tackles this topic, ABI Research, www.abiresearch.com, says cybersecurity vulnerabilities of biometric systems include untrusted user interface and malware for the consumer segment and compromised USB peripherals and encryption for the enterprise sector.
Major concerns for biometric system integrators include incorporating data security protocols, monitoring for incoming threats, and establishing physical and logical integrity of the system. ABI’s report also highlights some “weapons of choice” for biometric systems integrators that want to strengthen their security.
These include data quality assurance, encryption, and “fuzzy extractors,” which convert biometric data into random strings, making it possible to apply cryptographic techniques for biometric security.
ABI calls biometrics a $26 billion industry, but suggests security concerns surrounding biometrics is the primary concern for vendors that would otherwise invest in the technology.
In other words, security concerns are holding biometrics integration back. Maybe that’s ok, as long as it’s not fear that’s preventing integration, but rather an awareness that more security discussions need to take place before we can ditch passwords in favor of fingerprints, eye scans, or whatever else the industry has in store for us.
Last September, the U.S. OPM (Office of Personnel Management) announced the theft of background investigation records for millions of federal employees, and that data included fingerprints. The OPM said in a press release that federal experts believed the ability to misuse fingerprint data was limited at the time, but this could change as technology evolves. Unfortunately, the victims of this breach may yet be at the mercy of criminals who are looking for ways to exploit biometrics systems.
There is no question that biometrics is an exciting field in the IoT (Internet of Things) industry, but when it comes to security, we must not let our guard down. If we do, the consequences could be truly devastating. It’s all about working stronger and harder to secure or world and identity.
Want to tweet about this article? Use hashtags #IoT #M2M #biometrics #connected #devices #data #security #authentication #mobile #OPM, #OfficeofPersonnelManagement #Google #Yahoo