Americans are growing increasingly comfortable with biometrics as a means of confirming their identity, with a recent survey finding 81% of respondents would be receptive to using biometrics in airports. Many consumers are already relying on biometric authentication to log into various online accounts, and companies are taking steps to incorporate biometric capabilities into more devices and systems. As a result of these factors, the biometric market is expected to reach nearly $33 billion by 2022.
The technology offers a range of benefits for businesses and consumers alike. However, there is a critical misconception that must be addressed: biometric authentication is not immune to hackers. Over the summer, a security flaw in BioStar 2, a system used to secure commercial buildings, exposed the biometric data of more than a million users. This is a serious vulnerability with lasting, irreversible implications for consumers.
As Enzoic’s COO, Josh Horwitz, wrote in a recent piece for IT Security Guru, “Think about it; you can’t change your fingerprint or your face. If biometric information is exposed, then any account where you use this method of authentication is at risk. There is no way to reverse the damage.”
Josh argued that biometrics must be viewed as part of a company’s identity management security strategy, where other security elements should also be included to mitigate the potential risk. Potential steps include:
- Using biometrics as a second factor of authentication: Rather than being the sole way someone accesses an account, biometrics should be one part of MFA, as NIST SP 800-63B recommends. In this model, the first factor could be a username and password login, with credential monitoring or password screening running in the background, followed by a second-factor biometric confirmation instead of typing in a code or a similar manual action.
- Password-based authentication fallback: Biometrics are probabilistic, so occasionally they fail legitimate users. If the biometric fails or is breached, most organizations should fall back to password-based authentication. To keep that fallback secure, however, companies need strategies in place to make sure passwords are not compromised or easily guessable.
- Credential screening: With new breaches occurring regularly and a treasure trove of exposed credentials available on the Dark Web, the only way to truly ensure password security is to continuously screen passwords against a live database of exposed credentials. One Enzoic client told us they discovered that 4% of their uncompromised credentials became compromised within one month—and this is happening every month.
In addition to these considerations, it’s critical that companies store passwords and biometric data securely. As Josh put it, “… password data should not be stored in plain text and a strong hashing algorithm should be utilized to make it as difficult as possible for hackers to crack the algorithm in case there is a breach.” Biometric data should have even more stringent storage security protocols in place.
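The credential screening and secure storage points above, as an added example that is not Enzoic's code: a fallback-password enrollment path that first screens the candidate against a breach corpus using a k-anonymity style prefix lookup (so the full hash never leaves the client), then stores only a salted scrypt hash. The three breached passwords and the local `range_lookup` stand-in for a live screening service are constructed for the demo; the scrypt parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample breach corpus: SHA-1 digests of passwords known to be
# exposed. A real deployment queries a live, continuously updated source.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password1", "Summer2019!", "letmein")
}

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # assumed work factors


def range_lookup(prefix: str) -> set:
    """Stand-in for a k-anonymity range query: return the digest suffixes of
    every breached entry sharing the 5-hex-char prefix. Only the prefix is
    sent, so the service never learns the candidate password's full hash."""
    return {d[5:] for d in BREACHED_SHA1 if d.startswith(prefix)}


def is_compromised(password: str) -> bool:
    """Screen a candidate password against the breach corpus by prefix."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Store salt + scrypt(password). scrypt is memory-hard, which slows
    offline cracking if the hash table ever leaks; never store plaintext."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt + key


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, key = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, key)


def enroll_fallback_password(password: str) -> bytes:
    """Accept a password for the fallback factor only if screening passes."""
    if is_compromised(password):
        raise ValueError("password appears in breach data; choose another")
    return hash_password(password)
```

Re-running `is_compromised` against stored accounts on a schedule is what catches the "became compromised within one month" case the post describes.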
There’s no arguing that the low-friction nature of biometrics is appealing to users, and to the companies that want to make their user experience as seamless as possible. However, viewing biometric authentication as a bulletproof security strategy is a mistake. Organizations need to be aware of biometrics’ limitations and take steps to secure both this information and their users’ accounts.