Six Questions to Ask When Implementing Biometrics for Authentication

By: Jeremy Grant

Source: The Cipher Brief

Amidst a rash of data breaches where compromised passwords provided the vector of attack – think Target, Anthem, OPM, or more recently the Democratic National Committee – industry and government are working to bolster their defenses. 

Augmenting – or ideally, replacing – passwords with more secure, multi-factor authentication (MFA) is a critical step in protecting against the most common methods of attack.

A key challenge, however, has been the inadequacy of first-generation digital authentication solutions. For years, the market has produced authentication technologies that offered better security, but often at the expense of user experience. For example, technologies that require users to “break stride” to log in – such as those that not only require a password, but then require a user to find a hardware token, copy a number off of it, and then enter it into an application – have failed to win fans or gain enough adoption to effectively guard against breaches.

To get true uptake in the marketplace, a multi-factor authentication solution has to not only be more secure than passwords; it also must be easier to use. 

Biometrics offer significant promise here: rather than require a user to enter a password or insert a token, biometrics enable a device to simply “recognize” a user.

The emergence of reliable, easy to use, consumer-grade biometric technologies has fueled significant innovation in the security and usability of authentication solutions. Ten years ago, biometrics required expensive, specialized, stand-alone hardware, and its deployment was largely limited to high security facilities. Today, however, most devices ship with cameras and finger sensors that can be used to complement, or in some cases even replace, passwords with fingerprint or face recognition.

When properly implemented, this can lead to authentication experiences that are much easier to use. 

All biometrics are not the same, however.  First, some are more reliable than others.  Within different modalities – face, fingerprint, and iris being the most common – the market is diverse, with some solutions that are highly reliable and others that are volatile.

Second, the various ways in which biometric systems are architected and deployed can have a material impact on whether they enhance security and privacy or detract from it. Beyond security and privacy risks, these issues can create compliance and regulatory challenges.

So: how can one determine if a biometric security offering is going to enhance security and privacy or detract from it?  Six key questions around biometric solution architecture can help to ensure the highest levels of privacy, security and performance.

  1. Where are biometrics stored and matched? Will the system create a central database of biometric information?

Some biometric systems are architected to store and match biometrics locally; others are designed to leverage central databases. There are also hybrid systems, where biometrics may be stored and matched in multiple places.

One challenge with biometrics is that they are not a secret. Unlike passwords or security tokens, once stolen, they can never be revoked or replaced. For this reason, the risks involved with the compromise of a central biometric data store are quite material, and require significant effort to mitigate. The 2015 breach of the U.S. government’s Office of Personnel Management (OPM) is a prime example of the risk created by storing biometrics in a central database; more than 5.6 million people had their fingerprint images stolen.

In contrast, solutions that limit storage of biometrics to the device that they are collected on mitigates the risk of scalable attacks, in that any successful attack generally requires that the attacker gains physical possession of the device, with the threat limited only to biometrics associated with that single device.

  1. Are biometrics the only factor required to get access?

Some biometric solutions offer only single-factor authentication, with the biometric being the only factor needed to access a system.Other deployments use biometric as just one layer of a multi-factor authentication solution. For example, biometric solutions designed around the standards from the FIDO Alliance – a consortium with more than 250 members from industry and government – use biometrics only as an initial factor to then unlock a second factor, in this case a private cryptographic key that is used to authenticate to a system through public key cryptography.

Given that biometrics are not secrets, as well as the risks that an adversary may look to spoof a biometric system, it is best to use biometrics as simply one layer of a multi-factor authentication solution.

  1. When biometrics are captured, does the solution store the raw images or only store templates?

Biometrics are generally stored in one of two formats: either as raw images, much as the U.S. government did in the OPM database that was breached, or as templates that are a mathematical “abstract” of the biometric, but that can be effectively used to match a biometric.

The advantages of template-based systems are that the templates cannot generally be reverse-engineered if compromised, greatly mitigating the risk to the consumer if biometric information is breached.

  1. How is biometric information protected?

Whether stored locally or centrally, biometric information needs to be protected. Any device holding biometric information will be a target for adversaries if there are not layers of protection to prevent an adversary from extracting the biometric data and using it for other purposes.

  1. Can biometrics be used to track people across multiple sites or applications?

A longstanding concern about biometrics is that they could be used to track the movements, activities, or behaviors of individuals across different applications or locations.

While there are no shortage of science fiction films that portray biometrics being used in this fashion, the fact is that biometric systems that track people do so because of a conscious design choice in the architecture of the solution – not because of anything inherent in biometric technology itself. 

Ideally, biometric solutions are architected in a way to ensure that there is no way to link the use of biometrics between services or accounts, precluding tracking. Limiting storage of biometrics to on-device – as is done in the FIDO standards, where biometrics cannot be exported from the device – is one way to mitigate the risk of tracking. 

  1. How easily can an adversary spoof a biometric to access the system?

Even the most secure biometric access system may be a target of attack, with adversaries seeking to exploit any attack vector possible in order to compromise a system. A common attack method involves trying to spoof a person’s body part, with the goal of tricking the system into thinking that a fake is real.

The impact of spoofing attacks can be greatly mitigated by architecting biometric access systems in accordance with the ideas laid out above. Most notably, decisions to only store biometrics locally, and in protected areas of a device, make it impossible for any adversary to launch a scalable attack on a broad biometric system; any spoofing attack would first require that the attacker gains custody of the device.

Beyond these layers of protection, many biometric systems today are building in “liveness detection” to validate that a biometric being presented is in fact real.

No authentication system is 100% hack-proof, but the design choices that are made in architecting biometric systems can greatly mitigate the risk that they are compromised.