Over the past decade, technology giants like Microsoft, Google and Apple have been waging an all-out war against the use of passwords with new applications for biometrics. First came the emergence of fingerprint readers on smartphones, designed to replace PIN codes. Next came Windows Hello, allowing users to log into their computer by simply looking at built-in cameras. Then in 2017, Apple rolled out Face ID, the most sophisticated biometric authentication method for consumer devices to date. All these technologies came to fruition with one goal in mind: killing off our reliance on passwords as a singular method of authentication. While these moves certainly improved usability, we shouldn’t be so quick to assume that a biometric is inherently more secure than a password. That’s why, as a part of WatchGuard’s 2019 Security Predictions, we anticipate that a major attack against biometrics will showcase its weakness as a single authentication factor.

The push towards biometrics as a replacement for passwords is at least grounded in logic. According to Verizon’s 2017 Data Breach Investigations Report, 81 percent of breaches leveraged either stolen or weak passwords. Password re-use still runs rampant, and users are often conditioned to meet the bare minimum requirements of corporate password policies. The National Institute of Standards and Technology (NIST) even tried shaking up its password guidelines recently, removing length and complexity requirements in favor of passwords that are easy to remember but hard to guess, in an attempt to combat account takeover attacks. These changes aren’t enough to save password authentication though, thanks to ever-increasing phishing attacks and credential database breaches.
With password security at an all-time low, you might agree that the best move would be to do away with passwords entirely and use a biometric alone for authentication instead. Microsoft appears to be moving that way, announcing “the end of the password era” at its annual Ignite Conference in 2019, where it released password-less authentication to many of its cloud services. Instead of typing in a password to log in, users simply use their fingerprint and the Microsoft Authenticator app to access supported apps. While it’s true that you can’t choose a bad password if you don’t have to choose a password at all, biometric authentication isn’t perfect, which means there’s usually a password saved somewhere to act as a backup. If an attacker compromises that password, they can simply bypass the biometric.

Biometrics aren’t immune to attack either. Back in 2002, a
Japanese security researcher was able to achieve 80 percent success fooling biometric authentication using melted gummy candies to replicate lifted fingerprints. While fingerprint reader technology has improved over the last 15 years, it isn’t without fault. Just last year, researchers from New York University and Michigan State University used machine learning to create a fingerprint “master key” with reasonable success in a simulated environment.

Attackers might not even need to use AI to generate valid fingerprints. In 2015, foreign hackers breached the United States Office of Personnel Management (OPM) and made off with troves of data, including 5.6 million sets of fingerprints from US intelligence agents and other government employees. These same hackers likely have access to biometric-spoofing technology more sophisticated than gummy bears as well. Worse yet, consider the fact that you can always change your password after a breach. But how easy is it for you to change your fingerprints?

Apple’s Face ID is a good example of strong biometric-based
authentication for consumer devices. While a Dutch non-profit was able to unlock 38 percent of Android devices using just a portrait photo of the owner, Face ID uses thousands of infrared dots paired with an infrared camera to build a 3D map of the user’s face, thus increasing its efficacy. That said, even Face ID isn’t perfect. It only took a group of Vietnamese hackers a few weeks, a 3D printer, and a few other inexpensive tools to create a mask that fools Face ID.

As you can see, biometrics alone aren’t enough. Just like the passwords they replace, biometrics have their weaknesses. That isn’t to say biometrics are useless, just that they suffer from the same flaws as password-based single-factor authentication. Whether by using a 3D-printed face, creating a set of fake fingerprints, or simply cracking a weak backup password, it’s much easier for an attacker to breach an account that isn’t protected by at least two authentication factors.

Multi-factor authentication (MFA) increases security by
pairing two or more different types of factors so that attackers can’t easily breach an account if one factor is stolen. The different factors should include something you are (a biometric), something you know (a password), and/or something you have (your mobile phone, a digital certificate, or a hardware token). MFA used to be out of reach for smaller, less sophisticated organizations because it usually relied on hardware tokens that were expensive and difficult to deploy and manage. But these days, almost everyone carries a smartphone, meaning cloud-based multi-factor authentication using mobile apps is within reach for any company.

Unfortunately, a preference for convenience and familiarity often outweighs security best practices. As such, we believe that users will continue to rely on biometrics as a single form of authentication, which will result in a major breach leveraging hacked facial recognition or fingerprint scanner technology in 2019. This major biometric hack will illustrate the weakness of single-factor authentication in any form, and hopefully usher in a safer, more secure era of widespread MFA use.

When paired with another factor, like a strong password, biometrics can drastically improve security. That said, one of the most important aspects of information security to remember in 2019 is that biometrics are anything but bulletproof, making them potentially just as risky as passwords when used on their own.

Corey Nachreiner, Chief Technology Officer at WatchGuard Technologies