Reliance on biometrics security controls may be the new hot thing — especially for the way a thumbprint or glance can eliminate the friction of consumer transactions. But relying on them without understanding how they work is a misguided strategy, according to Adam Englander.
Englander, chief architect for multifactor authentication products at Iovation Inc., a fraud prevention and authentication company based in Portland, Ore., put it more bluntly in his session at RSA Conference 2018, titled “Biometrics: Sexy, Secure and … Stupid.” In the course of explaining why biometrics are suddenly so popular, he also offered a counterpoint to some of the enthusiasm generated by the mainstreaming of biometric authentication by the likes of Apple, Microsoft and Samsung.
“Most people are probably here because biometrics are sexy. It’s the hot new thing,” Englander said. Biometrics are “sexy like a Tesla,” because “electric cars have been around for over 100 years, but nobody wanted them until the Tesla came out,” he added. While previous electric cars worked, they didn’t work that well for most users. So, it wasn’t until Tesla came out with a car that was effective and attractive that the market for electric cars took off.
Unlike electric cars, biometrics are nothing new: Englander noted that archeological finds of clay tablets bearing thumbprints show that biometrics have been in use for about 4,000 years, since ancient accountants pressed their thumbs into the tablets to indicate they were the ones who had done the work.
What’s made the difference for biometrics? Englander argued it is their recently discovered utility for enabling payments through mobile devices that has made biometrics “really sexy.”
If a transaction requires entering a password, which on a phone can be time-consuming and requires concentration to get right, the transaction gets slowed down to the point that the person doing it might think twice about completing it. “On an impulse buy, I had that extra two or three seconds to think, which is not what retailers want,” Englander said. Retailers want you to just make the purchase, and if you can do it just by looking at a phone or pressing a thumb, that’s “really awesome.”
“Another nice thing about biometrics is that they can’t be unknowingly stolen,” Englander said. “They can be copied, just like many other things, but they can’t be stolen. I would probably notice if my thumb was missing; I would probably notice if my iris was missing.”
Security tokens or passwords that have been written down can be stolen without the owner noticing. Just as they can’t be unknowingly taken, biometrics can’t be transferred: A user can’t share her thumbprint or face with other users.
Biometrics security: Inherently stupid
Englander said biometric factors are “inherently stupid” for a number of reasons, starting with the fact that the “biometrics don’t evolve.” While one of the strengths of biometrics is they provide enough complexity to be useful for authentication, there is no way to increase the complexity of a biometric factor like a fingerprint. “There’s no way to get more swirls on your thumb,” Englander pointed out. Furthermore, biometrics can’t be changed short of a “catastrophic event,” like the loss of a finger or hand, or facial disfigurement from some injury.
What it means, Englander said, is “the net value of biometrics increases over time.”
Unlike passwords, which system administrators can reset after a breach, biometric data can never be changed; a stolen copy therefore only grows in value over time, even if it was encrypted.
“Biometrics has a significant flaw: There’s this thing called Moore’s Law that says that computing power is going to increase by a percentage every year, but your biometric does not,” Englander said. And the people whose fingerprints were compromised in the 2015 breach of the U.S. Office of Personnel Management can never depend on their fingerprints to be a secure method of authentication. “Until you die, the credentials are now compromised.”
How to do biometrics the smart way
Given the static nature of biometric factors, it may be foolhardy to depend entirely on them for authentication. But doing biometrics “the smart way” by understanding their strengths and weaknesses can pave the way for more secure authentication.
First, Englander recommended true multifactor authentication (MFA), with biometrics as only one of the factors. True MFA, he warned, requires at least three factors:
- Inherence. “What you are,” or a biometric factor;
- Knowledge. “What you know,” usually a password; and
- Possession. “What you have,” usually a token of some sort.
“Without all three, it’s not true MFA.”
“Three is better than one,” Englander said: with three factors, the other two can still be changed even if the biometric has been compromised. A biometric on its own is not safe, but a compromised biometric combined with two other factors can still produce a strongly authenticated result, even though none of the individual factors can be fully trusted by itself.
“All these things together by themselves aren’t super secure. But if you put them together, they’re fantastically secure,” he said.
Another way to do biometrics security the smart way is to decentralize storage. If you don’t, Englander said, “you’re putting your users at risk,” because attackers would rather breach a centralized store of biometrics than try targeting individuals one at a time.
Decentralizing means “spreading out the risk” so that a single breach cannot steal a million identities at once. If an organization still stores credentials centrally, Englander said, “I as a consumer must trust that you are storing them well.” One way to decentralize biometrics is to use the FIDO Alliance’s new WebAuthn API for web authentication, which browsers already support to provide secure MFA.
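The decentralized model the talk points to, as an added example (not Englander’s, Iovation’s or the FIDO Alliance’s code): the biometric is matched on the device, a match only unlocks a private key, and the server keeps nothing but a public key and a fresh challenge, so a breach of the server yields neither a biometric nor anything that can sign. Ed25519 stands in for the authenticator’s signature scheme, an exact hash compare stands in for a sensor’s fuzzy matching, and the user name and samples are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)
// Authenticator models the user's device (constructed for this example): the
// enrolled biometric and the private key never leave it.
type Authenticator struct {
	templateHash [32]byte           // local reference to the enrolled biometric
	priv         ed25519.PrivateKey // used only after a local biometric match
	pub          ed25519.PublicKey
}
// RelyingParty models the server. It holds public keys only, so a breach of its
// database exposes nothing that can sign a challenge or stand in for a biometric.
type RelyingParty struct{ pubKeys map[string]ed25519.PublicKey }
func NewRelyingParty() *RelyingParty { return &RelyingParty{pubKeys: map[string]ed25519.PublicKey{}} }

func NewAuthenticator(enrolledSample []byte) *Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{templateHash: sha256.Sum256(enrolledSample), priv: priv, pub: pub}
}
// Register stores the device's public key; no biometric data is transmitted.
func (rp *RelyingParty) Register(user string, a *Authenticator) { rp.pubKeys[user] = a.pub }
// NewChallenge issues a fresh nonce so a captured response cannot be replayed.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}
// Sign compares the presented sample with the local template (a real sensor does
// fuzzy matching; an exact hash compare stands in for it) and signs only on a match.
func (a *Authenticator) Sign(sample, challenge []byte) ([]byte, bool) {
	if sha256.Sum256(sample) != a.templateHash {
		return nil, false
	}
	return ed25519.Sign(a.priv, challenge), true
}

// Verify checks the response against the key stored at registration.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

A copied biometric presented on a different device fails, because that device's key was never registered; this is the "copied but not stolen" property in practice.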
Finally, Englander recommended using machine learning to assess the risk of each authentication attempt and decide what level of authentication it needs. For example, a user attempting a financial transfer should have to meet a much higher bar, with all three factors, while granting access to a piece of paid content to a user who authenticated five minutes earlier from the same device might not call for any further authentication.
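How such a risk-based step-up policy ties the three factor categories from the previous section to the two cases in this paragraph, as an added example rather than anything from the talk or Iovation’s products; the action names, the two-factor default and the rule for a biometric known to be breached are assumptions made here.

```go
package main

import "time"

// Factor is one of the three categories from the talk.
type Factor string

const (
	Inherence  Factor = "inherence"  // what you are: a biometric
	Knowledge  Factor = "knowledge"  // what you know: a password
	Possession Factor = "possession" // what you have: a token or registered device
)

var allFactors = []Factor{Inherence, Knowledge, Possession}

// Request is one authentication attempt; the fields are constructed for this example.
type Request struct {
	Action            string        // e.g. "read_paid_content", "transfer_funds"
	SameDevice        bool          // same device as the last authenticated session
	SinceLastAuth     time.Duration // time since that session authenticated
	Presented         []Factor      // factor categories supplied with this attempt
	BiometricBreached bool          // the user's biometric is in a known breach corpus
}
// RequiredFactors applies the talk's guidance: a financial transfer needs all three
// factors and a request within five minutes from the same device needs none. The rest
// is an assumption: two factors by default, three when the biometric is known to be
// breached, since a breached biometric proves little on its own.
func RequiredFactors(r Request) int {
	switch {
	case r.Action == "transfer_funds":
		return 3
	case r.SameDevice && r.SinceLastAuth <= 5*time.Minute:
		return 0
	case r.BiometricBreached:
		return 3
	default:
		return 2
	}
}
// Decide reports whether the presented factors meet the requirement and, if not, which
// categories to prompt for. Repeats within one category count once: the strength comes
// from combining different kinds of factor, not from more of the same kind.
func Decide(r Request) (allowed bool, stepUp []Factor) {
	have := map[Factor]bool{}
	for _, f := range r.Presented {
		have[f] = true
	}
	need := RequiredFactors(r) - len(have)
	for _, f := range allFactors {
		if need > 0 && !have[f] {
			stepUp = append(stepUp, f)
			need--
		}
	}
	return len(stepUp) == 0, stepUp
}
```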