Patrick Lambert looks at the current state of biometrics in security systems.
We've talked a lot about passwords and the many ways they can be compromised. Everyone agrees that a better way to authenticate users is needed but there is always the conflict between usability and complexity. So it's no surprise that many companies and security researchers have been looking at various other means, either to replace passwords, or to add something to them. The use of biometrics isn't a new idea, but it has been evolving greatly over time. Just like passwords, the technology has its pros and cons. Let's examine some of the ways biometric authentication is being used for security purposes.
First, it's important to remember that no security system is perfect, even something that requires a part of your own body in order to unlock the device. Biometrics are nothing more than security systems that ask you to identify yourself by using a part of yourself. This is typically done via a fingerprint scanner, a retina scanner, a hand scan, or with voice- and face-recognition software. At first glance, this seems like a very solid security measure, and can be. But it's not without problems. The first major issue is that unlike a password, a security card, or a PIN, you cannot change your eye or your fingerprint. If, at any point, the data corresponding to your physical attributes were to get loose, that means you would never be able to use that type of biometric ever again. The second issue is that while it's hard to reproduce your fingerprint or your iris, it's not impossible. Many researchers over the years have shown various ways to bypass some of the biometrics used in security systems, whether it's by creating fake hands using a mold, or tricking iris scans.
Of course, that doesn't mean research in this area stopped. Biometrics have come a long way, and companies are constantly making new products that can provide better security, while hopefully being more convenient for the user. One example is with mobile payment systems. Paying with a credit card has always been somewhat of a fertile playground for thieves. Stealing credit card numbers isn't hard, and when the only type of security includes your signature, visible for all to see, it's no wonder that companies have had to adopt a policy to take care of any bogus charges, because otherwise, it would be a completely untenable system. So now that many companies are moving to the next-generation payment systems, such as paying with your phone using an NFC chip, they are trying to increase the security at the same time.
Most NFC payments right now rely on a PIN, which is alright but not great in terms of security. So some companies have been working on fingerprint scanners to replace this. Just think if you could go out to the cashier, take your phone out, and then press your finger on the screen, and you would be authenticated right there. One company is even building devices that include pressure sensors so it can know whether you have a living finger or if it's a fake.
So what about biometrics in the enterprise? While you may currently be buying a laptop that includes a fingerprint scanner, and soon your payment systems may also use some type of biometrics, what solutions are there for you to implement in your business? Right now, there's no question that fingerprint scanners are the most popular devices. These have become commonplace and can be added to almost anything. If you have a door that has to be kept secured, such as the one leading to the server room, there's no good reason why it should have only one factor of authentication, such as a keypad or a card scanner. You can add a second one such as a fingerprint scanner at a very low cost. Some devices are so small that they can be bought for $10. The same is true with modern computer systems, which can all be outfitted with a fingerprint scanner. By tying it to disk encryption, you increase security by a lot. BitLocker, for example, can be tied into your computer's fingerprint reader, if it has one, simply by going to the Control Panel and enabling it. You can also do so through Group Policies.
A recent report shows that the market for biometrics will increase by 21% over the next two years. Like any other security measure, nothing is perfect, but in this case, it can actually increase security dramatically over simple passwords, and make it easier for users since they don't have to actually remember their fingerprints! But there are still challenges ahead. Right now, biometrics are used for local systems almost exclusively. That's because even if you transmitted a hash corresponding to your fingerprint over the Internet, it could be intercepted and replicated. Worse, you couldn't change it anymore. Because of these challenges, it's unlikely that biometrics alone will replace passwords or other factors any time soon. Still, there are clever ways to use biometrics to enhance current systems. Think for example, if you could call a company, and on top of identifying yourself through your access code or date of birth, a system was running in the background that would listen to your voice patterns and identify you. This is something Nuance is offering. But again, it can't be a unique solution, because what if the person has a cold? Suddenly, any voice-based identification could be thrown out of the window.
Does your organization use any type of biometric authentication? If you have any experience with any of these systems, share it with us in the Comments.