Biometrics – 10 strikes & you're out!

Posted on September 12, 2013


Much hype is being touted about Apple's new iPhone 5S and its biometric fingerprint capability, which is being heralded as a new wave of security for consumers and as an answer to the growing challenges of BYOD (Bring Your Own Device) for businesses. Whilst the convenience of biometrics in these form factors may encourage users too idle to use any security on their smartphones to at last adopt the semblance of security protection for their smartphones/tablets/notebooks, it is not improving security over the conventional password and, more worryingly, it broadens the compromise surface area of an individual's biometric information.

Firstly, Apple's biometric innovation is not new in portable devices. In fact Windows Mobile had this built into the Compaq iPAQ over 6 years ago! It did not work consistently, and whilst Microsoft's new biometric stack built into Windows 8 is at least showing how it can be done credibly, the jury is out on Apple's implementation. I remain sceptical but hope to be proven wrong for the users' sake.

The main point of this blog is to rip down the curtain of falsehood that shrouds the security benefits of biometrics. Biometrics on their own as a 'security' measure are severely limited. As a security token, even when correctly implemented, they convey the dangerous aura of being a security authentication and validation panacea, one of convenience and uniqueness. In today's world users are the weakest link in any computing/information environment or communications channel, because they are inherently lazy and, despite the rigours of the most diligent IT department, will find ever more creative ways to weaken security for their own convenience. This is not always done intentionally; nevertheless it is endemic and a reliable weakness that hackers of all classes rely on and take advantage of. This is not the fault of the IT department: they have to walk a tortuous line as they weigh the productivity and usability of IT systems against the landscape of Advanced Persistent Threats that exists today, whatever your computing environment, be it consumer or business. I address the subject of Advanced Persistent Threats in the context of cloud computing in my earlier blog 'Security 365 – Toilet Paper & Tea bags'.

Back on point: the problem with biometrics is that they lack the flexibility of a password or other token, because biometrics are fixed. If a password is compromised you can change it; individuals do not enjoy that luxury with their biometric information, be that fingerprint, retina, DNA, facial, thermal profile or other, until such advanced cosmetic procedures become the norm! This means IF, or should I say WHEN, your biometrics are compromised they then become useless. Not completely useless, but as a single token of authentication and validation they are redundant, so ten fingers and that's your lot for biometric fingerprint security, or will it be off with the socks!

What biometrics have in bucket loads is convenience (OK, not if you have to take your shoes and socks off). You don't leave home without them and they are always conveniently to hand, or a blink of an eye away.... OK, enough of the puns! They also are uniquely YOU. So biometrics, even a compromised biometric, represent a good validation of your identity, BUT a poor authenticator. To gain access to computing systems, or anything for that matter, two criteria should be met:

  1. Identity validation – something you are is ideal, something that is very hard to forge, i.e. biometrics.
  2. Identity authentication – something you know, which can be changed regularly to increase security, i.e. a password or random number generator.

This is the direction most systems are moving in, but whilst it enhances the security around information and systems accessibility it still fails to address the core problem, and that is data security itself. Despite the increased protection of access that a 2-factor authentication process introduces, once that system is accessed the content is as vulnerable as if there were no security. The issue here is that many portable devices can have their 'front-door' security compromised by alternative 'side channel' attacks that in effect break in via a back door or, to extend the metaphor, even remove slates from the roof and come in through the attic.

Apple's iPhone implementation of biometrics has some worrying aspects to it that put user biometric data at risk: from their hardware implementation, which is a technology fusion that risks compromise where the technologies are stitched together, to their implementation across devices, which ensures the multiplication of user biometrics across every one of their biometrically enabled iDevices. Apple is gambling that their implementation allows them to tap the convenience factor of biometrics without risking user data, biometric data which once compromised can never be changed, not to mention undermining confidence in the role biometrics can offer as a factor in the security validation and authentication landscape.

Security is a moving landscape, and with the increased consumerisation of IT driving wedges into businesses the risks are getting higher and the potential fallout more costly to valuable corporate brands. A smartphone or other portable device represents a huge risk surface that businesses are struggling to come to terms with, but the demands of users seem to be drowning out common sense as IT departments break policy to attach a CEO's iPad or other personal device of preference. This latter point is exacerbated by a bigger challenge, one that the traditional organisational speed of change hits daily: that of delivering a compelling end-user experience now that users are better exposed to and conversant with technology, and with what they can expect from their own consumer experiences. A subject for another day.

For now the first and most productive step an organisation can take, whether their IT is up to scratch or in need of remediation, is EDUCATION. Dealing with the user threat and the weak security of information systems can be massively supported by a diligent and security-savvy workforce. This is the air cover under which any IT security remediation can take place, be that the introduction of new policy, processes and controls or more fundamental systems upgrades. An educated workforce is better adapted to accept such changes and will be more engaged and supportive during the challenges of systems upgrades.

Lesson 1. – Can you answer YES to this question: are you running current, in-support vendor software across all systems and platforms that process or hold customer data or data that could be classified as personally identifiable information (PII)? If you have bespoke custom-written software, then does that software adhere to, and is it maintained to, the current guidance from OWASP (Open Web Application Security Project)? If the answer is no then your attempts at user authentication and validation mechanisms are largely a fig leaf; out-of-date software will always have security holes.

Lesson 2 +
Give me a call 😉