Biometrics, once considered a cutting-edge security measure, have become a widely adopted form of authentication, thanks to their integration into smartphones and the ease of use they provide. However, not all biometrics are created equal in terms of accuracy and convenience, and different configuration options can have a significant impact on their effectiveness.
While many of the risks associated with biometrics, such as data breaches, are not a direct concern for enterprises that rely on third-party vendors to handle and store the data, a level of responsibility still falls on the Chief Information Security Officer (CISO) if a breach occurs. If the biometric data gathered by the vendor is stolen and makes its way to the Dark Web, the CISO may be blamed for the insecurity of the authentication system.
The consequences of biometric data theft are also significant. Unlike a stolen password, which can be changed and replaced, stolen biometric information cannot be easily refreshed. Once a person’s biometrics, such as fingerprints or retinal scans, are compromised, any system that relies on those biometrics for authentication becomes inherently insecure for the rest of the individual’s life. This raises concerns about the long-term security of biometric-dependent systems and the need for additional measures to protect them.
Some experts in the field of cybersecurity argue that biometrics are not as accurate as they are often claimed to be. Roger Grimes, a defense evangelist at KnowBe4, states that none of the algorithms used for biometrics come close to their advertised accuracy, and false matches are not uncommon. This highlights the importance for CISOs to carefully consider the pros and cons of each biometric method and determine the most effective way to implement them.
One of the main challenges with biometrics is finding the right balance between accuracy and ease of use. The least intrusive biometric techniques tend to be the least accurate. For example, voice authentication, which is popular in the financial sector, has been found to be vulnerable to attacks. Researchers from the University of Waterloo discovered a method of attack that can successfully bypass voice authentication security systems with a 99 percent success rate after only six tries. This raises concerns about the reliability of voice recognition as a secure biometric measure.
By comparison, facial recognition is often preferred over fingerprints because it offers stronger privacy protection and better accessibility. However, facial recognition can introduce friction, requiring multiple attempts before the system recognizes the user’s face. Vein recognition, although more expensive, is considered secure and difficult to fake, making it a preferred choice in the healthcare industry.
The accuracy of biometric methods is a significant factor to consider when implementing a multi-factor authentication (MFA) strategy. While some biometrics, such as voice, are weaker and easier to fake, no authentication method is entirely foolproof. Layering different biometric measures can help close the gaps and enhance security.
It is vital for CISOs to carefully evaluate the accuracy, convenience, and cost of each biometric method before implementing it. Biometrics should not be relied upon as a single authentication factor, and additional security measures should be in place to protect against potential data breaches. By understanding the strengths and weaknesses of the different biometric options, enterprises can build a more robust and secure authentication system.
