THE SECURITY CONCERNS OF BIOMETRICS AUTHENTICATION
“You are your own key” - Javier Galbally
This principle distinguishes biometric authentication from traditional forms of authentication such as PINs and passwords, making it more reliable, convenient (arguably), and secure. Biometrics is the use of unique biological characteristics for identification and authentication, and this idiosyncratic nature is the source of both its strengths and its weaknesses.
Biometrics has made its way into our daily activities, found its place in different sectors, and won our trust and dependence. It has become the security and authentication backbone in border control and immigration, the leading dog in criminal investigation, the innovation trailer in medicine, the mitochondria of AI cells, the sentinels of the financial industry, the government’s apparel, our surest identity, and our dearest companion in wearable devices. The list goes on and on, and the integration gets smoother and smoother.
The praises ascribed to biometrics include its reliability, uniqueness, efficiency, security, precision, integration, convenience, measurability, and much more. But with all these benefits came peculiar challenges too. The towering ones are:
- Irrevocability, i.e., biometrics cannot be revoked or reissued in case of compromise. Simply put, if your password gets compromised, you can change it, but if a biometric feature, say your fingerprints, gets compromised, there is next to nothing that can be done about it, well, unless God issues you another pair of fingerprints. (I’d be really sorry for you.)
- Biometrics are not secret. You leave your fingerprints everywhere you go; for example, your fingerprints are all over the device you are reading this article on. However, there is little cause for alarm: the technology for spoofing biometrics is sophisticated and complex, and the process is so painstaking that, unless you are a high target, an attacker may be unwilling to go through the stress. Still, that doesn’t eliminate the risk.
- Security and accuracy trade-off. Over the years, template data has been encrypted and made so secure that it should be close to impossible to revert the protected template to its original data, even in the case of a breach. But the more stringent the protection, the lower the recognition accuracy, and the higher the accuracy, the more original biometric information can be found in the template data, increasing the likelihood that the original data can be regenerated from these templates. Setting a high threshold to make sure the wrong fingerprints don’t get through could mean locking the right ones out, and a low threshold to make sure the right fingerprints get through easily could mean letting the wrong ones in too. This security-functionality-usability triangle remains a huge concern.
- Spoofing attacks, i.e., situations where an attacker presents a fake biometric feature to carry out an impersonation attack, once plagued biometric systems (and could still do so if proper countermeasures are not in place). But there is a more disturbing one: the side-channel attack. This exploits physical and implementation-specific details to glean information about what a machine is doing. Many biometric operations are data-dependent, and these dependencies can cause observable differences in timing, power consumption, sound, or electromagnetic emission patterns, which can be used to infer the information being processed by the machine. Side-channel attacks are sophisticated and require detailed knowledge of the system’s hardware and software, but they can be incredibly effective at compromising biometric information if not properly defended against.
- If an individual’s biometric trait gets compromised, it becomes a cinch to track this individual across the multiple applications where the same biometric trait was used. Related to this threat is the possibility of privacy degradation by an organization or the government: the possibility that the biometric information will be used beyond its original purpose, for example, for investigation purposes.
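The threshold half of the security and accuracy trade-off listed above can be made concrete with a small worked example. This is an added illustration, not part of the original article: the similarity scores are constructed, and the terms FAR (false acceptance rate, wrong fingerprints let in) and FRR (false rejection rate, right fingerprints locked out) are the standard names for the two errors the article describes.

```python
# Constructed similarity scores in [0, 1]; higher means a closer match.
# GENUINE: the enrolled finger presented again. IMPOSTOR: someone else's finger.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.62, 0.84, 0.73, 0.97, 0.58, 0.86]
IMPOSTOR = [0.12, 0.31, 0.45, 0.22, 0.67, 0.38, 0.09, 0.54, 0.28, 0.71]
THRESHOLDS = [0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) for a matcher that accepts scores >= threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)  # wrong ones let in
    false_rejects = sum(1 for s in genuine if s < threshold)    # right ones locked out
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(thresholds=THRESHOLDS):
    """Tabulate (threshold, FAR, FRR) so the two errors can be compared side by side."""
    return [(t,) + error_rates(t) for t in thresholds]


def lowest_threshold_within_far(max_far, thresholds=THRESHOLDS):
    """Lowest (most convenient) threshold whose FAR stays within max_far.

    Returns (threshold, FAR, FRR), or None if no candidate is strict enough.
    """
    for t in sorted(thresholds):
        far, frr = error_rates(t)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in sweep():
        print(f"{t:9.1f}  {far:.1f}   {frr:.1f}")
    # Demanding zero false accepts on this data costs 40% false rejects.
    print("FAR budget 0.0 ->", lowest_threshold_within_far(0.0))
```

On this constructed data no threshold drives both error rates to zero, which is why a deployment fixes a false-accept budget first and then accepts the false-reject cost that follows from it.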
Notwithstanding the glaring risks of adopting biometrics, it is still within the risk tolerance of many organizations, because recent innovations have made the chances of exploitation slimmer and the likelihood of occurrence lower (given the sophistication of exploitation), and because benefits such as convenience and integration seem to offset the risks.
In conclusion, as with our passwords, we ought to be security-conscious about the use of our biometric features, considering things like the organization’s capability to provide adequate security, its integrity not to share the information without full consent, the assets being protected, and comparable alternatives. This is because a biometric feature once compromised is always compromised.
One more thing: the biometric (fingerprint) template stored locally or otherwise on your phone is fairly well secured by encryption, so there is no cause for alarm. Remember, though: biometric authentication is still one of the best options out there, but that is not enough reason to take your eyes off your virtual safety.
Stay safe.
#facetsofcybersecurity_1
Well said!