Monday, May 08, 2017
Lost passwords can be changed, but a lost biometric identity?
Everyone hates passwords but uses them out of necessity to protect corporate digital assets, personal information and financial assets. Required password complexity has increased over time, and so has the ability to crack them. The response has been multi-factor authentication in various forms, the most popular being a One Time Password (OTP) delivered to the mobile phone as an SMS. But SMS is an insecure delivery channel, susceptible to Man In The Middle (MITM) interception; the recently exploited SS7 signalling vulnerability showed that an attacker can reroute a subscriber's messages and read the very SMS that carries the OTP.
Appification offers alternatives that claim higher-grade security, for instance generating the OTP inside an app on the device instead of receiving it over SMS; adoption has been slow, though, and efficacy depends on device features and on the consumer actually taking action. The slow pace of change in rising to the security challenge has resulted in multiple breaches and in financial and reputational loss. As a result there is an attempt to raise the bar and deploy biometrics as the final measure of security, on the perception that a biometric is difficult to replicate.
In the early days of science fiction and the world of espionage the highest level of security depicted was biometric control: fingerprints first, then hand scans, facial patterns, voice recognition and finally iris scans. These were shown as immutable and secure, saving the protagonist or defeating the antagonist. Imagination soon overtook that reality, and on screen they were compromised with a recorded voice, a lifted fingerprint or a face mask. The real world mimics fiction in many ways: the same replay and presentation attacks overcome the security barrier in practice, because a sensor checks only whether the presented pattern matches, not whether a live person presented it.
Everything from ingenuity to stupidity has played a role in building the fragile walls around the physical and digital assets that need protection. Governments are capturing biometric data for basic identity creation and for the management of citizen services; enterprises capture fingerprints and more, largely for access to physical premises and attendance recording. Within an enterprise that data is then replicated across servers and locations so that employees and partners get seamless, convenient access everywhere.
Enterprise security has long struggled with data protection and leakage, whether intentional or through error and omission. Widespread use of biometric data raises a new concern for individuals: the enterprise disperses it across multiple access points for authentication, and every copy is one more place it can be compromised. Should that happen, the repercussions for the individual reach far beyond the enterprise. The same data is now used with Government services, so a stolen biometric enables masquerading and false identities there too, which is a seriously scary scenario for individuals and for the services that rely on it.
Fingerprints are the most commonly used biometric, and each of us has just ten of them. They can be altered to some extent by cuts or abrasions, but they cannot be changed or revoked; therein lies the challenge for individuals who are now being asked to provide their bio-identity across the board, with no recourse, to be stored, retrieved and used to verify them. Widespread use poses significant risk, and every channel over which the data propagates, secure or otherwise, increases the attack surface.
What are the alternatives? Do we need additional authentication factors alongside biometric data, so that a stolen template is not sufficient on its own? Do we need federated identities which subsume other forms of identity to create better alternatives? Identity-based cryptography and encryption has been a theoretical solution to the problem, though not much headway has been made in this direction, owing to the underlying complexity and to the sheer number of identities that must be provisioned in a hyper-connected digital world where the need goes beyond human identities.
Use cases explode with IoT and other devices, all of which need unique identifiers and private keys. In identity-based schemes every private key is derived by a central Private Key Generator, so the whole system fails if the PKG is compromised, and the pairing-based constructions behind most such schemes are also subject to quantum computer attacks. M2M communication is on an exponential growth path and requires a different level of thinking to solve the problem. The limitations of current PKI (Public Key Infrastructure) are well known and need to be addressed for a viable alternative to succeed and overcome the growing problem.
Coming back to biometric authentication and authorization: it is imperative that biometrics be used in an encapsulated form, matched on the device that captured them, with neither the raw sample nor the template transmitted or stored centrally; what the relying party receives should be proof that a local match occurred, not the biometric itself. Individual consumers need to be educated and made aware of the fallacies of the current structure, and enterprises should review how biometrics are captured and used across the organization to safeguard the interests of their employees. After all, once the data is compromised there is little a person can do about his fingerprint identity, and that is a scary place to be.
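The following is an added example, not code from the original post or from any product it mentions, of what "encapsulated" use looks like in practice: the template and the private key live only in the authenticator object, a live sample is matched there, and on a match the device signs a server-issued nonce. The server enrols a public key only, consumes each nonce once so a captured response cannot be replayed, and a dump of its store contains no biometric data. Lamport one-time signatures are used solely because they need nothing beyond `hashlib`; a real deployment would use FIDO2/WebAuthn with ECDSA or Ed25519 keys, which are not one-time. The 64-bit templates, the 1-bit sensor noise and the `MATCH_THRESHOLD` are constructed assumptions; real iris or finger codes are thousands of bits and use a threshold tuned to the sensor.

```python
# Added example (not from the original post): device-side biometric matching
# that releases a signature; the server stores public keys only.
import hashlib
import hmac
import secrets

MATCH_THRESHOLD = 8  # assumed: max Hamming distance accepted for a 64-bit toy template


def hamming(a: bytes, b: bytes) -> int:
    """Bit distance between two equal-length binary templates (iris-code style)."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def lamport_keygen():
    """Private key: 256 pairs of random preimages; public key: their SHA-256 hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(x).digest(), hashlib.sha256(y).digest()) for x, y in sk]
    return sk, pk


def _bits(msg: bytes):
    h = hashlib.sha256(msg).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    """For each bit of SHA-256(msg), reveal the preimage selected by that bit."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(hashlib.sha256(s).digest(), pk[i][b])
               for i, (s, b) in enumerate(zip(sig, _bits(msg))))


class Authenticator:
    """Device side: the template and the private key never leave this object."""

    def __init__(self, template: bytes):
        self._template = template
        self._sk, self.public_key = lamport_keygen()
        self._spent = False  # Lamport keys are one-time; production keys are not

    def authenticate(self, sample: bytes, challenge: bytes):
        """Sign the challenge only if the live sample matches the enrolled template."""
        if hamming(sample, self._template) > MATCH_THRESHOLD:
            return None  # no match: the key is not released, nothing leaves the device
        if self._spent:
            raise RuntimeError("one-time key already used; re-enrol with a fresh key")
        self._spent = True
        return lamport_sign(self._sk, challenge)


class Server:
    """Relying party: holds public keys and outstanding nonces, never a sample or template."""

    def __init__(self):
        self.store = {}     # user -> public key
        self._pending = {}  # user -> nonce issued for the current attempt

    def enroll(self, user: str, public_key) -> None:
        self.store[user] = public_key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, sig) -> bool:
        nonce = self._pending.pop(user, None)  # single use: a replayed response finds no nonce
        if nonce is None or sig is None or user not in self.store:
            return False
        return lamport_verify(self.store[user], nonce, sig)

    def holds(self, secret: bytes) -> bool:
        """What an attacker with a full dump of the server store could find."""
        blob = b"".join(h for pk in self.store.values() for pair in pk for h in pair)
        return secret in blob


def run_demo() -> dict:
    # Constructed 64-bit templates: the genuine re-capture differs from the enrolled
    # template by 1 bit (sensor noise); the impostor sample is the bitwise complement.
    template = bytes.fromhex("a5c3f01e77b2d904")
    genuine = bytes.fromhex("a5c3f01e77b2d905")
    impostor = bytes.fromhex("5a3c0fe1884d26fb")

    device = Authenticator(template)
    server = Server()
    server.enroll("alice", device.public_key)

    results = {}
    results["impostor"] = server.verify("alice", device.authenticate(impostor, server.challenge("alice")))
    good_sig = device.authenticate(genuine, server.challenge("alice"))
    results["genuine"] = server.verify("alice", good_sig)
    results["replay"] = server.verify("alice", good_sig)  # same response presented again
    results["server_holds_template"] = server.holds(template)
    return results


if __name__ == "__main__":
    print(run_demo())  # {'impostor': False, 'genuine': True, 'replay': False, 'server_holds_template': False}
```

The design point is the data flow, not the signature scheme: the only thing that crosses the network is a nonce going out and a signature coming back, so neither an interception of that exchange nor a dump of the server's store yields anything that could be replayed against another service or used to impersonate the person elsewhere. Contrast this with the replicated-template deployment described above, where every copy of the store is a copy of the fingerprint.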
PS: Happened to meet with a startup which claims to have solved the problem; more as I get to the bottom of this!