itb-au logo
Story image

Making biometric technology more secure – One Identity

03 Oct 2018

By One Identity APJ technology and strategy regional manager Serkan Cetin

Signing into mobile phones and laptops with a pin or password is quickly becoming a thing of the past.

Now, physiological biometric technology such as fingerprint scanners and facial recognition are commonplace.

There are some obvious benefits to using physiological biometrics over passwords: convenience and security.

Passwords can be difficult to remember, especially when a user must maintain multiple passwords for a growing number of digital accounts.

It’s hard for users to forget their fingerprints or face.

There are distinct security advantages to using something that’s a unique part of the user, rather than something they must recall from memory.

However, many physiological biometric technologies such as fingerprint recognition and iris scanning are easier to hack than many people may think.

While irises, fingerprints and other human subtleties may be unique, they are not incorruptible.

Hackers have used many different techniques to fool scanners, many related to replicating biometrics.

Tsutomu Matsumoto, a researcher from Yokohama National University, managed to create a graphite mould from a picture of a latent fingerprint on a wine glass.

It fooled scanners 80% of the time.

The Chaos Computer Club, a hacking collective based in Berlin, managed to deceive iris-scanning technology using a dummy eye created from a photo print.

Researchers from the University of North Carolina created a system that builds digital models of people’s faces based on photos from Facebook.

The animation was convincing enough to bypass four out of the five systems tested.

The fact that many of these biometrics technologies can be hacked so easily is troubling but expected.

Biometrics measures similarity, not identity, so a biometric match represents a probability of correct recognition.

Once biometric data is in the possession of hackers, there is always a risk it could be used to compromise personal or professional accounts.

While individuals can create new passwords for their accounts, humans cannot change their retinae or fingerprints.

Solution: Build a security ecosystem with behavioural biometrics in mind

A stronger way to prevent such attacks is to move towards using behavioural biometrics, such as keystroke dynamics or mouse movement analysis.

Each user has an idiosyncratic pattern of behaviour, even when performing identical actions, such as typing or moving a mouse.

As a result, behavioural biometrics are much harder to steal or imitate than physiological biometrics.

Algorithms powered by Artificial Intelligence can learn and analyse these behavioural characteristics to identify inconsistent tendencies quickly and autonomously.

It’s obvious that a hacker looking for sensitive data will behave differently in an IT system than the targeted individual.

Behavioural biometrics can track several tendencies or habits, including a user’s typing speed, whether they use the left or right shift key, how often they use backspace compared to delete, or whether they use shift or Caps Lock to change letter case.

It’s likely the hacker has a different typing speed, moves the mouse differently and executes unusual commands than the targeted user usually does.

When enough anomalies exist, the security system raises an instant alert for the security team and helps them investigate the incident.

While the physiological biometrics in mobile phones and laptops are user-friendly and safe, they are not truly safe.

Fingerprint recognition on phones typically takes multiple images of a finger so it can find a match quickly.

A truly safe physiological biometric authentication takes longer, more like 10 seconds.

Behavioural biometrics is the ultimate customer experience security measure.

Keystroke dynamics and mouse movement analysis help identify breaches and serve as a continuous, biometric authentication.

These behaviours can be continuously monitored and verified without interrupting the user experience, unlike physiological biometrics technology, which requires intrusive one-off authentication.

Building biometrics into the security ecosystem helps in reducing the number of stolen user credentials.

As biometrics can detect inconsistencies accurately and in real-time, they can catch criminals before they spend days, weeks or months sitting in IT systems.

Behavioural biometrics are difficult to duplicate 

While it may be possible to fool physiological biometrics and look like someone, behavioural biometrics makes it much harder to behave like them.

While behavioural biometrics such as keystroke dynamics or mouse movement analysis are ideal additional layers of defence, it is crucial that it forms a part of a bigger security environment that includes multi-factor authentication solutions, consistently updating and patching systems, and educating staff.

IT teams must remember, as with other systems of security, there are no silver bullets in the world of cybersecurity and identity and access management.

Utilising more verification measures in unison gives the largest possible chance to avoid hackers gaining access to sensitive information.

Link image
Network on TAP: Visibility made easy
Test Access Points (TAPS) connect to cabling infrastructure to conduct packet monitoring – and they’re the most effective way to copy traffic across a system. Put this tried-and-true visibility device to work for you today.More
Story image
Australian supercomputer Gadi ranks 25 in Global 500
“Gadi represents a milestone for Australian research. We are pleased to continue our long-standing relationship with Fujitsu and its network to offer Australian researchers world-class computing resources to take us into the next decade.”More
Story image
The need for speed: What if tech could work as fast as your imagination?
Einstein famously said, ‘Imagination is more important than knowledge’. And businesses sure must be imaginative right now, which leads to the question: what if technology could work as fast as the imagination?More
Story image
Former Salesforce, Microsoft security exec to lead Zoom security team
Zoom has announced the appointment of former Microsoft and Salesforce executive Jason Lee as its new chief information security officer. More
Story image
Empired signs partnership with Pro AV Solutions for streamlined collaboration offering
“Empired chose to partner with Pro AV Solutions because of its strong reputation in the market and national presence. More
Story image
Network transformation and remote enablement in times of global change
Remote workforces need to access corporate networks from their homes, which means those networks need to be more flexible and scalable than ever before. More