This post looks at how biometric authentication affects security and discusses the benefits and risks of biometrics in security.
TL;DR:
In security, two questions always remain constant:
These questions, and the search for their answers, go around in an endless loop. Authentication has always been part of that loop. A password as the only authentication mechanism is no longer the baseline. In the search for stronger authentication mechanisms, one of the solutions that came to light was biometric authentication.
Biometrics have been around for a long time, but they were mostly used by governments or in high-security facilities. That is no longer the case: biometrics have recently become common in everyday security systems. So in this article we'll discuss different aspects of biometrics in security. We'll start with what biometrics are and how they affect security, then look at the types of biometric systems, and finally discuss the risks and benefits of biometrics in security.
Firstly, let’s understand what biometrics are and how they’re used in security.
Biometrics are measurable physical or behavioural characteristics that identify an individual, which makes them personally identifiable information (PII). Because they are unique to a person, they are hard for anyone else to mimic. Compare this with password authentication: when you enter your password, the system checks that the password is correct. It does not check that it was you who entered it, so anyone who knows your password can log in as you.
Biometric authentication is different. When you log in with a biometric, you present something that is part of you (something you are) rather than something you know, and another person cannot simply learn or copy it the way they can a password. That is how biometrics make authentication more secure.
Since we’re talking about biometrics in cybersecurity, let’s see how it impacts cybersecurity.
The use of biometric authentication has grown enormously in recent years. It is no longer limited to getting into a highly secure room. From entering a server room or unlocking a safe to everyday uses such as recording attendance and unlocking your phone, biometric authentication has spread across applications.
Depending on the use case and its criticality, some systems offer biometrics as one of several ways to authenticate, while others require it in combination with another factor. Either way, biometrics improve security. Most businesses go with the latter because it combines something you know or have (a password, an authentication device) with something you are (a biometric). That extra factor makes the identification of an individual much stronger and, as a result, reduces unauthorized access. For example, some highly secure server rooms require both facial recognition and a password to enter.
Ease of use and resistance to being broken have made biometrics one of the most significant adaptations in security. One figure cited in support of that statement is that the use of biometrics has grown by 90% in the last five years. So there is little doubt that biometrics have become a standard part of security.
Biometric systems are mainly categorized into two types: physical and behavioural.
Physical biometrics use the physical characteristics of an individual, such as fingerprints. When a user enrols, a sensor captures the characteristic, the system extracts a set of features from it and converts them into a digital template, and the template is stored in a database. The next time the individual tries to authenticate, the system captures a fresh reading and compares it with the stored template. Because two readings of the same trait are never identical, the comparison produces a similarity score, and the user is accepted only if the score exceeds a threshold.
Behavioural biometrics, on the other hand, use patterns in a person's activity for authentication. Examples include voice, typing speed, cursor movement, finger pressure and gait. The process is similar to that of physical biometrics, but behavioural input is harder to convert into a stable digital template because the underlying pattern varies more from one session to the next.
Having distinguished the two main types, here are some of the most common biometric authentication methods: fingerprint scanning, facial recognition, voice recognition, and behavioural methods such as typing rhythm, cursor movement and gait analysis.
Now that we've gone through what biometric authentication is and how it's used, let's look at the pros and cons of biometric authentication in the form of the risks and benefits of biometrics in security.
Biometric authentication is faster for the user than traditional authentication. It also removes the hassle of remembering different passwords for different systems (which is still the right practice wherever passwords remain) and of carrying access cards. Where behavioural biometrics such as gait are used, you don't even have to do anything to authenticate: as you walk towards a secured room, the system verifies your identity and opens the door automatically. So biometrics improve user experience.
A real-world example of biometrics improving user experience is American Airlines' use of facial recognition at Dallas/Fort Worth International Airport, where the system verifies a traveller's identity so they don't need to show a boarding pass to board the plane. This makes boarding quicker.
Biometrics are non-transferable: you cannot hand your fingerprint to a colleague the way you can share a password or lend an access card. This reduces proxy authentication (one person authenticating on behalf of another) and unauthorized access.
You've probably seen in movies how a person's fingerprints, voice or face are replicated. It isn't only a movie thing: presentation attacks using a lifted fingerprint, a photograph or a recording do happen in the real world. But they take considerable skill and access to the target's biometric, and modern sensors add liveness checks to reject copies, so spoofing a biometric is far harder than guessing or phishing a password.
No doubt biometric authentication increases security, but biometric data is not immune to breaches. If a malicious actor gets access to the database of stored templates, they hold your biometrics. That is a risk to the business you're part of, and to you personally: unlike a password, a fingerprint cannot be changed, so a stolen template can be abused for as long as that trait is used anywhere.
Biometrics are characteristics of an individual, so if an unauthorized person gets access to your biometrics, your privacy is breached. This affects facial biometrics most: anyone who obtains the database knows what you look like, and that can be used to find out who you are.
Most biometric systems do not compare complete biometric data. Even where the raw capture is stored, authentication uses a template of selected features, to keep matching fast and to tolerate the small differences between one reading and the next. Because the comparison is a similarity score against a threshold rather than an exact match, there are always some false rejects (a legitimate user turned away) and false accepts (someone else let in); lowering the threshold reduces the first and raises the second. And if an attacker works out which features the system relies on, they can craft an input that reproduces just those features and get around it.
We don't live in an ideal world, so things go wrong, and with biometric authentication a system failure can cause real inconvenience. It's not a big deal where the biometric is one option among several: if the fingerprint scanner on your phone fails, you can use facial recognition or a passcode instead. The problem comes where the biometric is mandatory. If fingerprint authentication is the only way into a room and the scanner stops working, nobody gets in until the device is fixed or the system is overridden. Any override or fallback path must be secured as carefully as the primary path, because it is the route an attacker will look for.
Centralized databases of biometric templates are attractive targets for malicious actors, and a compromise can affect the people in them for life: unlike passwords, biometrics cannot be reset. Biometric data can also reveal sensitive personal information, such as healthcare visits, religious practice or political affiliation, which raises privacy concerns. Storing and protecting biometric data is harder than storing passwords. Two readings of the same trait are never bit-for-bit identical, so the salted one-way hashing used for passwords cannot be applied; the template has to be kept in a form the matcher can compare against. That means encrypting it at rest, tightly restricting which component may decrypt it, and, where possible, keeping it on the user's own device so that it never reaches a central database at all. Organizations implementing biometric authentication must consider these risks carefully. The potential for bias and discrimination in biometric technologies compounds them.
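The matching process described under physical biometrics, the threshold trade-off between false rejects and false accepts, and the reason password-style hashing does not work for biometric data, brought together in one added example (this is illustration code written for this article, not code from any biometric product). It assumes a template is a short vector of feature values; the eight-feature vectors for the three users, the sensor noise model and the random population used to estimate error rates are all constructed for the example, and the `extract_template`, `verify` and `error_rates` functions are hypothetical stand-ins for what a real feature extractor and matcher do.

```python
import hashlib
import random
from typing import Sequence

# Added illustration, not code from the original post. A "template" here is a short
# vector of feature values standing in for what a real extractor derives from a
# fingerprint or face image (constructed data; real templates hold far more features).
FEATURES = 8

# Constructed "true" feature vectors for three enrolled users.
USERS = {
    "alice": [0.8, -0.3, 0.5, 0.1, -0.7, 0.4, 0.2, -0.6],
    "bob":   [-0.4, 0.6, 0.1, -0.9, 0.3, -0.2, 0.7, 0.5],
    "carol": [0.2, 0.9, -0.5, 0.3, 0.6, -0.8, -0.1, 0.4],
}


def extract_template(reading: Sequence[float]) -> list[float]:
    """Normalise a raw reading to a unit vector; this is the stored template.
    (Assumes a non-zero reading; a real extractor does far more work here.)"""
    norm = sum(x * x for x in reading) ** 0.5
    return [x / norm for x in reading]


def similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """Cosine similarity of two templates: 1.0 identical, around 0 unrelated."""
    return sum(x * y for x, y in zip(a, b))


def verify(enrolled: Sequence[float], reading: Sequence[float], threshold: float) -> bool:
    """Biometric verification is a threshold on a score, never an exact match:
    two readings of the same finger never produce identical data."""
    return similarity(enrolled, extract_template(reading)) >= threshold


def noisy_reading(true_features: Sequence[float], rng: random.Random,
                  noise: float = 0.05) -> list[float]:
    """Simulate a sensor: every presentation of the same trait differs slightly."""
    return [f + rng.gauss(0, noise) for f in true_features]


def reading_hash(reading: Sequence[float]) -> str:
    """Password-style hashing of a reading. Because readings vary, the hash of a
    fresh reading never equals the hash of the enrolment, so hashing cannot be used
    for verification and the template must be stored in matchable form."""
    data = ",".join(f"{x:.4f}" for x in reading).encode()
    return hashlib.sha256(data).hexdigest()


def error_rates(threshold: float, population: int = 25, trials: int = 200,
                seed: int = 1) -> tuple[float, float]:
    """Estimate (false reject rate, false accept rate) for a threshold over a
    constructed population. The seed is fixed, so every threshold is scored on
    exactly the same trials and the trade-off is visible directly."""
    rng = random.Random(seed)
    truths = [[rng.uniform(-1, 1) for _ in range(FEATURES)] for _ in range(population)]
    enrolled = [extract_template(t) for t in truths]
    false_rejects = false_accepts = 0
    for _ in range(trials):
        genuine = rng.randrange(population)
        impostor = (genuine + rng.randrange(1, population)) % population
        reading = noisy_reading(truths[genuine], rng)
        if not verify(enrolled[genuine], reading, threshold):
            false_rejects += 1          # the right person was turned away
        if verify(enrolled[impostor], reading, threshold):
            false_accepts += 1          # someone else's template matched
    return false_rejects / trials, false_accepts / trials


if __name__ == "__main__":
    rng = random.Random(7)
    enrolled = {name: extract_template(f) for name, f in USERS.items()}
    fresh_alice = noisy_reading(USERS["alice"], rng)

    print("alice re-reads as alice:", verify(enrolled["alice"], fresh_alice, 0.9))
    print("alice re-reads as bob:  ", verify(enrolled["bob"], fresh_alice, 0.9))
    print("hash(enrolment) == hash(fresh reading):",
          reading_hash(USERS["alice"]) == reading_hash(fresh_alice))
    # A leaked template is replayable for good: the matcher cannot tell a stored
    # template from a live reading unless something outside it (liveness detection,
    # device-bound matching) prevents the replay, and the trait cannot be rotated.
    print("stolen template replays:", verify(enrolled["alice"], enrolled["alice"], 0.9))
    for t in (0.3, 0.9, 0.9995):
        frr, far = error_rates(t)
        print(f"threshold {t}: FRR={frr:.3f} FAR={far:.3f}")
```

Run it and compare the three thresholds: the loose one lets impostors through, the very strict one turns genuine users away, and the hash comparison fails even for the legitimate user. Lowering the threshold or trimming the template to fewer features is exactly the "partial data" shortcut the risks section warns about.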
Biometric authentication has become a major part of security in this era. It has set a new baseline for security systems, making it more difficult for an attacker to break in. In this article we've discussed what biometrics in security means, how it affects security, the types of biometric systems, and finally the risks and benefits of biometrics in security.
There are pros and cons to biometric authentication. The impact of the cons can be minimized with careful design and implementation, and with that in mind the pros outweigh the cons. The use of biometrics in security is more popular than ever, and it won't be long before most businesses have biometrics-based security systems.