The lesson from the latest OPM revelation: Biometric security doesn’t cut it (on its own)

2015-09-24, Washington Post

NEWS

This week, the Office of Personnel Management announced that the scope of their recent data breach was even larger than reported. Originally, OPM had said a mere 1.1 million people had their fingerprint data stolen; but the reported number of victims has now climbed to 5.6 million.

Victims of this kind of theft might wonder if they’re stuck with useless fingerprints, unable to log in to any network, ever. Maybe, but not if administrators take a close look at the value of biometric security measures and heed some critical advice about them.

Are biometrics useful for data security?

The latest OPM news is a reminder that any kind of data can be stolen, even fingerprints. This poses a huge problem for security protocols that use biometrics for authentication. Body parts can’t be changed. Unless you live in a futuristic, Spielbergian-movie world, you can’t swap your eyeballs or your fingertips after thieves steal a usable image of them.

Once criminals have your fingerprints (or a digital representation of them), they can use them to breach any security system where fingerprints are the only authentication required. That could be a problem considering how popular biometrics have become.

But some people see biometrics as the solution to digital security

The benefits of biometrics seem self-evident to most of us. After all, fingerprints and optical scanners don’t suffer from the shortcomings of passwords, which can be forgotten or stolen, or of smart tokens, which can be lost or man-in-the-middled. People don’t need to remember their fingerprints, and barring a bizarre accident, they aren’t going to lose them.

But we’ve known for a while that hackers can bypass biometric security.

Back in 2013, when fingerprint ID was becoming the latest, trendiest way to access mobile devices, hackers openly flaunted the bypasses they’d found. Clearly, biometrics aren’t a panacea for cybertheft.

The weaknesses of biometrics are exacerbated when they are used as the sole login credential for network access. In those cases, one stolen fingerprint opens a breach to the whole data candy store. However, there is a way to take advantage of biometrics’ benefits while avoiding their shortcomings.

The key is multifactor authentication.

Fred Schneider of Cornell has written a handy assessment about the main categories of multifactor authentication. He defines them by the things that a person knows, has, or is.

  • The “knows” category refers to user IDs and passwords -- things that people carry around in their brain briefcases (aka skulls) and reveal when prompted.
  • The “has” category covers material things that people keep externally, like key cards (magnetic stripe, radio frequency, etc.) or digital devices.
  • The “is” category applies to biometrics -- fingerprints, optical scans, etc.

The upshot of Schneider’s article is that multifactor security will be the most effective for the foreseeable future. We agree. Multifactor authentication takes advantage of each of these authentication categories’ benefits and offers robust security.

The next question is: Where do you use multifactor authentication?

While many services, Google among them, are implementing two-factor authentication, it is impractical to expect that all web services will follow. That’s why we think the browser is the logical tool to build a multifactor framework around. If you validate a user and their device through various factors before they can access the browser, and you manage users’ access to websites via an integrated single sign-on capability, you take a huge step toward eliminating the single biggest area of risk in a business.

Since your most vulnerable entry point is your browser, that’s where you should implement multifactor authentication.

Our browser, Silo, can enlist dozens of factors to verify the identity of the user and the validity of the device before they connect to your data. Not every factor needs to be required of every user, but you might want to ratchet up the validation requirements for users accessing sensitive data.

An effective security system will have layers.

Any one authenticating factor on its own, even unique fingerprints, can’t defend against the array of cyber threats to your data. Layering multiple authentication factors lets you make the most of biometrics and any other access credentials you want to use.
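To make the layering concrete, here is an added example that is not part of the original post and is not Silo or any Authentic8 code: a small, hypothetical login check built around Schneider’s three categories. The “knows” factor is a salted PBKDF2 password hash, the “has” factor is an RFC 6238 TOTP code from a device-held secret, and the “is” factor is a toy fingerprint matcher (a stand-in for a real one that scores overlap between minutiae sets). A policy table says how many distinct categories a resource’s sensitivity demands, and every attempt is written to an audit log. The user record, salt, device secret, template and timestamp are all constructed sample values; `Authenticator`, `POLICY` and the helper names are this example’s own.

```python
"""Hypothetical three-category (knows / has / is) login check with an audit log.
Added illustration; not Silo or any product's code.  All data is constructed."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

KNOWS, HAS, IS = "knows", "has", "is"

# --- "knows": password stored as a salted PBKDF2-HMAC-SHA256 hash ----------
def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(record: dict, presented: str) -> bool:
    digest = hash_password(presented, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare

# --- "has": RFC 6238 TOTP code derived from a secret held on the device ----
def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, presented: str, unix_time: int, window: int = 1) -> bool:
    # Accept the current step and +/- `window` steps to tolerate clock drift.
    return any(hmac.compare_digest(totp_code(secret, unix_time + k * 30), presented)
               for k in range(-window, window + 1))

# --- "is": toy fingerprint matcher (stand-in for a real matching engine) ----
def verify_fingerprint(enrolled: Set[tuple], presented: Set[tuple], threshold: float = 0.8) -> bool:
    # Score = Jaccard overlap of (x, y, angle) minutiae points; real matchers are far more involved.
    if not enrolled or not presented:
        return False
    return len(enrolled & presented) / len(enrolled | presented) >= threshold

# Policy: number of distinct categories each sensitivity level demands (constructed).
POLICY = {"standard": 2, "sensitive": 3}

@dataclass
class AuditEvent:
    user: str
    sensitivity: str
    satisfied: List[str]
    granted: bool

@dataclass
class Authenticator:
    users: Dict[str, dict]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def authenticate(self, username: str, presented: dict, sensitivity: str,
                     unix_time: int = None) -> Tuple[bool, List[str]]:
        unix_time = int(time.time()) if unix_time is None else unix_time
        user = self.users.get(username)
        satisfied: List[str] = []
        if user is not None:
            if "password" in presented and verify_password(user["password"], presented["password"]):
                satisfied.append(KNOWS)
            if "totp" in presented and verify_totp(user["totp_secret"], presented["totp"], unix_time):
                satisfied.append(HAS)
            if "fingerprint" in presented and verify_fingerprint(user["fingerprint"], presented["fingerprint"]):
                satisfied.append(IS)
        granted = len(satisfied) >= POLICY[sensitivity]
        self.audit_log.append(AuditEvent(username, sensitivity, satisfied, granted))  # log every attempt
        return granted, satisfied

# Constructed sample user (not real credentials or biometric data).
SALT = b"constructed-salt"
TOTP_SECRET = b"constructed-device-secret"
ENROLLED_PRINT = {(12, 34, 90), (56, 78, 45), (9, 81, 10), (33, 44, 120), (70, 12, 200)}
USERS = {"alice": {
    "password": {"salt": SALT, "iterations": 100_000, "hash": hash_password("correct horse", SALT)},
    "totp_secret": TOTP_SECRET,
    "fingerprint": ENROLLED_PRINT,
}}

def demo() -> dict:
    auth = Authenticator(USERS)
    t = 1_443_052_800  # constructed timestamp: 2015-09-24 00:00 UTC
    code = totp_code(TOTP_SECRET, t)
    # A stolen template matches the "is" factor, yet the policy still denies: one category is not enough.
    stolen_only = auth.authenticate("alice", {"fingerprint": set(ENROLLED_PRINT)}, "standard", t)
    two_std = auth.authenticate("alice", {"password": "correct horse", "totp": code}, "standard", t)
    two_sens = auth.authenticate("alice", {"password": "correct horse", "totp": code}, "sensitive", t)
    three_sens = auth.authenticate("alice", {"password": "correct horse", "totp": code,
                                             "fingerprint": set(ENROLLED_PRINT)}, "sensitive", t)
    return {"stolen_only": stolen_only, "two_std": two_std, "two_sens": two_sens,
            "three_sens": three_sens, "audit": auth.audit_log}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the example is the policy line, not any single verifier: a leaked fingerprint template satisfies the “is” category forever, since it cannot be rotated like a password or a device secret, so the deciding rule is that no single category grants access on its own and that access to sensitive data raises the bar. The audit log records the categories each attempt satisfied, which is the kind of login visibility an administrator needs to spot a stolen template being replayed against a system.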

In addition, administrators should have the ability to log online activity, including logins. It’s your best tool to identify risks and to remediate if there are problems.

And if your fingerprints (or other data) were stolen in the OPM hack...

There are a few things that you should do to reduce your online exposure. We wrote about it a few months ago when news of the breach broke, and it’s probably a good idea to revisit it now.

Scott Petry - Scott is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007.
