Beyond the Password

Enhanced biometric solutions boost security through stronger authentication.

The password has been a linchpin of security for millennia: a watchword demanded as proof of identity before granting access to a guarded place. That may have served medieval castle sentries well, but the password has become notoriously inadequate for protecting modern IT environments.

Former Homeland Security chief Michael Chertoff says the password is “by far” the weakest link in IT security today, and the statistics back him up. Sixty-three percent of all confirmed data breaches involved weak, default or stolen passwords, according to Verizon’s 2016 Data Breach Investigations Report. Many of the highest-profile breaches in recent years have resulted from compromised passwords, including the attacks on the Democratic National Committee, Yahoo and Sony Pictures.

What’s worse, security experts expect these attacks to spawn an inevitable series of aftershock breaches in which passwords sold through “dark web” markets are used in new attacks, possibly several years after the original theft. Experian reports that credentials stolen in a 2014 Yahoo breach that exposed 500 million accounts were subsequently resold and used by other criminals to compromise accounts across a wide variety of services where consumers had reused the same username and password. This replay of leaked credentials against other sites is known as credential stuffing, and it works precisely because the password is reused.

Unfortunately, there is no sign that understanding the danger changes user behavior. When it comes to passwords, convenience still trumps caution: for five years running, “123456” and “password” have ranked as the most commonly used passwords in SplashData’s annual study.

“Passwords are broken. They have become one of the weakest links in our security chain,” said David Ferbrache, technical director at KPMG’s cybersecurity practice. “People are being forced to adopt more and more convoluted passwords while simultaneously trying to avoid the temptation to reuse (them). It is high time we moved to a more sophisticated approach.”

Getting Physical

With the shift to cloud and mobile technologies expanding the attack surface, demand for strong authentication has never been higher. There is near-unanimous support in the security industry for wider use of multifactor authentication, which requires a combination of two or more independent verification factors: something the user knows (a password or PIN), something the user has (a security token or mobile app) and something the user is (a biometric identifier).

Two-factor authentication, typically a password combined with a security token or one-time code, has been required for years by financial institutions, government agencies, healthcare facilities and others. Support is now growing for systems that also draw on the third factor, biometrics.

Biometrics measure and analyze an individual’s distinctive physical and behavioral characteristics and use that data to verify the user’s identity. Physical biometric authentication can include everything from fingerprints and facial recognition to retina scanning and body odor. Behavioral biometric authentication can involve voice recognition or real-time monitoring of typing rhythm, device usage patterns, gait or gestures. Unlike a password, a biometric is not matched exactly but compared against an enrolled template within a tolerance, so every biometric system trades false acceptances against false rejections, and that tolerance is a security setting in its own right.

While most people associate biometrics with physical characteristics, behavioral biometric software has advanced dramatically in recent years. These tools analyze how users pinch, zoom and swipe the screen of a mobile device, how they move a finger across it, how much of the fingertip touches it, how hard they press and how they hold the device. Such patterns are difficult for an attacker to replicate, and because they are collected continuously they can flag an account takeover after login, not only at the door. In practice the output is a risk score rather than a yes-or-no match, so when behavior drifts from the user’s enrolled profile the system can respond in proportion: require another form of authentication, or alert an administrator, who can then call the user to verify.
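The scoring-and-response loop described above, as an added example that is not code from the article or from any vendor it names: a user's earlier sessions are summarized into a per-feature profile, a new session is scored by how far it sits from that profile, and the score selects the response. The feature names, the thresholds and every sample session are constructed for illustration; a real product uses many more features and far more enrollment data.

```javascript
// Added example (not from the article): scoring a session against a user's
// enrolled behavioral profile and choosing a response in proportion.
// Feature names, thresholds and every sample session below are constructed.

const FEATURES = ["dwellMs", "flightMs", "charsPerSec", "pressure"];

// Constructed enrollment data: five earlier sessions from the genuine user.
// dwellMs = mean key hold time, flightMs = mean gap between key presses,
// charsPerSec = typing speed, pressure = mean touch pressure (0..1).
const ENROLLMENT = [
  { dwellMs: 95, flightMs: 140, charsPerSec: 5.2, pressure: 0.62 },
  { dwellMs: 101, flightMs: 135, charsPerSec: 5.0, pressure: 0.60 },
  { dwellMs: 98, flightMs: 150, charsPerSec: 4.8, pressure: 0.65 },
  { dwellMs: 104, flightMs: 138, charsPerSec: 5.1, pressure: 0.58 },
  { dwellMs: 97, flightMs: 142, charsPerSec: 5.3, pressure: 0.63 },
];

// Per-feature mean and (population) standard deviation of the enrolled sessions.
function buildProfile(sessions) {
  const profile = {};
  for (const f of FEATURES) {
    const xs = sessions.map((s) => s[f]);
    const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
    const variance = xs.reduce((a, x) => a + (x - mean) ** 2, 0) / xs.length;
    // Floor the spread so a feature the user never varies cannot divide by zero.
    profile[f] = { mean, std: Math.max(Math.sqrt(variance), 1e-9) };
  }
  return profile;
}

// Root-mean-square of the per-feature z-scores: 0 means "exactly like the
// profile", larger means further from it. It is a distance, not a yes/no match.
function riskScore(profile, session) {
  let sumSq = 0;
  for (const f of FEATURES) {
    const { mean, std } = profile[f];
    const z = (session[f] - mean) / std;
    sumSq += z * z;
  }
  return Math.sqrt(sumSq / FEATURES.length);
}

// Constructed policy: small deviation is normal, moderate deviation triggers
// step-up authentication, large deviation is denied and an administrator alerted.
const THRESHOLDS = { allow: 2.0, stepUp: 4.0 };

function decide(profile, session) {
  const score = riskScore(profile, session);
  if (score < THRESHOLDS.allow) return { action: "allow", score };
  if (score < THRESHOLDS.stepUp) return { action: "step-up", score };
  return { action: "deny-and-alert", score };
}

// Constructed sessions to score against the profile.
const SESSIONS = {
  genuine: { dwellMs: 100, flightMs: 143, charsPerSec: 5.1, pressure: 0.61 },
  drifted: { dwellMs: 106, flightMs: 155, charsPerSec: 4.6, pressure: 0.66 }, // tired user or new phone?
  scripted: { dwellMs: 40, flightMs: 30, charsPerSec: 12.0, pressure: 0.95 }, // automation-like
};

function runAll() {
  const profile = buildProfile(ENROLLMENT);
  const results = {};
  for (const [name, session] of Object.entries(SESSIONS)) {
    results[name] = decide(profile, session);
  }
  return results;
}

for (const [name, r] of Object.entries(runAll())) {
  console.log(`${name}: score=${r.score.toFixed(2)} action=${r.action}`);
}
```

The "drifted" session is the interesting one: it is too far from the profile to wave through but far too close to be an obvious attacker, which is exactly the case where a step-up prompt costs little and a hard denial would lock out a legitimate user.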

Mainstream Applications

The rapid rise of smartphones and mobile applications has encouraged the development of lighter-weight biometrics. Developers can often add biometric checks to their apps with a few calls to the platform’s authentication APIs. By using the front-facing camera and microphone built into most handsets, applications can offer voice and facial recognition even on older devices with no dedicated biometric sensor.

MasterCard recently rolled out its “selfie pay” Identity Check solution, which uses facial biometrics for payment authentication. Using a mobile application, users simply show their face to the smartphone camera to confirm an online payment. To stop an attacker from holding up a static photo, the app requires users to blink. That is a basic liveness check; it defeats a printed picture, but a presentation-attack defense also has to consider replayed video, not only still images. MasterCard also offers fingerprint authentication as an alternative.

Microsoft pushed biometrics further toward mainstream usage with the launch of Windows 10. A key feature of the operating system is Windows Hello, a biometric security platform that lets users sign in to Windows 10 devices without a password, using facial recognition, iris scanning or a fingerprint. The biometric match happens on the device and unlocks a key stored there; the template itself is never sent anywhere. Microsoft Edge, the new browser bundled in Windows 10, natively supports Hello and makes it possible to use biometric authentication to log in to web sites, which receive a signed challenge rather than any biometric data. To date, few web sites support biometric authentication, but Microsoft’s strategy seems likely to encourage continued acceptance.

The need to improve authentication is driving biometrics into consumer, industrial and government systems at an increasing pace, according to the market research company Tractica. The firm forecasts that annual biometrics hardware and software revenue will grow from $2.4 billion in 2016 to $15.1 billion worldwide by 2025, a compound annual growth rate of 22.9 percent. Over that 10-year period, Tractica anticipates that cumulative biometrics revenue will total $69.8 billion.

While passwords are not going away any time soon, organizations need to take a hard look at their authentication tools and processes and move away from password-only protection. With more than half of all data breaches linked to misused or stolen user credentials, passwords alone no longer provide sufficient defense. Strong multifactor authentication that incorporates biometrics can significantly elevate an organization’s security posture and its ability to protect its data, customers and reputation. One caveat is worth designing for: a fingerprint or face cannot be rotated the way a password can, so a biometric should unlock a device-bound secret, as Windows Hello does, rather than be transmitted and stored on a server like a password.