Multi-factor, not just biometrics.

Biometric authentication is fairly commonplace today. Just about everyone knows how to use the fingerprint scanner on most modern smartphones. With the newer phones, facial scanning has started to take the place of the fingerprint. And some mobile apps that are trying to push their security beyond the built-in platform offerings have included iris scanning. Biometrics check off the "ease of use" and "strong security" boxes most of the time.

Where it starts to fall apart is when application owners implement only biometrics. For years security experts have been telling application owners that they should implement multi-factor authentication. This means pairing two different authentication technologies drawn from at least two different factor groupings. As a refresher, there are three authentication factor groups: "Something You Know", "Something You Have" and "Something You Are". Taking two technologies from the same factor does not give you multi-factor authentication; you must have at least two technologies from different factors. Biometrics fit into the "Something You Are" grouping and are a single-factor technology.

Today a great write-up on the attack vectors currently plaguing the most common biometric technologies was published on DarkReading. The attacks have been around for a while, but they still work. When you read the article, it is impressive how simplistic these attacks really are. Biometrics are an advanced technology, and yet a piece of paper or a gummy bear is all that is needed to break them. These attacks will be mitigated and solved and new versions of the products will be released, but that will just invite new attacks. Nothing is completely secure from every style of attack; it just takes longer to find the appropriate attack vector.

Application owners should see these attacks and think back to attacks on static passwords, on SMS passwords, and all of the other authentication attacks. When you take one form of authentication from a single factor, there are probably a few different attacks against it. However, when you start to combine technologies across the different factors of authentication, the attacks become much harder, and some of them next to impossible. The best applications implement multi-factor authentication in ways that only call attention to it when it is needed (or when risk is detected), and allow a user to continue doing what they need to without being impacted all the time.
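The two points above (two authenticators only count as multi-factor when they come from different factor groups, and the extra factor should only be demanded when the situation calls for it) can be expressed as a small policy check. The following is an added example written for this post, not code from the article or from any product it mentions; the authenticator names, the `LoginAttempt` fields and the risk signals (`new_device`, `high_risk_action`) are hypothetical stand-ins for whatever an application actually tracks.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    """The three classic authentication factor groups."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Hypothetical mapping of authenticator types to their factor group.
# A real application would populate this from its own authenticator inventory.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "totp_app": Factor.HAVE,
    "hardware_key": Factor.HAVE,
    "sms_code": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "face": Factor.ARE,
    "iris": Factor.ARE,
}


def factors_covered(authenticators):
    """Return the set of factor groups satisfied by the given authenticators.

    Raises ValueError for an authenticator the policy does not know, so that
    an unclassified method can never silently count toward MFA.
    """
    covered = set()
    for name in authenticators:
        if name not in AUTHENTICATOR_FACTOR:
            raise ValueError(f"unknown authenticator type: {name}")
        covered.add(AUTHENTICATOR_FACTOR[name])
    return covered


def is_multifactor(authenticators):
    """True only when at least two *different* factor groups are covered.

    Fingerprint plus face scan is still a single factor (both are
    "something you are"), so it returns False for that combination.
    """
    return len(factors_covered(authenticators)) >= 2


def missing_factors(authenticators):
    """Factor groups that would add real strength if one of them were added.

    Useful when choosing what to offer in a step-up prompt: offering another
    biometric to a user who already used a biometric would not help.
    """
    return set(Factor) - factors_covered(authenticators)


@dataclass
class LoginAttempt:
    user: str
    authenticators: list = field(default_factory=list)
    new_device: bool = False        # hypothetical risk signal
    high_risk_action: bool = False  # hypothetical risk signal


def decide(attempt):
    """Risk-based decision: 'allow', 'step_up' or 'deny'.

    A routine login from a known device is allowed on a single factor, so the
    user is not impacted all the time. When a risk signal is present, the
    session must already cover two factor groups, otherwise the application
    asks for a second factor instead of denying outright.
    """
    covered = factors_covered(attempt.authenticators)
    if not covered:
        return "deny"
    needs_mfa = attempt.new_device or attempt.high_risk_action
    if needs_mfa and len(covered) < 2:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed sample attempts, not real login data.
    samples = [
        LoginAttempt("alice", ["fingerprint"]),
        LoginAttempt("alice", ["fingerprint"], new_device=True),
        LoginAttempt("alice", ["fingerprint", "face"], new_device=True),
        LoginAttempt("alice", ["fingerprint", "hardware_key"], new_device=True),
    ]
    for s in samples:
        print(s.authenticators, "new_device=%s" % s.new_device,
              "->", decide(s), "missing:", sorted(f.name for f in missing_factors(s.authenticators)))
```

The interesting case is the third sample: fingerprint plus face scan on a new device still comes back as `step_up`, because both methods sit in the same factor group, and `missing_factors` tells the application to offer a "know" or "have" method rather than yet another biometric.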
