Biometrics are great for reducing security risks, but only when they are clearly thought out

I’ve shared this story in the past, but this bears repeating: Back in 2000 I was sitting in a visually indistinguishable office building in McLean, Virginia.

I was slumped in my chair, staring into my cup of coffee and feeling uncomfortable being out of the welcoming embrace of my cavernous darkened office.

The VP of sales sat to my left, fidgeting nervously as we waited for our guests to arrive. A moment later, several uniformed officers walked into the room, and handshakes and pleasantries were exchanged. They took a seat at the table and got straight to business.

They had a biometric device that they were rather proud of, and for which they wanted us to provide a security assessment.

I sat there quietly listening. Slowly, a smile that I was ill-equipped to keep under control crept across my face. I continued to focus on the bottom of my now-empty coffee cup.

The VP of sales turned and looked at me when the presentation concluded and asked: “Is this something we can break?” I nodded in the affirmative.

The senior officer muttered an expletive and started to counter me before I said anything. But I cut him off with one sentence: “I would need a Bowie knife.”

The senior officer stopped mid-bluster and retreated to the uncomfortable safety of the conference room chair.

Where we’re going, we don’t need passwords

Your adversaries will always come at you from whatever angle they can imagine. Biometrics are great for reducing the risk – but only when they are clearly thought out.

Passwords have been a hobgoblin for us since the beginning. When the authenticator is a piece of information that can be easily guessed or compromised, the efficacy of the control is suspect at its core.

That’s not to say one should throw out the baby with the bathwater, by any means. We just need to build something better to replace it.

Two-factor authentication has its warts, but it is far better than the simple password, and makes it that much more difficult for an attacker to compromise a system.

Time-based one-time passwords are a fantastic replacement for the basic password. And with tokens or other possession factors, something you have can be combined with something you know to augment an authentication realm.

Scanning the digital horizon

Authentication can be fraught with danger. And although the building blocks are there to improve the situation, we have to be sure it is done safely and securely.

CBC News ran a story this week about a new app that has the potential to affect how travelers cross international borders. The scheme would enable people to travel through airports faster if they create a digital profile.

Border expert Bill Anderson told CBC that, in addition to providing their personal information before traveling, users would have their profiles automatically updated as they move around the world.

Of course, the security implications for biometric innovations such as this are huge, and the developers behind the Known Traveler Digital Identity scheme have been working hard to ensure the solution is watertight.

“No personal information is stored on the ledger itself, ensuring that personal information is not consolidated in one system, which would make it a high value target for subversion,” UK technology company Accenture said in a statement to CBC.

Ultimately, however, as more and more data is collected with regards to biometrics and personal data, the problems pertaining to accountability for the control and security of that data will grow.

I recently binge-watched the new Netflix show, Altered Carbon, and for a moment I shuddered to think of the dystopian future it might represent with regards to biometric data, as DNA is utilized for authentication and verification of financial data.

There was a point in time I would have laughed it off, but these days anything appears to be possible.