But biometric authentication doesn't necessarily mean better security

Passwords continue to be a nightmare for the security conscious, with some organizations beginning to turn to biometrics for a solution to prevent systems from being exploited.

And it’s getting easier to make that change.

At the end of last month, Google released Chrome 67 – the latest version of its browser for Windows, Mac, and Linux – which now supports password-free sign-in.

Users can now effectively log in to their web accounts through a connected device secured with a PIN or biometric data, be it a fingerprint or face scan.

Aimed at heightened convenience, but also at protection against password-reliant phishing attacks, the change is the result of the newly approved Web Authentication (WebAuthn) standard – a secure way to verify credentials in web browsers that was developed by the FIDO Alliance and the World Wide Web Consortium (W3C).

The standard was announced in April and is expected to be built into all major browsers, completely altering how the internet is accessed and, more importantly, secured.

Discussing the release in a Google developer blog, Pete LePage, developer advocate, said: “The Web Authentication API adds a third credential type, PublicKeyCredential, which allows browsers to authenticate a user with a private/public key pair generated by an authenticator such as a security key, fingerprint reader, or any other device that can authenticate a user.”

LePage added: “Chrome 67 enables the API using U2F/CTAP 1 authenticators over USB transport on desktop.”

More and more companies are adopting biometrics in their products and making the switch to systems where consumers can log in with identifiers completely unique to them and without much hassle.

Growing demand

While the biometric take-up in 2016 still only represented 20% of firms globally, according to CEB research group, user preference points to a growing demand for it – 88% of New Zealanders, for instance, favor biometrics over traditional passwords to authorize payments.

“Biometrics are identifiers tied to a person and not to a static alphanumeric string, making them better since they present a much higher barrier for those attempting to use them fraudulently,” George Avetisov, CEO of HYPR, told The Daily Swig.

HYPR assists companies in securely storing users’ biometrics or passwords on their personal devices, having worked with the likes of Mastercard, Samsung, and Irish health insurer Vhi.

“Passwords can be used by anyone, and their weakness creates vulnerability that security teams spend a lot of time and money on to prevent,” Avetisov said, reiterating how users tend to reuse the same username and password across different services – a habit that, according to the 2017 Verizon Data Breach Investigations Report, is a factor in 81% of data breaches.

The development of biometric sign-in, however, shouldn’t signify the death of passwords as we know them, particularly when cases of attackers bypassing these systems seem to appear with every new feature that’s introduced.

“Biometrics aren’t secret,” said Matt Lewis, research director at NCC Group, while speaking about spoofing biometrics at the Cyber UK summit in April.

“So, for example, you can record my voice, anyone can take a picture of my face, I leave my fingerprints lying around, and it’s these properties that we exploit in spoofing attacks against biometric systems to try to find ways to defeat them.”

Unlike passwords, a user’s fingerprint can’t be changed, so for a company holding biometric data, irreversible consequences can follow if that data is breached and ends up on some underground marketplace.

SecurityScorecard is a firm which measures an organization’s level of cybersecurity, calculating the risk of a future breach based on what systems and practices are in place. The company recently teamed up with AXA to assist the insurer with appraising cyber premiums.

But biometric authentication isn’t a major factor in assessment, Aleksandr Yampolskiy, SecurityScorecard CEO, told The Daily Swig.

“In general enabling multi-factor authentication, for example 2FA, even if it’s not using biometrics but using a second factor like a SecurID token, does make companies more secure,” said Yampolskiy.

“The reason for this is that if an attacker compromises a computer of an employee remotely and sees all of the employee's keystrokes, he still wouldn't know what the second factor is - and that could prevent him from stealing sensitive information.”

Yampolskiy added: “However, 2FA needs to be properly configured.”

It’s too soon to tell whether future interaction with the internet will look like a simple gesture made at a mobile phone, but WebAuthn’s open-ended credential creation and strong cryptography certainly seem like they’re here to stay.

“There’s a lot more networks coming into play on devices and spoof detection is quite good,” said Lewis.

“We’re seeing more behaviour biometrics as well, so the handset learning how you use it and using that as an identifier. So I think, generally, it’s going to get harder.”