Thanks greatly to the consumerization of biometrics within smartphones, biometrics has come to be seen as a low-cost, low-friction means of authentication. But biometrics vary greatly in terms of accuracy and convenience based on the type of biometric and, critically, the strict-vs.-lenient settings options.
Many of the risks of biometrics — such as storing the data and then having the data stolen in a breach — are not an issue for enterprises because they are overwhelmingly using third-party vendors to gather and save the data. Still, if that third-party biometric vendor gets breached and the enterprise’s authentication data finds its way to the Dark Web, some blame will eventually land on the CISO’s desk.
The stakes are also high for biometrics data.
“Look, if my password gets stolen, that’s a bad day, but I can create a new one and move on,” says Sailpoint CISO Rex Booth. “If my biometrics are stolen, that’s it. I can’t refresh my fingerprints or grow a new retina. Any relationship I have with a biometric-dependent system from that day forward is now inherently insecure — for life.”
For his part, Roger Grimes, defense evangelist at KnowBe4, argues that biometrics in general don’t work well.
“The biggest misconception is that biometrics are extremely accurate,” he says. “None of the algorithms comes close to what they claim to be. There are an awful lot of false matches.”
Thus, it behooves a CISO to consider the pros and cons of each security measure, including which biometrics to implement — and how to do so effectively.
Voice Recognition Needs Serious Backup
The most fundamental cybersecurity issue with biometrics is accuracy versus ease of use. Unfortunately, the least intrusive biometric techniques are often the least accurate.
A biometric approach very popular with the financial sector is voice authentication. A team of researchers from the University of Waterloo reported in late June that it had “discovered a method of attack that can successfully bypass voice authentication security systems with up to a 99 percent success rate after only six tries.” The full research report was presented at the 2023 IEEE Symposium on Security and Privacy.
The Waterloo method “identified the markers in deepfake audio that betray it is computer-generated, and wrote a program that removes these markers, making it indistinguishable from authentic audio.” The researchers tested their audio against Amazon Connect’s voice authentication system, reporting a 10% success rate within four seconds; the success rose to more than 40% within 30 seconds.
“With some of the less sophisticated voice authentication systems targeted, they achieved a 99 percent success rate after six attempts,” the report stated.
Face Recognition Edges Out Fingerprints
Mariona Campmany, CMO for authentication firm Veridas, says she prefers facial recognition and voice over fingerprints, for a couple of reasons.
“First, fingerprint readers are more easily interoperable and susceptible to personal data extraction — they do not provide the high level of privacy protection that facial and voice biometrics do,” she says. “Capturing fingerprints also requires higher resolution cameras or specialized software in comparison to facial biometric devices, making them less accessible and universally applicable.”
One of the complexities of a biometrics strategy is that there are two kinds of accuracy. One is the type Grimes was referencing, which looks at how often the system correctly identifies the user. But the second speaks to system friction; it involves how many attempts the user must make before the biometric system even acknowledges the attempt.
Facial recognition suffers from problems in that second area, given that it can only analyze a face that is a precise distance from the screen. With some smartphone implementations, users sometimes have to make two or three attempts before the system even registers the user.
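To make the two kinds of accuracy concrete, here is an added example (not code from the article or from any vendor it names) that scores a constructed set of genuine and impostor presentations at a lenient and a strict threshold; the standard terms false match rate, false non-match rate and failure-to-acquire rate, the sample scores, and the independent-trials assumption behind the expected-attempts figure are all assumptions, not from the article.

```python
"""Added example: measuring the two kinds of biometric accuracy the
article distinguishes, on constructed data (not real sensor output).

Kind one is matching accuracy: false match rate (FMR, the "false matches"
Grimes refers to) and false non-match rate (FNMR). Kind two is friction:
failure-to-acquire rate (FTA), presentations the sensor never registers.
The strict-vs-lenient threshold moves FMR and FNMR in opposite directions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    genuine: bool   # True if the presenter is the enrolled user
    acquired: bool  # False if no usable sample was captured (e.g. face out of range)
    score: float    # similarity score in [0, 1]; meaningless when not acquired


# Constructed sample: 10 genuine presentations (2 not acquired), 10 impostors.
SAMPLE = [
    Attempt(True, True, 0.92), Attempt(True, True, 0.88), Attempt(True, True, 0.81),
    Attempt(True, True, 0.79), Attempt(True, True, 0.74), Attempt(True, True, 0.70),
    Attempt(True, True, 0.66), Attempt(True, True, 0.61),
    Attempt(True, False, 0.0), Attempt(True, False, 0.0),
    Attempt(False, True, 0.72), Attempt(False, True, 0.64), Attempt(False, True, 0.58),
    Attempt(False, True, 0.51), Attempt(False, True, 0.47), Attempt(False, True, 0.40),
    Attempt(False, True, 0.35), Attempt(False, True, 0.30), Attempt(False, True, 0.22),
    Attempt(False, True, 0.15),
]


def evaluate(attempts, threshold):
    """Return (fmr, fnmr, fta) for a given accept threshold.

    fmr  = impostors accepted / all impostor presentations
    fnmr = genuine users rejected / acquired genuine presentations
    fta  = unacquired genuine presentations / all genuine presentations
    """
    genuine = [a for a in attempts if a.genuine]
    impostors = [a for a in attempts if not a.genuine]
    acquired_genuine = [a for a in genuine if a.acquired]
    false_match = sum(1 for a in impostors if a.acquired and a.score >= threshold)
    false_non_match = sum(1 for a in acquired_genuine if a.score < threshold)
    unacquired = len(genuine) - len(acquired_genuine)
    return (false_match / len(impostors),
            false_non_match / len(acquired_genuine),
            unacquired / len(genuine))


def expected_presentations(fta):
    """Mean tries before the sensor registers the user, assuming independent tries."""
    return 1.0 / (1.0 - fta)
```

Lowering the threshold from 0.75 to 0.50 on this sample removes every false rejection but lets four of ten impostors through, while the failure-to-acquire rate is untouched by the threshold at all; that is the friction the article describes, and only a better capture setup or a second factor addresses it.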
Vein Recognition Is Expensive, but Secure
Gartner VP and analyst Ant Allan says his favorite biometric approach is very popular in the healthcare vertical, but is seen in very few other verticals: vein recognition.
“It’s a more expensive option because you need specialist scanning and infrared equipment, imaging equipment. It is often two, three or four times the price of fingerprint sensors,” he says, adding that most healthcare environments limit the equipment to a small number of shared workstations to lower the cost.
CISOs should “not rely on biometrics as a single factor, with the possible exception of veins because [vein patterns] are so difficult to fake,” Allan says.
Close the Gaps With Layering
Some biometrics are better than others, Grimes says. “Voice is by far the weakest, and then facial recognition. Voice sits in its own class for how weak it is. It is so easy to fake,” he emphasizes.
Grimes has talked about biometrics accuracy issues for years. Late last year, he pointed to NIST’s analysis of biometrics accuracy, which found that facial and fingerprint recognition rarely come close to their claimed precision.
“If I steal your phone, your fingerprints are all over your phone,” he says.
And therein lies one critical problem: The easiest biometric methods tend to be less accurate, but they also tend to be much lower in cost and, thus, chosen more often.
A strong MFA strategy is a good way to incorporate biometrics, Gartner’s Allan says.
“Using any single mode is going to give you some gaps,” he notes. “All authentication is vulnerable. There is no method that is bullet proof.”