To Secure the Biometric, You Must Secure the Device

To Secure the Biometric, You Must Secure the Device

The use of biometric data in security is emerging as the leading replacement for the broken password system.

When that transition happens, neither security professionals or users are likely to mourn its demise. Passwords are problematic for two reasons; they are easily compromised by fraudsters and difficult for users to remember. The system has been regarded as “the weak link” (to use Bill Gates’ phrase) in security for a decade.

The use of biometric data (i.e. identification based on unique human characteristics) promises to change all that. No longer will users be forced to remember a hundred different passwords. Rather, through the use of biometric technology such as fingerprint recognition software, users will, in effect, carry a personalized key to all their accounts with themselves at all times.

Further, because each person’s fingerprint is unique, it is difficult, if not impossible, for fraudsters to crack. An encrypted fingerprint is infinitely more complex and specific to individual users than passwords like “password” and “123456.”

However, using biometric data for security is not, in and of itself, a silver bullet. Rather, the use of biometric data is only one aspect in a multi-pronged approach to security. A biometric login by itself only proves it’s the enrolled user interacting with a business. Unfortunately, this login gives no insight into the relative security of device itself—in other words, the environment in which the biometric is operating.

Lurking unknown to both user and businesses, the device housing the biometric data may be infected with unseen threats such as application hooking, malware, and crimeware that are designed to bypass the biometric or compromise the information after the biometric authentication is performed.

This form of theft is unseen by both the user and the organization. Malware and other threats operate quietly in the background, siphoning funds and information away from users without them even being aware of it.

For transactions to occur without threat, the environment surrounding the transaction must first be secured. It is only when one can fully trust the device and confirm the user’s identity that the ultimate device security weapon against fraud—a trusted security token—can be created.

Trusted security tokens work because they use of two-factor authentication (2FA), a widely used and accepted security protocol for establishing a a user’s claimed identity by using two different attributes—a combination of something the user knows (for example, a PIN number), possesses (for example, an ATM card) or is inseparable from them (for example, the user’s fingerprint).

A person’s fingerprint is, obviously, a unique attribute for 2FA purposes. But the device housing the biometric data can also be used as an attribute for authentication. Mobile devices contain within them a multitude of different characteristics (for example, the device’s operating system, approximate location, and others) which can be combined to form a unique permanent ID. These two attributes—the mobile device ID and user biometric data—can then be joined to create a unique credential that is close to impossible for fraudsters to duplicate.

When a device ID is coupled with biometric identification, it allows for the formation of a trusted connection between the business and the user. Transmissions and data can then be transferred along a secure channel with absolute confidence that it will not be compromised or intercepted. In this type of environment, every communication is encrypted end-to-end, digitally signed, and protected against replay attacks. Using this method ensures the intended device is the only device in the world that can read the sensitive information passed between business and user.

Further, technology exists that checks the integrity of the mobile device by performing app validation, advanced malware/crimeware detection, and root/jailbreak and cloaked root/jailbreak detection to identify potentially risky devices. This analysis neutralizes threats such as application hooking, malware, crimeware, and others that seek to bypass or ignore the biometric authentication.

Because biometric data is unique and cannot be changed by users, it is imperative to protect this sensitive information from interception. For this reason, it is best if biometric software never passes the fingerprint biometric. Instead systems should rely on a secure key pairing process that never exposes the data itself. Using this method ensures biometric data housed on a user’s mobile device will never be intercepted or improperly relayed.

Biometrics offer tremendous promise in improving security, but they are only one component. True security is achieved only through a multi-layered approach that employs a combination of solutions, both biometric and device authentication, to ensure every transaction is conducted with absolute confidence of its integrity.

Photo source: Flickr

NORTH AMERICA

Headquarters

367 Boylston Street, Suite 501
Boston, MA 02116
+1.855.801.0774

West Coast Office

227 Broadway, Suite 200
Santa Monica, CA 904011

EMEA

80 Coleman Street
London, EC2R 5BJ
+44 (0) 0207 489 6425