In this TechTarget article, Adam Englander, chief architect for multifactor authentication products at Iovation, argues that biometrics are stupid. While the article makes several recommendations that are smart, Adam’s concerns regarding biometrics are misguided because they focus exclusively on physical biometrics and fail to address how behavioral biometrics are shifting the industry. We’ll look at his good recommendations after we review his misguided focus on physical biometrics:
“Englander said that biometric factors are “inherently stupid” for a number of reasons, starting with the fact that the “biometrics don’t evolve.” While one of the strengths of biometrics is that they provide enough complexity to be useful for authentication, there is no way to increase the complexity of a biometric factor like a fingerprint. “There’s no way to get more swirls on your thumb,” Englander pointed out. Furthermore, biometrics can’t be changed short of a “catastrophic event,” like the loss of a finger or hand, or facial disfigurement from some injury.
What it means, Englander said, is that “the net value of biometrics increases over time.”
Unlike with passwords, which system administrators can force to be changed after a breach, biometric data can never be changed — and thus continues to grow in value, even if encrypted.
“Biometrics has a significant flaw: there’s this thing called Moore’s Law that says that computing power is going to increase by a percentage every year, but your biometric does not,” Englander said, and the people whose fingerprints were stolen in the 2015 breach of the U.S. Office of Personnel Management can never depend on their fingerprints to be a secure method of authentication. “Until you die, the credentials are now compromised.””
It strikes me as odd that Iovation is unaware of the inroads behavioral biometrics are making, given the market’s broad adoption of them in products such as ThreatMetrix. Then there is the statement “…there is no way to increase the complexity of a biometric factor like a fingerprint,” which ignores enhanced sensors that now capture vein patterns and other features that greatly increase complexity and accuracy. Still, Mercator agrees that physical biometrics should be reserved for when a high-risk transaction demands a challenge.
The article next makes several smart recommendations, and I hope Englander recognizes that these very recommendations can make biometrics very smart, not stupid:
“First, Englander recommended using true multifactor authentication (MFA) incorporating biometrics as one of three factors for authentication. But true MFA, he warned, requires at least three factors: one each of inherence, the “what you are,” or biometric factor; knowledge, or “what you know,” usually a password; and possession, or “what you have,” usually a token of some sort. “Without all three, it’s not true MFA.”
“Three is better than one,” Englander said, noting that if you have three factors, even if the biometric factor has been compromised, the other factors can change. If the only factor being considered is the biometric, that is not safe, but even when a compromised biometric is used with two other factors, they all together can produce a strongly authenticated result even if none of the individual factors by themselves can be fully trusted.
“All these things together by themselves aren’t super secure but if you put them together they’re fantastically secure.””
Mercator urges the use of multifactor authentication and fully expects that this concept will ultimately incorporate more than one biometric: perhaps a passive behavioral biometric that requires no challenge for a low-risk transaction, behavioral plus a fingerprint challenge for higher risk, and perhaps voice or face recognition added on top for very high-risk situations.
MFA supports Englander’s other recommendations, which include support for FIDO and adoption of machine learning (ML). Regarding the latter, Englander recognizes that ML can operate on the back end to gauge the risk associated with a transaction so that an appropriate challenge can be issued, but he apparently hasn’t considered how ML will be deployed in the FIDO environment to manage the collection and analysis of behavioral biometric information:
“Another way to do biometrics security the smart way is to decentralize storage. If you don’t, Englander said, “you’re putting your users at risk” because attackers would rather breach a centralized store of biometrics than try targeting individuals one at a time. Decentralizing means “spreading out the risk” to prevent the possibility of stealing a million IDs at once; if an organization still stores credentials centrally, Englander said, “I as a consumer must trust that you are storing them well.” Another way to decentralize biometrics is to use the FIDO Alliance’s new WebAuthn API for web authorization, already supported in browsers to provide secure MFA.
Finally, Englander recommended using machine learning to be smart about determining the risks and what level of authentication is needed for different authentication attempts. In other words, when authenticating a user who is attempting to make a financial transfer the system should require a much higher degree of confidence in the authentication, and use three factors. On the other hand, granting access to a piece of paid content to a user who just authenticated five minutes before from the same device might not call for any further authentication.”
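To make the two ideas above concrete, the risk-tiered policy Mercator sketches (passive behavioral only for low risk, behavioral plus a fingerprint for higher risk, the full three categories for very high risk) and Englander’s rule that stacked biometrics are still only one factor, here is a small policy engine. It is example code written for this commentary, not code from Iovation, TechTarget or Mercator. The authenticator names, the category mapping, the tier thresholds (a $1,000 transfer, a five-minute grace window, the behavioral-score cut-offs) and the `Context` fields are all assumptions chosen for illustration; a real deployment would take them from its ML risk model.

```python
"""Risk-tiered step-up authentication policy (constructed illustration)."""
from dataclasses import dataclass
from enum import Enum


class Category(str, Enum):
    """Englander's three factor categories."""
    INHERENCE = "what you are"
    KNOWLEDGE = "what you know"
    POSSESSION = "what you have"


# Assumed mapping from concrete authenticators to categories (not from the article).
CATEGORY_OF = {
    "behavioral": Category.INHERENCE,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
    "voice": Category.INHERENCE,
    "password": Category.KNOWLEDGE,
    "fido_token": Category.POSSESSION,
}


def is_true_mfa(authenticators):
    """True MFA in Englander's sense: the set covers all three categories.
    Stacking biometrics (fingerprint + face + behavioral) is still one factor."""
    return {CATEGORY_OF[a] for a in authenticators} == set(Category)


@dataclass
class Context:
    action: str                        # "read_content", "login" or "transfer"
    amount: float = 0.0                # transfer amount, if any
    known_device: bool = True          # device previously seen for this account
    behavioral_score: float = 1.0      # 0..1 match from a passive behavioral engine (hypothetical)
    seconds_since_auth: int = 10**9    # age of the last successful authentication
    same_device_as_last_auth: bool = False


# Assumed thresholds; a deployment would tune these from its ML risk model.
HIGH_VALUE_TRANSFER = 1000.0
RECENT_AUTH_WINDOW = 300               # the "five minutes ago" grace window
BEHAVIORAL_ACCEPT = 0.8                # passive match good enough to skip a challenge
BEHAVIORAL_REJECT = 0.5                # passive match bad enough to force full MFA


def risk_tier(ctx):
    """0 = low (passive behavioral only), 1 = elevated (behavioral + fingerprint),
    2 = high (all three categories, with face added)."""
    tier = 0
    if ctx.action == "transfer":
        tier = 2 if ctx.amount >= HIGH_VALUE_TRANSFER else 1
    if not ctx.known_device:
        tier = max(tier, 1)
    recently_authenticated = (ctx.same_device_as_last_auth
                              and ctx.seconds_since_auth <= RECENT_AUTH_WINDOW)
    if not recently_authenticated:
        tier = max(tier, 1)            # a cold session needs at least one active challenge
    if ctx.behavioral_score < BEHAVIORAL_REJECT:
        tier = 2                       # passive signal contradicts the claimed user
    elif ctx.behavioral_score < BEHAVIORAL_ACCEPT:
        tier = max(tier, 1)
    return tier


# Active challenges issued per tier. "behavioral" is always evaluated passively, never challenged.
CHALLENGES = {
    0: [],
    1: ["fingerprint"],
    2: ["fingerprint", "face", "password", "fido_token"],
}


def validate_policy(challenges=CHALLENGES):
    """The high-risk tier must itself be true MFA, not just more biometrics."""
    return is_true_mfa(challenges[2])


def decide(ctx, presented=()):
    """Return ("allow", []) or ("challenge", [authenticators still needed])."""
    needed = [c for c in CHALLENGES[risk_tier(ctx)] if c not in set(presented)]
    return ("allow", []) if not needed else ("challenge", needed)


if __name__ == "__main__":
    # Constructed scenarios matching the two cases in the article.
    content = Context("read_content", seconds_since_auth=120, same_device_as_last_auth=True)
    print(decide(content))             # ('allow', [])
    transfer = Context("transfer", amount=5000, seconds_since_auth=120,
                       same_device_as_last_auth=True)
    print(decide(transfer))            # ('challenge', ['fingerprint', 'face', 'password', 'fido_token'])
```

The point of `validate_policy` is the one Englander makes: a high-risk tier that asked for fingerprint, face and voice would look like three factors but is a single category, so the check fails and the policy must include a knowledge and a possession factor before it is accepted.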
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group