Wednesday, October 21, 2020

Authentication Factor 3: Something you are, like your thumbprint (Cybersecurity Awareness Month, Day 21)

(image credit: engin akyurt at Unsplash)

To protect your digital devices and private data from unauthorized access and/or abuse, you need to use technology known as authentication. In the context of computing devices and online services, authentication is typically taken to mean "making sure people are who they say they are." 

In the preceding articles for Cybersecurity Awareness Month—Authentication 1 and Authentication 2—I explained that there are multiple ways for computing devices and online accounts to authenticate people. They can ask you to provide one or more of the following, shown here with their technical category names:
Today's article is about the last category of "authentication factors," commonly referred to as biometrics. Broadly defined, biometrics are measurements of human characteristics. However, in the context of computer science and security, a biometric is defined as "a measurable physical characteristic or personal trait used to recognize the identity, or verify the claimed identity, of a person through automated means." 

That particular definition of a biometric comes from the International Biometric Association, which I quoted in my 1991 book on security. Believe it or not, biometrics were already being used back then, sometimes to control access to computing facilities. Today, they are in much wider use and may even be built into your phone. tablet, or laptop computer. 

Biometrics include your fingerprints, your face, the sound of your voice, the veins in your hands and eyes, and behavioral traits such as your signature, handwriting, and typing rhythm, all of which can be recognized "by automated means." For example, I am writing this on a Macbook and to prove that I am the authorized user, Stephen Cobb, I let it scan one of my registered fingertips (there is a special key on the keyboard that is actually a fingerprint reader).

We have seen fingerprint readers on smartphones in recent years, but the technology has been available as an added level of security for laptop and desktop computers for many years (for example, integrated into a mouse, or a USB stick). Some laptops now let you use the integrated camera for authentication by means of facial recognition.

In general, I am a fan of biometrics as an authentication factor tied to a specific device or account. Unlike tokens that might be stolen or passwords that might be shared, biometric identifiers cannot be transferred either by theft or gift. A properly implemented biometric authentication system offers a fairly positive identification of an individual person. 

(I am not a fan of broad uses of biometrics, such as facial recognition, in public places, at scale, but I don't have time to get into my thinking on that right now.)

Unfortunately, basic biometric access controls, like those on your phone, are not without problems. For example, facial recognition can present practical challenges, some of which the COVID-19 pandemic has revealed. For example, put on a mask and your device may not recognize you. That means you may need to full your mask up and down several times a day. 

Another important pandemic precaution, washing your hands, can introduce another wrinkle, pun intended. Do you sometimes find that your phone won't recognize your fingers when you're soaking in the bathtub? It has definitely happened to me. That means you have to enter your passcode, hopefully without the phone joining you in the tub. Other scenarios, like wearing gloves and having to bandage fingers, create problems when a device won't unlock without reading your fingerprint. 

While biometric authentications are likely to evolve quite quickly in response to these issues, any given authentication systems based on biometrics needs alternative 'emergency' authentication processes. For example, if we're all going around talking to our phones, why not add an element of include voice recognition to make sure we are the rightful owner of the phone? Apple was actually filing patents on this idea a couple of years ago.

The bottom line is that using two authentication factors makes it less likely that someone can access your devices or accounts by pretending to be you. Using a biometric as one of those factors may be more appealing to some people than tokens. 

Let me end with something I wrote 25 years ago: Whatever you use for authentication, it is important to bear in mind that security problems go beyond proper user identification. Authorized users who are corrupt is a prime example. User integrity cannot be programmed or scanned. If authorized people log on and then share their account with others, the best biometrics are defeated. Proper data security, user education, and transaction tracking are equally important.

No comments: