As companies try to cope with threats from both the inside and the outside, another area receiving attention is the various ways in which people, whether they are employees, customers, end users, or even just a retired person, can positively confirm their identity.

As we all know, it has always been the password (or even a PIN) that has been the primary means, but ever since last year the Cybersecurity industry has been lamenting the use of Two Factor Authentication (2FA).

As I have written before, this essentially means using two mechanisms to positively confirm your identity. For example, the first layer of entry could still be a password, and after that has been confirmed, the next layer would then be some kind of token or fob (such as an RSA token).

Once these two layers of defense have been successfully passed, then of course you are granted access to whatever you wanted to get access to in the first place.

Another tool which has become popular in this 2FA approach has been the use of Biometric technology. For example, your fingerprint, your eye, or even your face could be used to confirm your identity. In theory, this is one of the best methods, as everybody’s physiological structure is unique in some sense, and of course cannot be stolen the way a password can.

Biometrics has received a lot of attention as part of a 2FA solution, but people still have their doubts and fears about using it. This is according to a survey entitled “Lost in Transaction: The End of Risk?” Here is what they found in regard to this fear factor:

*56% of both Europeans and Americans are fearful of using Biometrics;

*Surprisingly, an overwhelming 81% of the respondents still favor using passwords despite its inherent flaws;

*37% of consumers believe that biometrics are more secure than other verification methods;

*66% of consumers said they would be greatly concerned if they were able to make online purchases without being prompted for a password;

*33% of the respondents will not consider using voice-activated technology for any type of payment, whether at a physical store or online.

But a total contradiction (which makes no sense to me here) is that although people are fearful of using Biometrics, they still view it as a convenient and quick way to authenticate. For instance:

*61% of the respondents believe that using biometrics is a much quicker and more efficient way of paying for goods or services than traditional online payment methods;

*57% of the respondents agree that being able to verify their payments using Biometrics will make shopping on their smartphone more convenient than traditional eCommerce;

*53% of the respondents believe that voice-activated payments are quicker and more convenient versus the other forms of traditional online payment methods.

Also, the survey discovered that when it came to using IoT-related devices, people are more open to using Biometrics:

*When it came to purchasing an IoT device, 51% of the respondents would prefer to use Voice Recognition;

*4% of the respondents would pay for groceries if Voice Recognition was deployed as a means of authentication.

My thoughts on this:

First, the fears about using Biometrics do not at all surprise me. This was the first security field I started in before venturing into Cybersecurity, and I have written three books on this matter. In fact, I conducted a podcast interview with a graduate student from Poland on this very same subject matter. Really, there is nothing to be fearful of with Biometrics; just like anything else, it is garbage in and garbage out.

The images of your face, eyes, and fingerprints are never permanently stored – rather, they are converted into mathematical files that really make no comprehensible sense, not even to a Cyberattacker. The only things that these files make sense to are the Biometric devices which capture the images of your physiological features. These files are also called the “Templates”.

I very often get asked the question, what happens if this template gets stolen? Really nothing, because as just previously mentioned, there is really nothing at all that the Cyberattacker can do with them. It’s like they have intercepted a bunch of encrypted PII, but don’t have the keys to unlock it. So, it is not even the same as credit card theft (I get asked this question all the time also).

But what I found quite surprising is that people, despite their fears, still think that Biometrics is a convenient tool. I mean, how can they find this to be possible if they are too fearful to even use the technology? Truthfully, Biometrics is a much more convenient tool to use, especially when it comes to replacing your password (this is known as a “Single Sign Solution”). In this regard, it is the eye and the fingerprint that are the most widely used.

As the Internet of Things (IoT) starts to proliferate, vendors will be scrambling for new ways to secure all of the interconnectedness that will be occurring. For instance, if a “Smart Home” has a lot of gadgets that are connected with each other, this only increases the attack surface for the Cyberattacker. So, Biometrics will more than likely be called upon once again to secure all of these unsecured lines of communication. This is at least confirmed by the survey.

I have always advocated this cardinal principle to people when it comes to using Biometrics:  Yes, it is a good tool to use when confirming your identity, but it should not be the only tool that is used.  Rather, it is most effective when it is used in conjunction with other security tools, especially when it comes to using a multilayered approach, such as that of 2FA.

Just like any other technology, Biometrics has its flaws. It is not perfect by any means. But for that matter, neither is using 2FA. What if somehow the two lines of defense get broken through by a Cyberattacker? Then what do you do? Then you add another line or two of defense. But in the end, how much is enough? Unfortunately, that question will never be answered, as long as Cyberattackers still persist in their ways.

The link to the survey can be seen here:

https://www.paysafe.com/lost-in-transaction-the-end-of-risk/