EDITOR'S QUESTION
Morey J Haber, VP of Technology, Office of the CTO, BeyondTrust
Can biometrics replace any existing authentication technology today?
Yes, biometrics can replace existing authentication technology today, but there is a lot of work to do and additional security layers are needed to be commercially viable. For example, I do not regard Face ID from Apple as secure due to twins and printed masks that have been proven to thwart the technology. In addition, biometrics should only be used for authentication or authorisation but never both at the same time.

Biometrics alone, without a pin or other verification media, is insufficient. The policies and technologies need to evolve to ensure a fingerprint or Face ID alone cannot jeopardise the integrity of the system and that security policies for storage, encryption and even biometric rotation (like password rotation) can be successfully implemented and enforced.
When should biometrics augment existing solutions?
Consider any security model that is easy to document or communicate via paper, verbally, electronically, or even a text message. A username and password or pin is a traditional example of this. Both strings are easy to document. Biometrics is a great addition to this type of technology and ensures the proper identity is actually the one trying to authenticate, since biometrics cannot be communicated; only spoofed.
When should biometrics never be used?
Biometrics should never be used alone for access, regardless of authentication or authorisation. Door locks are a perfect example of this problem. A stolen fingerprint can easily be manufactured to bypass the physical security of the device and compromise the contents behind the door.

A second example is your mobile device.
www.intelligentcio.com
A fingerprint is used for authorisation and authentication in the case of logging in, potentially accessing a financial mobile app pay. While this is not as risky as a biometric door lock, since it assumes you have possession of the device, it represents an unacceptable risk for entities securing more information than just a consumer's device, personal financials and information. I would never allow an application on a mobile device that uses its local biometric system alone to access sensitive data within an organisation. There should always be a second mechanism on top of that to prove the user's identity. This could be Multi-factor Authentication (MFA) or even a basic pin. Biometrics should never allow full access alone without another form of challenge and response.
Are there processes in place to purge or archive biometric data? What is the data retention policy for it?
The introduction of biometrics is beginning to challenge our current security policies for password retention and password age. For example, how often should a user change which fingerprint is stored in the system, from thumb to pinky and the other hand? How do you address injuries or handicapped individuals? Does rotating your fingers periodically actually make you more secure? I would argue it does. With that in mind, how do you accommodate biometric history similar to password history?

There need to be policies developed per organisation that store biometric data for a finite time and then purge it when obsolete. Modelling the data after current policies, every 30 days for a new finger, makes sense, but exceptions will always occur and, as discussed above, the pin or password associated with the biometrics should be rotated as well.
All of these need to be documented and incorporated into existing security policies and propagated to the end users in the form of employee handbooks and security training.
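The retention and rotation controls described in the last two answers, and the "never biometrics alone" rule from the earlier ones, can be modelled as a small policy engine. This is an added illustration, not code from the interview or from BeyondTrust; the finger labels, the 30-day age, the five-entry history and the PIN second factor are assumptions chosen to match the text.

```python
# Added example (not from the interview): a policy model in which an enrolled
# finger is a rotating credential with a history, and a matching biometric
# never grants access without a second factor (here a PIN check result).
MAX_TEMPLATE_AGE_DAYS = 30   # rotate the enrolled finger every 30 days
HISTORY_DEPTH = 5            # remember the last 5 fingers, like password history


class BiometricPolicy:
    def __init__(self):
        self.current = {}    # user -> (finger label, enrollment day)
        self.history = {}    # user -> previously enrolled finger labels
        self.exempt = set()  # users excused from rotation (injury, disability)

    def enroll(self, user, finger, day):
        """Enroll a finger label such as 'right-thumb'. Refuses the finger
        currently enrolled and any finger still present in the history."""
        if user in self.current and self.current[user][0] == finger:
            return False
        if finger in self.history.get(user, []):
            return False
        if user in self.current:
            hist = self.history.setdefault(user, [])
            hist.append(self.current[user][0])
            del hist[:-HISTORY_DEPTH]  # keep only the newest entries
        self.current[user] = (finger, day)
        return True

    def rotation_due(self, user, day):
        """True once the enrolled finger is older than the policy allows."""
        if user in self.exempt or user not in self.current:
            return False
        return day - self.current[user][1] >= MAX_TEMPLATE_AGE_DAYS

    def decide(self, user, finger, pin_ok, day):
        """Return 'allow', 'deny' or 're-enroll'. A matching finger without a
        correct PIN is still a denial: the biometric alone is never enough."""
        if user not in self.current or self.current[user][0] != finger:
            return "deny"
        if not pin_ok:
            return "deny"
        if self.rotation_due(user, day):
            return "re-enroll"
        return "allow"
```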