Just when we thought the OPM breach couldn’t get any worse, OPM disclosed that approximately 5.6 million fingerprints were stolen as part of the hack. It remains unclear whether these fingerprints can be leveraged by fraudsters for account takeovers, but we know with certainty that cybercriminals will go after anything and everything that could be of value. The incident is a reminder that we must limit the exposure of our biometric data, especially if we are going to use it as an authentication factor.
Almost all of the top banks now support Touch ID fingerprint recognition. The good news is that some of them have deployed fingerprint recognition in conjunction with other strong security features such as mobile tokens, PKI, and encrypted messaging. With layered security in place, fingerprint data alone won’t be enough for a fraudster to gain access to your mobile banking accounts. The bad news is two-fold. First, fingerprints are no longer a fool-proof authentication measure. Second, when a technology is massively adopted, the number of attacks that target it inevitably grows. Apple Pay and EMV are perfect examples: we saw a large number of fraud attempts targeting Apple Pay, and we will see more and more attacks on EMV chip-and-PIN technology as it becomes more widely adopted.
Fingerprint authentication has seen quick adoption as the most convenient of all biometric factors, but it still has some issues. Unlike usernames and passwords, a fingerprint cannot be replaced once it leaks. Also, when fingerprint matching is done locally on a personal device, as with Touch ID, the bank’s back end never sees the fingerprint; it only receives the app’s report that the match succeeded. A fraudster who controls the device or the app (for example by hooking the local authentication API on a jailbroken phone, or by replaying a captured request) can simply tell the server that the user’s fingerprint was successfully matched without ever touching the sensor. Other biometric mechanisms like voice, face or iris recognition, while not as widely adopted as fingerprints, are viable alternatives, but they present their own challenges. Face recognition provides a fast user experience but is sensitive to expression, lighting, glasses and positioning. Voice has some advantages, especially for the IVR channel, and a voice print can be re-enrolled with a different passphrase if the original recording is compromised, but it makes for an awkward user experience on a mobile phone and takes longer to process. Biometric methods should be deployed and offered depending on the use case and the situation: facial recognition might be easier to use in a public place than voice, while voice is acceptable in private settings.
The industry is still looking for alternatives to passwords, and biometrics remain a good option. The OPM breach and its consequences reinforce the need for layered security. Banks, governments and businesses cannot rely on single-factor authentication. Multi-factor should not be a password followed by another password, such as an SMS one-time password, since both can be phished or intercepted. An effective approach is to validate both the device and the identity: bind the login to a key held on the enrolled device and let the biometric release that key, rather than having the app report a yes/no match to the server. Innovators in the security space are already rolling out biometrics in conjunction with token codes and anomaly detection, which is the correct approach to deploying biometric authentication.
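As an added example (not code from the original post), the Python below contrasts the weak pattern described above, in which the app reports a local fingerprint match and the server trusts that flag, with the "validate the device and the identity" approach: the server issues a random challenge, a successful local biometric match releases a device-bound key that answers it, and the server verifies the answer, consumes the challenge so it cannot be replayed, and enforces a time limit. The two bank servers, the user name and the DeviceKeystore class are constructed for illustration. The device key is an HMAC secret shared at enrollment so the block runs on the standard library alone; a real deployment keeps an asymmetric private key in the Secure Enclave or hardware keystore and enrolls only the public key, and the server-side check has the same shape.

```python
"""Constructed example: why a server must not trust a client's 'fingerprint matched' flag.

ASSUMPTION: the device key is an HMAC secret shared at enrollment (stdlib only).
A real system keeps an asymmetric private key in the Secure Enclave and enrolls
only the public key; the verification steps below are otherwise the same.
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 60  # how long an issued challenge stays valid


class NaiveBankServer:
    """Vulnerable pattern: the match happens on the phone, the server only sees a flag."""

    def __init__(self):
        self.sessions = set()

    def login(self, user_id, client_msg):
        # Hooking the app's local-authentication callback, or forging/replaying the
        # request, yields biometric_ok=True without any finger on the sensor.
        if client_msg.get("user") == user_id and client_msg.get("biometric_ok") is True:
            self.sessions.add(user_id)
            return True
        return False


class DeviceKeystore:
    """Stands in for the hardware keystore: the key never leaves, and is usable only after a match."""

    def __init__(self, device_secret):
        self._secret = device_secret

    def answer_challenge(self, biometric_matched, challenge):
        # The biometric gates use of the key; the fingerprint itself is never transmitted.
        if not biometric_matched:
            return None
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class HardenedBankServer:
    """Challenge-response against a device-bound key: forged flags, replays and stale answers fail."""

    def __init__(self):
        self.enrolled = {}    # user_id -> device verification secret (public key in a real system)
        self.challenges = {}  # user_id -> (challenge bytes, issue time)
        self.sessions = set()

    def enroll_device(self, user_id):
        device_secret = secrets.token_bytes(32)
        self.enrolled[user_id] = device_secret
        return DeviceKeystore(device_secret)

    def issue_challenge(self, user_id, now=None):
        challenge = secrets.token_bytes(32)
        self.challenges[user_id] = (challenge, time.time() if now is None else now)
        return challenge

    def login(self, user_id, client_msg, now=None):
        now = time.time() if now is None else now
        # A bare "biometric_ok" flag is ignored; only a valid signed challenge counts.
        response = client_msg.get("challenge_response")
        pending = self.challenges.pop(user_id, None)  # single use: consumed even on failure
        secret = self.enrolled.get(user_id)
        if response is None or pending is None or secret is None:
            return False
        challenge, issued_at = pending
        if now - issued_at > CHALLENGE_TTL_SECONDS:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self.sessions.add(user_id)
        return True


def run_scenarios():
    """Returns the outcome of each scenario against both servers (True = login accepted)."""
    results = {}
    user = "alice"  # constructed test user

    naive = NaiveBankServer()
    forged = {"user": user, "biometric_ok": True}  # attacker never touched the sensor
    results["naive_accepts_forged_flag"] = naive.login(user, forged)

    hardened = HardenedBankServer()
    keystore = hardened.enroll_device(user)
    results["hardened_rejects_forged_flag"] = hardened.login(user, forged)

    # Legitimate flow: server challenge -> local match releases the key -> signed answer.
    challenge = hardened.issue_challenge(user, now=1000.0)
    legit = {"user": user, "challenge_response": keystore.answer_challenge(True, challenge)}
    results["hardened_accepts_legit"] = hardened.login(user, legit, now=1001.0)

    # Replaying the captured answer fails: the challenge was consumed on first use.
    results["hardened_rejects_replay"] = hardened.login(user, legit, now=1002.0)

    # Without a biometric match the keystore refuses to use the key at all.
    challenge = hardened.issue_challenge(user, now=2000.0)
    results["no_match_releases_no_key"] = keystore.answer_challenge(False, challenge) is None

    # A correct answer that arrives after the TTL is rejected as stale.
    late = {"user": user, "challenge_response": keystore.answer_challenge(True, challenge)}
    results["hardened_rejects_expired"] = hardened.login(user, late, now=2000.0 + CHALLENGE_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The key design point is that the server never consumes a client-asserted "match succeeded" value; it consumes proof that the enrolled device's key was used on a challenge the server itself generated, which is only possible if the local biometric gate opened. Token codes and anomaly detection layer on top of that binding rather than replacing it.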