The Real Risks of Biometric Authentication

Is biometric authentication putting your employees at risk?

July 12, 2023


While biometrics are often promoted as a revolutionary security enhancer, the method is far from bulletproof and could put organizations and their employees at serious risk. Here, Julia O’Toole, CEO of MyCena Security Solutions, explains why.

Every year, World Password Day provides an opportunity for cybersecurity experts across the world to share their wisdom on what organizations can do to improve their digital access security.

Traditional, employee-generated passwords have long been touted as a security risk for businesses, so World Password Day is a chance to promote alternative network authentication tools, and one of the key themes to once again garner attention this year was biometric security. 

Biometric authentication identifies a person from their biometric data, such as a fingerprint, facial scan, voice, or any other unique feature of their body. Biometric data are unique to each individual and inseparable from them, so there is nothing to remember in order to use them, and this type of authentication is often promoted as a secure way to verify a person’s identity. But is this really the case?

Three Possible Fail Points of Biometric Data

While it is indeed difficult for a person to steal another person’s face, voice or fingerprints in the physical world, the reality is quite different in the digital world, and there are three characteristics of biometric data that make them particularly ill-suited to guaranteeing authentication security.

1. Biometric data is digital data stored as 1s and 0s

Many people think their biometric data is unique and tamper-proof. But while this is true in the physical world, where it is indeed difficult to falsify an iris, a fingerprint or a face, it does not apply to the digital world. 

Biometric data are digitized data, i.e., stored as 1s and 0s on a server. Once saved, they can be copied into backup files and stored on servers anywhere in the world. The risk is that if access to one of those servers is compromised, these files and the biometric data they contain can be stolen and copied without anyone noticing.

2. Biometrics cannot be changed

Because it is inseparable from its owner, biometric data cannot be changed easily, whereas passwords can be changed at will. This makes biometric data particularly sensitive and vulnerable if stolen, as it eternally exposes its owner to identity theft, even after their death, thanks to spectacular advances in AI.

3. Biometrics are not private

The highest risk with biometric authentication is that a person’s biometric data is not private but public, since people live mostly in societies with their faces uncovered and communicate with their voice.    

Thanks to technological advances and AI, criminals can easily recreate biometric data from photos or voice recordings of a person, take their identity, scam their loved ones, or access their online accounts. 

In 2014, a hacker reconstructed the fingerprints of Ursula von der Leyen, Germany’s then defense minister, from a high-definition photo of her hand. With AI tools, criminals can easily and cheaply reproduce a voice with an audio sample of just a few sentences. In 2022, 36,000 cases of identity theft scams were reported, where imitations of family members’ voices convinced people that their loved ones were in distress and needed financial help. Many people fell into the trap and lost thousands of dollars, with some receiving ransom demands of up to $1 million.


The Risks of Biometric Authentication in the Enterprise

Organizations that use their employees’ biometrics expose themselves to even more risks.

  1. Biometric data is employees’ personal data that does not belong to organizations. If stolen at work, it can cause irreversible damage to employees in their personal lives. 
  2. The theft of biometric data outside the workplace can allow criminals to access company data. When organizations ask their employees to use their biometrics for authentication, they suddenly lose control over their security. 

Regain Access Control 

With 95% of breaches caused by human error, it’s no wonder organizations have turned to biometric authentication to address these errors. However, the theft of biometric data has become so widespread that it is no longer a viable methodology for authenticating employees. 

Rather than exposing employees to these exponential risks, it is safer for organizations to regain control of their access and put security back under their own responsibility, not under the control of their employees.  

Organizations can use access segmentation and encryption management solutions that allow them to generate strong, independent and unbreakable passwords from a centralized console and distribute them encrypted to their employees, so that no one ever sees or knows them. 

By keeping control of their access, organizations ensure that passwords remain encrypted from end to end. All the user has to do is find the right password and use it, just as we do with physical keys in the real world. After all, passwords are only keys, but digitized. And no one would think of cutting their own keys before going home. It’s the same in the digital world.

On top of eliminating 95% of security breaches, which come from humans handling credentials, this method allows the segmentation of all accesses, preventing a breach of one system from spreading inside the network and leading to a network takeover. Segmentation reinstates internal digital doors and stops attackers from travelling across the network after a breach, limiting the potential damage and preventing ransomware. This also takes a huge burden off employees’ shoulders: they no longer have to remember passwords or worry about being targeted by phishing attacks, since they can’t reveal information that they don’t know.

Biometrics are often touted as the number one security solution today, but when organizations force their employees to use them, they are exposing themselves and their staff to serious and irreversible risks. Instead, business leaders should look to reduce their exposure to biometrics theft, remove passwords from their employees’ knowledge, and keep full control over their digital access. Only then do they have a chance against cybercriminals.


Julia O’Toole
Julia O’Toole is the founder and CEO of MyCena Security Solutions, the pioneer and market leader in Access Segmentation and Encryption Management (ASEM). MyCena makes digital access unbreakable. It eliminates more than 82% of data breaches by removing the risk of human errors in cybersecurity. Julia is an inventor and author of multiple patents, using maths, neuroscience and technology to deliver innovative solutions to solve complex problems. Julia holds a degree in computational and applied mathematics from the Paris Dauphine University.