Biometrics: A Leading Authenticator Within The Enterprise?



Dan Gunderman
05/03/2018

As more and more digital transformations occur within the workplace, the wider the security surface becomes for security teams.

CISOs and others are now tasked with bolstering the perimeter, ensuring sufficient access, protecting the “crown jewels,” monitoring threats in real time, etc. Identity and Access Management (IAM) is also a pressing issue, as an increasing amount of breaches can be traced to “insider” threats and even nation-state actors working vis-à-vis operatives to lift data.

What this means is that IAM and Privileged Access Management (PAM), or contained access to admin accounts, both take on an entirely new level of importance. The security team – and its platform – is charged with administering proper access; its solutions must detect anomalous activity and be able to mitigate inherent risks.

As multi-factor authentication (MFA) – or the insertion of multiple methods to gain access to a system – proliferates, the password has waned. This is only magnified alongside the emergence of biometrics as an authenticator. Some consumer-facing systems and agencies are using biometrics as means to bring heightened security and precision to the login/access process.

NIST & Behavioral Biometrics

The NIST Cyber Security Framework – and its subsequent revision – takes into account IAM, Authentication and Access Control. According to Frances Zelazny, Vice President of BioCatch, 30% of U.S. organizations use the NIST Framework. That means its principles are applicable to large-scale cyber efforts in the workplace.

What’s more, according to Zelazny’s piece for The Hill, the implementation of behavioral biometrics addresses the IAM/authentication issue that NIST aims to enhance. The VP said that by using behavioral biometrics, enterprises can detect fraud and prevent unauthorized access (with bio-related means to enter, plus ongoing monitoring).

See Related: User Security Begins With Access Management

Instead of inserting static credentials to access a system, or using dated methods to verify personally identifiable information (PII) being entered into applications, behavioral biometrics could be the key. Zelazny said it verifies that online applications are being utilized by actual users and tests for fluency and familiarity.

NIST guidelines suggest that authentication be commensurate with the level of risk associated with the entry. To Zelazny, behavioral biometrics provides an analytical tool to flesh out risk. And that goes beyond MFA. It actually monitors user behavior during the duration of the visit and detects anomalous activity.

The beauty of the “behavioral” aspect of biometrics also comes with the raising of “red flags.” That is to say that this platform can demand additional authentication measures if there is suspicion – entering a password, using a fingerprint or facial scan, etc.

Positively ‘Aadhaar’

For many, reaching the biometric portion of this conversation is a journey in itself (without the real-time, diagnostic capabilities of the behavioral platform).

In a Forbes piece compiled by its Technology Council, Chalmers Brown, Co-Founder and CTO of Due, credited biometrics with being a wave of the future for cyber security. He said, “Biometrics will become a critical part of cyber security and encryption going forward because it’s nearly impossible to replicate.”

Both fingerprints and facial scans – and the difficulty in replicating them – become a true positive for security teams looking to tighten and control access.

Much of the discussion around biometrics can also be credited to an expansive system in India which houses biometric data of citizens to streamline daily transactions – governmental, financial, etc. According to corporate lawyer and TV commentator Adriana Sanford in an episode of “Task Force 7 Radio,” as recapped on the Cyber Security Hub, the Aadhaar Identity Program encompasses 92% of India’s population.

See Related: Insider Threats Are The 'Next Big Wave Of Attacks': Securonix CEO & CTO

The system was initially created to facilitate welfare payments and provide medical services. By 2016, the World Bank’s World Development Report called the system helpful in assisting disadvantaged groups. It has since become a widely accepted system in the nation. It’s used to open accounts, authenticate loans, file taxes, etc. Sanford said the system handles 100 million authentications per day.

Biometrics In The Enterprise

Impenetrable? An Indian Use Case

In fact, India’s Chief Information Security Officer in the Prime Minister’s Office, Gulshan Rai, recently told The Hindu that the Aadhaar biometric system is “100% secure” and that its central part has “maximum security…behind several rings of protection.”

Further, Sanford also pointed out that the Aadhaar system was closely monitored by other nations around the world looking to emulate it. She said countries like Russia, Morocco, Tanzania, Bangladesh and others may be “interested” in the system. France was also looking at collecting a database of passwords and identification cards for millions of citizens, she noted.

So, while this form of authentication proliferates around the world, its applicability naturally transfers over to the business: How effective can it be, though? How realistic can it be?

The Age-Old Password And More

With data breaches escalating and hackers hovering over high-traffic networks, administrators are questioning the password’s effectiveness. Can the static input be present in a space disrupted by new and promising technology? Once a password is replicated, figured out or mined on the Internet/social media, a threat actor could access and tamper with critical data within seconds. In fact, he or she could take down an entire operation in the same timeframe.

Martijn Grooten, Editor of Virus Bulletin, who’s worked in web development, anti-spam products and web filters, told the Cyber Security Hub: “I think passwords are gradually going to become less prominent, certainly, as the sole way of authentication. Biometrics is one way for enterprises to authenticate their users, whether they’re employees or clients.”

With biometrics (and behavioral biometrics especially in the workplace), access controls are naturally fortified (not impenetrable, but fortified). These identifying bits of information, tailored to the individual, cannot be replicated. That means there is a unique profile for each user on a system. So long as its integration is fairly seamless, it can be a top-tier – and required – enterprise tool.

Grooten added: “Of the three possible authentication factors (something you know, something you have and something you are) biometrics (something you are) are the most difficult to either forge or steal, making them ideal for enterprises.”

The cyber expert opined that implementation of a biometrics system is widely supported in third-party software and apps. “Rolling it out would be relatively straightforward,” Grooten said.

“My main concern would be that for various reasons…biometric authentication fails to work and an important user is locked out,” he continued. “And related to that, various ‘backdoors’ built in to let those users in anyway, which then can be abused by malicious actors.”

Nevertheless, biometrics appears to be a trending resource in consumer-facing operations, as well the workplace (though not at such a meteoric pace).

Be Sure To Check Out: GDPR And Cyber Security: A Critical Juncture