Biometrics: the future of information security
Hackers are assaulting business from all sides. Increasingly, technology is needed to prevent them from stealing passwords and hijacking the credentials that can provide easy access to sensitive data. Biometrics, has been advancing steadily for many years, and can now offer methods of authentication that can’t easily be stolen or replicated by those with malicious intentions.
Biometrics can be classified as the automated recognition of individuals based on their behavioural or biological characteristics. The main advantage of physiological biometrics is permanence: most of the features it draws on are stable and do not vary with time. Fingerprints, for example, don’t change. Neither do the unique, scannable patterns of our eyes. Most commercial applications adopt the physiological format – think of the fingerprint scanner on a smartphone or Apple’s new FaceID.
But, our physical traits are not the only things that make us unique. In fact, research suggests that routine tasks such as the way we speak, write or type are governed by a set of actions that can be just as unique. That’s why behavioural biometrics are arguably ‘more secure’ as these traits are significantly harder to steal or replicate. Some common examples used by commercial applications include, signature recognition, mouth movement analysis and typing rhythm - which can even be extended to an individuals’ most common spelling mistakes.
Where we currently stand, there is no single universal biometrics solution that works for the whole population. Especially when it comes to the physiological biometric options – some individuals’ fingers don’t possess the usual friction ridges required for a fingerprint system, similarly irregular shaped irises can make using this method of authentication problematic.
Biometric use in Information Security
Authentication is becoming increasingly difficult to maintain in our digital world. No matter the field or use, all authentication systems use one or more of the following factors of identification; something you know (i.e. a password), something you have (i.e. an ID badge or mobile device through 2FA), and something you are (i.e. a fingerprint, or your typing rhythm).
Part of the reason why the first two are becoming less effective, and hence, a greater security risk, is they are becoming increasingly easy for cybercriminals to steal, learn, or replicate in order to impersonate an individual. The strongest levels of authentication will utilise all three factors of identification.
A large majority of data breaches result from weak authentication protocols – cybercriminals are able to obtain the credentials of users and gain access to an organisations’ most valuable assets within their IT infrastructure. In fact, some reports suggest that four fifths of hacking related breaches involved the leveraging of either compromised or weak passwords. Like any security solution, biometric technology offers no guarantees when defending against a data breach, they are inevitably fallible – however, the goal here is to reduce the possible risk. Biometrics measure similarity, not identity. So, a match represents a probability of correct recognition. Likewise, a non-match represents a probability, rather than a definitive conclusion.
Measurements from an individual that meet a certain threshold compared to the reference data are considered to be a match. And even the best-designed biometric system can theoretically yield incorrect or indeterminate results. But when incorporated into other systems, it does increase an organisations’ level of defence when reducing the number of stolen user credentials due to a number of factors:
- Real time detection: Although in most cases, criminals spend days, weeks or even months in the IT system before being detected, they sometimes access the most critical data in the first few minutes. This is why it’s crucial to detect attackers as soon as possible.
- Continuous monitoring in a non-obstructive way: One-off authentication is useless if an external attacker has compromised user credentials. Users find multiple authentications cumbersome and annoying so they are likely to circumvent them wherever possible. Continuous, behaviour-based monitoring offers the best approach to authentication.
- Reasonable accuracy: With security teams already overwhelmed by thousands of false alerts, a technology producing even more false positive alerts is not a practical option.
Considering these requirements, mouse movement analysis and keystroke analysis are the only options that provide real time, continuous accurate authentication.
Mouse movement analysis - the basic principle of mouse movement analysis is not the position of the mouse cursor, but the relative extent of position as it changes. The most obvious factor is the speed of mouse movement. The idle time between a mouse movement and a click is as typical as the elapsed time between two clicks of a double click. Through analysing these traits, you can gauge if a users’ mouse movement deviates from their baseline behaviour.
Keystroke dynamic analysis - analyses the manner and rhythm with which a person types on a keyboard. The most typical values regarding a keystroke are dwell time (the time a key pressed) and flight time (the time between releasing a key up and pressing the next key down). What’s more there are other useful methods to identify patterns regarding the usage of a keyboard as well. Special function keys are used differently by each user. One person might favour the right shift button over the left or the backspace button over the delete button. The time taken to press a key also varies, as it depends on the size of the individual’s hands. Based on that information, it is possible to create a group of keys that are also unique to each user.
One of the first things every IT security professional needs to know is that there are no “silver bullets” in cyber defence. But through introducing layered security mechanisms, with biometrics at their heart, they can increase security of the entire ecosystem. If an attack causes one security mechanism to fail, other biometric mechanisms will kick in to protect the system.
Organisations can introduce these behavioural and physiological solutions easily, without subjecting their employees to obtrusive examinations. More importantly, they provide results in real-time, so IT security teams are able to monitor the activities of users continuously and accurately all day, all year round.
Csaba Krasznay, Security Evangelist, Balabit