Understanding Biometric Security — by Nils Gerhardt, Chief Technology Officer at Utimaco
The age of the password is over – passwords have shown themselves to be too easily exploited to form the backbone of digital security. Passwords can be stolen, brute-forced or guessed, and, given that 70% of people reuse passwords, guessing is very easy.
Typically, bad actors buy a list of email addresses and, after gaining access to a site’s shadowed password file, try each candidate password against the stored encrypted passwords until they get a hit.
When they get a hit, they use that password on the site itself – trying every candidate password against the live site would most likely trigger a lockout, so that approach is rarely used.
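To show the defender’s side of the attack just described, here is an added example (not from the original article, and not Utimaco’s or any vendor’s code) of how a site can make a stolen password file far less useful and blunt online guessing: every password is stored under a per-user random salt with a slow key-derivation function, so two accounts that share a password yield different stored hashes and no precomputed list maps straight onto the file; passwords found in a breach corpus are refused at registration; and repeated wrong guesses lock the account. The breach list, account names and passwords are constructed for the demo, and the iteration count is kept small so it runs quickly.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a breached-password corpus (real checks use a large
# published list, queried by hash prefix rather than plaintext).
BREACHED_PASSWORDS = {"password1", "123456", "qwerty", "letmein"}

# Kept deliberately small so the demo runs quickly; production deployments use a
# far higher count (or a memory-hard KDF such as Argon2id).
KDF_ITERATIONS = 50_000
MAX_FAILURES = 5


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return salt, digest


class AccountStore:
    """Minimal account database: salted, slow hashes plus a lockout counter."""

    def __init__(self):
        self.users = {}  # name -> {"salt": bytes, "hash": bytes, "failures": int}

    def register(self, name: str, password: str) -> None:
        if password in BREACHED_PASSWORDS:
            raise ValueError("password appears in a breach corpus; choose another")
        salt, digest = hash_password(password)
        self.users[name] = {"salt": salt, "hash": digest, "failures": 0}

    def attempt_login(self, name: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        record = self.users.get(name)
        if record is None:
            # Spend the same KDF cost for unknown users so response timing does
            # not reveal which usernames exist.
            hash_password(password)
            return "denied"
        if record["failures"] >= MAX_FAILURES:
            return "locked"  # no further guesses are evaluated, even correct ones
        _, digest = hash_password(password, record["salt"])
        if hmac.compare_digest(digest, record["hash"]):
            record["failures"] = 0
            return "ok"
        record["failures"] += 1
        return "locked" if record["failures"] >= MAX_FAILURES else "denied"


def same_password_different_hashes(store: AccountStore, user_a: str, user_b: str) -> bool:
    """True when two accounts' stored hashes differ (they do, thanks to per-user salts)."""
    return store.users[user_a]["hash"] != store.users[user_b]["hash"]


if __name__ == "__main__":
    store = AccountStore()
    # Constructed accounts; both users reuse the same passphrase.
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")
    print("salted hashes differ:", same_password_different_hashes(store, "alice", "bob"))
    print("right password:", store.attempt_login("alice", "correct horse battery staple"))
    for _ in range(MAX_FAILURES):
        print("wrong guess:", store.attempt_login("alice", "hunter2"))
    print("right password after lockout:", store.attempt_login("alice", "correct horse battery staple"))
```

The lockout counter is what makes online guessing impractical, and the salt plus slow KDF is what stops a leaked file from being matched against a bought list in bulk; the breach-corpus check addresses the reuse problem at the point where the password is chosen.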
However, new hardware devices are making it possible to avoid using passwords for anything from logging into websites to accessing restricted areas.
Combining biometric security with smart design and the latest authentication protocols, they could become part of everyday life for millions of people as we move out of the age of passwords and into a new age of much stronger security.
The password age
Passwords create a major problem for online businesses and an even larger problem for businesses and government organizations that handle sensitive information.
It has been known for a long time that foreign espionage groups use free USB sticks and phone chargers to install keylogging software on target computers, and this technique would only work if passwords remain the most important means of validating users.
Alphanumeric passwords are the standard not only for logging into websites, but in thousands of other places, the most notable being the PIN numbers used in bank cards, to unlock phones and in entry keypads.
A person looking over your shoulder could quite easily access your bank account, phone (and with it every other password stored on it) or even your home or office.
An alphanumeric password is far more likely to be compromised by an eavesdropper or ‘social engineer’ than it is to be ‘hacked’.
Common encryption standards like RSA would take trillions of years to ‘brute-force’, so techniques like phishing were used in high-profile penetrations like the 2016 DNC hack. Increasing the complexity of passwords and mandating that each one be unique will only make passwords so complex that most people won’t be able to use them.
Two-factor or multi-factor authentication increases the security of password-based systems by adding other factors, but because it effectively doubles the login effort it is rarely used; as a result, almost every compromised Microsoft account was one that did not use multi-factor authentication even though it was available.
Passwordless Security as it stands today
The concept of biometric security has been around for as long as alphanumeric passwords – you could argue that recognizing somebody by their face predates writing, and quite possibly humans themselves.
Modern biometric security methods such as fingerprint readers, facial recognition and behavioral biometrics have become integrated into everyday life.
Although they are easier to use and more secure than alphanumeric passwords, the various kinds of biometric authentication still rely on information being sent from one place to another (for example, a fingerprint reader sending a user’s fingerprint to a cloud server where it will be verified). Although it will be encrypted in transit, there is still the possibility that it could be intercepted at either end – if the fingerprint reader or even the cloud server is compromised, for example.
Many of us will already be using fingerprint security to unlock our phones, and an increasing number of us will use Near Field Communication (NFC) at least somewhere, whether that is using your phone to pay for a purchase, unlocking a door with a key fob or logging into sensitive systems (the NHS uses NFC cards to log users in to its computer network, for example).
The FIDO security standard allows users to use NFC or USB keys to log in to websites, meaning that only a key holder would be able to log into an account.
Of course, an NFC key card can be used by anyone, and there is no way of verifying that the person using a key is its correct user without another form of verification.
These developments are coming at a time when quantum computers are being developed that may be able to break the cryptography used in passwords in a way that contemporary computers cannot.
This would mean that every piece of data not secured by one of the newly developed quantum-resistant algorithms would be insecure, and bad actors wouldn’t even need to use phishing or social engineering to break passwords — they would only need access to a quantum computer and time.
What biometric security in cyber space could look like
So, both of the potential replacements for passwords have downsides, but Pone Biometrics, a Nordic, R&D-driven cyber tech company, has developed a card-based biometric security system that removes both of these limitations and gives governments, companies and individuals a very powerful way of verifying their identity, on and offline.
Their solution is to have a fingerprint reader on a card that acts as a microcomputer, with its own operating system and the ability to add embedded applications to extend its use.
If a user wants to log into a website or open a door, they tap the card while pressing their thumb or finger on the reader.
The onboard computer checks their print and transmits the encrypted verification to the device securely, meaning that very little is sent between devices.
The cards themselves are only active when in use, so there is no possibility of their being ‘skimmed’ while a user believes they are inactive, and a visual display shows when the card is in use.
The internal battery can last 2-3 weeks between charges, and the card even has a failsafe system that protects users from being forced to use it: they can enrol a ‘failsafe finger’ that will wipe the device if it is used.
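The following added example (my own illustration, not Pone Biometrics’ or Utimaco’s code) models the card as described above: fingerprint templates are matched on the card and never leave it, the card answers a relying party’s fresh challenge with a short response bound to that party, a replayed response fails, and a ‘failsafe finger’ wipes the card’s credentials. Because the Python standard library has no public-key signatures, the response is an HMAC over a per-card secret shared at enrolment, a stand-in for the signature a FIDO authenticator would produce; the fingerprint scans, user names and relying-party name are constructed byte strings, and a hash comparison stands in for real fuzzy matching.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def template(scan: bytes) -> bytes:
    """Hypothetical template extraction: a hash of the scan stands in for real
    (fuzzy) fingerprint matching, which this demo does not attempt."""
    return hashlib.sha256(scan).digest()


@dataclass
class Card:
    """The card: templates and per-relying-party secrets never leave it."""
    normal_template: bytes
    duress_template: bytes  # the 'failsafe finger'
    credentials: dict = field(default_factory=dict)  # rp_id -> secret
    wiped: bool = False

    def enrol(self, rp_id: str) -> bytes:
        """Create a credential for a relying party. The secret is handed over once,
        at enrolment (a FIDO authenticator would hand over a public key instead)."""
        secret = secrets.token_bytes(32)
        self.credentials[rp_id] = secret
        return secret

    def tap(self, rp_id: str, challenge: bytes, scan: bytes):
        """Match the finger on-card; return a 32-byte response, or None (nothing sent)."""
        if self.wiped:
            return None
        t = template(scan)
        if hmac.compare_digest(t, self.duress_template):
            self.credentials.clear()  # failsafe finger: destroy every credential
            self.wiped = True
            return None
        if not hmac.compare_digest(t, self.normal_template):
            return None
        secret = self.credentials.get(rp_id)
        if secret is None:
            return None
        # The response is bound to this relying party and this challenge only;
        # the scan and the template stay on the card.
        return hmac.new(secret, rp_id.encode() + challenge, hashlib.sha256).digest()


class RelyingParty:
    """A door controller or web service: keeps enrolment secrets, issues fresh challenges."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.registered = {}  # user -> secret
        self.pending = {}     # user -> outstanding challenge

    def enrol(self, user: str, card: Card) -> None:
        self.registered[user] = card.enrol(self.rp_id)

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(32)
        self.pending[user] = c
        return c

    def verify(self, user: str, response) -> bool:
        c = self.pending.pop(user, None)  # each challenge is usable exactly once
        secret = self.registered.get(user)
        if c is None or secret is None or response is None:
            return False
        expected = hmac.new(secret, self.rp_id.encode() + c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenario() -> dict:
    """Walk through genuine use, replay, a wrong finger and the failsafe finger."""
    # Constructed scans: a real reader yields sensor data, here they are byte strings.
    card = Card(template(b"alice-right-thumb"), template(b"alice-left-index"))
    rp = RelyingParty("door.example")
    rp.enrol("alice", card)
    results = {}

    # 1. Genuine tap: the only thing on the wire is the 32-byte response.
    resp = card.tap(rp.rp_id, rp.challenge("alice"), b"alice-right-thumb")
    results["genuine"] = rp.verify("alice", resp)
    results["wire_bytes"] = len(resp)

    # 2. A captured response replayed against a new challenge is rejected.
    rp.challenge("alice")
    results["replay"] = rp.verify("alice", resp)

    # 3. Wrong finger: the card refuses and transmits nothing.
    results["wrong_finger"] = card.tap(rp.rp_id, rp.challenge("alice"), b"stranger") is None

    # 4. Failsafe finger: the card wipes itself; the relying party just sees a failure.
    results["duress"] = rp.verify("alice", card.tap(rp.rp_id, rp.challenge("alice"), b"alice-left-index"))
    results["wiped"] = card.wiped
    results["after_wipe"] = card.tap(rp.rp_id, rp.challenge("alice"), b"alice-right-thumb") is None
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Binding the response to the relying-party identifier is what gives this kind of card its phishing resistance: a response produced for one service is useless at another, and because each challenge is consumed on first use, an intercepted response cannot be replayed.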
These cards could end up being used wherever there is currently the need for authentication – a government employee could use the same device to access sensitive information while at work and use it to open the door to their home and log in to accounts on their home computer.
Of course, quantum computers could break even the heightened cryptography used to protect biometrics, meaning that it needs to be integrated into any new security systems from the start.
This is something we at Utimaco have been pursuing for several years, becoming one of the key hardware companies developing technology to counter quantum computers years, perhaps even decades, before they are widely available.
By combining next-generation biometric security cards with future-proof quantum resistance we can enter a post-password world.