Biometrics: Physical attributes vs. behavioural patterns – the privacy debate

Robert Capps, VP, business development,
NuData Security

Account takeovers are increasingly affecting a growing population of online user accounts due to a confluence of threats, such as weak consumer password practices, frequent mass data breaches and brute force attacks against web properties. The scope, scale and frequency of these online attacks against user accounts has demonstrated time and again that companies can no longer rely upon authentication methods based on static elements that can and will be stolen, traded and sold to the highest bidder in underground markets.

These trends have recently led organisations to consider the use of human biometric characteristics to supplement standard, but weak, single factor authentication schemes that have historically relied on a shared secret, such as a password, to validate that the rightful owner of an online account is the one who is accessing it, says Robert Capps, vice president of business development at NuData Security. As these organisations investigate advanced authentication methods, they face an environment where the term “biometrics” has become an industry buzzword that encompasses a number of human second-factor solutions from “selfie” based facial recognition, to fingerprint and iris scans, behavioural patterns, voice – even the human heartbeat.

As such technology is increasingly proposed and used in online and offline transactions, the use of biometric factors is rapidly becoming an area of concern from a data privacy and security perspective.

When most people who do not live and breathe online security hear the word “biometrics”, they immediately think of Tom Cruise in Mission Impossible, using physical attributes such as fingerprints, handprints, retinal scans, voice prints and facial recognition to secure access to some highly protected asset or location. For some reason, they don’t generally link the use of these elements to facilitating a secure login to an ecommerce, banking or social media website.

Tom Cruise in Mission Impossible

While the use of these physical biometric factors has been a boon for physical security, where the person to be authenticated physically presents themselves for enrolment and subsequent authentication, many of these factors quickly lose effectiveness in an online world, where the user enrols and authenticates themselves remotely through a consumer-grade device that they own and control.

There are several factors companies must consider before relying on physical biometric technology to authenticate users in an online environment. The first consideration is that using only one physical biometric data point to authenticate a user at the time of login is essentially the same as adding a static second password – albeit one that can never be changed if compromised.

Perhaps the most significant issue with relying on physical biometrics for online authentication is that they can be captured, and in some cases reused. Let’s take a fingerprint as an example – use of such a physical biometric attribute is akin to when an employee was caught writing a password on a Post-It note, but instead of it being pasted on their computer screen, they simply leave a copy behind everywhere they go. Humans leave behind biometric traces with every glass they pick up, every piece of gum they discard and every camera that records their image.

Unlike passwords or credit card numbers, a person’s physical biometric attributes can never be changed, resulting in privacy and identity concerns if a high quality reproduction of a biometric element were to be obtained by a malicious actor. Just this past September, 5.6 million fingerprints were stolen from the Office of Personnel Management. From a security perspective, there are several possible use cases where compromised biometric data, like that taken from the OPM, can be used to access accounts without the user being present. The infamous gummy bear attack against a newly released product with embedded fingerprint scanning, for example, was a variation on a well-known physical hack for in-person fingerprint scanners dating back to 2002.

Alarmingly, as authentication of high value transactions increasingly moves to multi-factor authentication using some form of physical biometric, there is a real potential for criminals to shift their focus to obtaining the biometric identifier, with violence. For this reason alone, many companies are steering well clear of utilising physical biometrics.

With this in mind, not all biometric factors have the same risk of impersonation or lack of effectiveness when used to authenticate online interactions.

A much less invasive, and more consumer friendly, technique leverages signals generated by the way in which a human interacts with the world around them. When taken in aggregate, such behavioural signals are highly effective at identifying repeat good users, are self-enrolling, and are tolerant of changes in the patterns presented as a user’s behaviour naturally changes over their lifetime.

For an example of how behavioural data is useful in identifying a legitimate account holder, think about how you use your smartphone to interact with a website or application. Do you realise that you have a unique way of holding your mobile device that’s different from other people, if only slightly? Does your phone tilt a little to the left? Do you normally hold your phone in portrait or landscape mode? Do you use your index fingers or thumbs to type? How hard do you press on the screen when you hit each key?

This method, dubbed “behavioural biometrics”, aggregates hundreds of these human and interaction signals, creating a unique signature for each authentic user.

Using these subtle signals and unique signatures, organisations can easily identify when the account owner is not the one attempting to authenticate, even if the correct login and password are used in conjunction with the authentic account holder’s computer or mobile device.

Unlike physical biometrics, the behavioural signals that make up a behavioural biometric profile cannot be stolen, duplicated or reused – so they have no value to criminals. Even if a high fidelity copy of an authentic user interaction were made, the mere attempt to replay that past interaction would, in itself, be an anomaly that is out of pattern for any human user.
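To make the two ideas above concrete (a profile aggregated from interaction signals such as tilt, orientation, thumb use and key pressure, and the observation that an exact replay of a past session is itself out of pattern), here is an added toy scorer. It is illustrative code written for this page, not NuData’s system; the signal names, the constructed sample sessions and the z-score threshold are all assumptions.

```python
"""Toy behavioural-biometric scorer (added example, not the vendor's product).

Each session is a dict of the interaction signals the article mentions:
device tilt in degrees, share of time in portrait mode, share of keystrokes
made with thumbs, and mean key pressure (0..1). Enrolment is just a per-signal
mean and standard deviation over past sessions; a new session is scored by its
mean absolute z-score, and a bit-for-bit repeat of an enrolled session is
flagged as a replay before any similarity scoring happens.
"""
from statistics import mean, pstdev

SIGNALS = ("tilt_deg", "portrait_ratio", "thumb_ratio", "key_pressure")

# Constructed enrolment sessions for one user (not real telemetry).
ENROLLED = [
    {"tilt_deg": -6.0, "portrait_ratio": 0.90, "thumb_ratio": 0.95, "key_pressure": 0.42},
    {"tilt_deg": -5.0, "portrait_ratio": 0.85, "thumb_ratio": 0.90, "key_pressure": 0.45},
    {"tilt_deg": -7.0, "portrait_ratio": 0.95, "thumb_ratio": 1.00, "key_pressure": 0.40},
    {"tilt_deg": -4.5, "portrait_ratio": 0.80, "thumb_ratio": 0.90, "key_pressure": 0.44},
]


def build_profile(sessions):
    """Self-enrolling profile: (mean, std) per signal, std floored to avoid /0."""
    profile = {}
    for s in SIGNALS:
        vals = [x[s] for x in sessions]
        profile[s] = (mean(vals), max(pstdev(vals), 1e-3))
    return profile


def anomaly_score(profile, session):
    """Mean absolute z-score across all signals; ~0 for the enrolled user."""
    return mean(abs(session[s] - m) / sd for s, (m, sd) in profile.items())


def is_replay(sessions, session, tol=1e-9):
    """A human never reproduces a past session exactly; an exact match is a replay."""
    return any(all(abs(p[s] - session[s]) <= tol for s in SIGNALS) for p in sessions)


def assess(sessions, session, threshold=3.0):
    """Return 'replay', 'anomaly' or 'match' for a newly observed session."""
    if is_replay(sessions, session):
        return "replay"
    score = anomaly_score(build_profile(sessions), session)
    return "anomaly" if score > threshold else "match"
```

Real deployments aggregate hundreds of signals and tolerate drift by re-enrolling on accepted sessions; the threshold here is arbitrary and would be tuned against false-accept and false-reject rates.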

Collecting behavioural biometric data is non-invasive for the consumer, as they do not have to enter, enrol in, or provide any additional information to a website or application. They simply keep doing what they are used to doing, interacting with sites and services as they always have. Because human and interaction signals are collected instead of physical biometric characteristics, the approach is far more privacy-friendly than some physical biometrics.

As organisations consider layering additional authentication technology and methods to secure their users’ accounts, they must select methods that reduce friction for their good users, reduce risk to the organisation or the consumer, and are sensitive to the privacy concerns of their users – all the while making the reuse of compromised authentication and identity information nearly impossible.

With appropriate protections in place, online businesses can continue as usual, and with great confidence – even in the face of frequent data breaches and poor consumer security habits.

The author of this blog is Robert Capps, vice president of business development at NuData Security.
