By: Sami Elhini, Biometrics Expert, CISO Global, Inc.
Try talking to a cybersecurity expert about a passwordless future without biometrics coming up. Not possible — and the reason couldn’t be simpler: Biometrics are the best form of user authentication to come down the cybersecurity pike. So where are they today? Where are they headed? What questions are they raising?
What are biometrics used for?
Daily — that’s how often we use biometrics instead of passwords in 2023. Our phones, laptops, and virtual assistants accept our fingerprints, faces, and voices as keys.
Great for consumer-grade cybersecurity? Yes. But for business-grade cybersecurity? No.
Why? Because biometrics are probabilistic, like an image, not deterministic, like a password: a biometric match is a similarity score compared against a threshold, while a password either matches or it doesn’t. And when it comes to business, “probably” loses to “certainly” every time.
Still, biometrics in access control are headed for what’s poised to be one of the greatest password-free keys of all time: the iris.
“Game changer” somehow doesn’t seem to cover it. It will be transformative for authentication — both consumer and business. A high-quality iris scan speaks volumes about the authenticity of its owner. It very reliably tells a system that this person is who they claim to be. Plus, iris scans aren’t exactly a cinch to collect, a fact that’s more of a feature than a bug, since it eases the surveillance fears that facial recognition raises.
Where do we see strong passwordless biometrics tech today?
So, what passwordless option do we have until irises fulfill their promise? We’ve got the personal identity verification (PIV) card, a U.S. government favorite that matches a fingerprint, iris, or facial scan with a fraud-resistant smart card.
But adoption outside the U.S. government is minimal because it’s too inconvenient. (And doesn’t that characterize a cybersecurity challenge? A trade-off between security and convenience?) A non-regulated business would use it only if it really wanted to.
More of a stretch for new password-shirking biometrics tech: rapid DNA. It’s accurate. It can’t be spoofed. The probability of a false match is zero. It doesn’t need a DNA lab or human intervention.
But as of today, it takes one to two hours to work. So that’s a no-go.
How might AI affect biometrics in cybersecurity?
It’s not like AI won’t add an arms-race twist to this biometrics-over-passwords story, either. Fooling facial scanners with 3D masks and synthetically generated irises is one thing. But bad actors are about to start using AI-operated deepfakes, too. And presentation attack detection (PAD) systems are likely already using AI to detect those deepfakes (though — outside of research — no one will divulge the intrusion detection or prevention techniques they use). Will it all come down to who has the most processing power? How will a mix of analytical abilities and creativity further develop exploits and defenses? How will that one-upmanship resolve?
Will good prevail like last time, when artificial fingerprints with realistic ridges fooled fingerprint scanners, and fingerprint scanners improved quickly enough to keep users confident?
What about any minute now, when AI with a minimal voice sample fools a voice-recognition system’s biometric liveness check — a verification that the voice being presented belongs to an actual living subject — and undermines confidence in it as an authentication factor?
How is Big Tech preparing for a passwordless future?
Avoiding dings to biometrics’ reputation sounds like it would call for novel ways of protecting the biometric data itself, too. But aside from standard practices like rotating keys and certificates at set intervals and complying with NIST guidance, I’m not seeing it, not even with the biggest companies, and that’s OK. Abiding by NIST guidance is, frankly, probably enough.
So much so that it’s encouraging Google, Apple, Amazon, and other tech giants to ditch passwords for biometrics soon. Does that mean we’ll be logging into our healthcare or financial services portals with a biometrics-backed OAuth (e.g., “Continue with Google,” “Sign in with Apple,” etc.) soon, too? Probably not. But portals for less regulated industries? Bet on it.
Speaking of regulation: Will biometrics in cybersecurity be the tipping point for U.S. regulators to insist that Silicon Valley swap out proprietary identities for non-proprietary ones?
It might not have to be. With the upcoming Improving Digital Identity Act, that option’s probably already on its way anyway.
What are a few unexpected consequences of biometrics in cybersecurity?
Inbound, too, is a renewed appreciation for VPNs, thanks to biometrics. VPNs are incredibly valuable tools — unless thousands of annual data breaches keep leaking VPN logins. Using biometric credentials — and so removing the need for passwords and the possibility of compromising those passwords — will keep confidence in VPNs up.
Once we arrive at this passwordless future, how do we ensure its survival when devices can be spoofed? How do we avoid being forced to regress to some form of password, like a PIN? One idea, once iris recognition is common: the cryptographic capabilities of the modern smartphone. The smartphone (1) generates and holds immutable keys (something the user has), while the user (2) provides a unique iris (something the user is).
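As an added illustration (not code from the original article or from CISO Global), the Python sketch below ties together the two points made above: the probabilistic nature of a biometric match, modelled as an iris code compared by normalized Hamming distance against a threshold, and the two-factor pairing of a device-held key (something you have) with an iris (something you are), where the key is used only after a local match. The 64-bit iris codes, the 0.32 threshold and the use of a shared HMAC key in place of the phone’s hardware-backed asymmetric key are assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from typing import Optional

IRIS_BITS = 64          # constructed toy length; real iris codes run to ~2048 bits
MATCH_THRESHOLD = 0.32  # assumed cut-off on normalized Hamming distance (Daugman-style codes)

# Constructed sample data: two captures of the same eye differ in a few noisy bits,
# a different eye disagrees in roughly half or more of the bits.
ENROLLED_IRIS = 0xA5A5C3C30F0F9696
GENUINE_PROBE = ENROLLED_IRIS ^ 0x15      # same eye, 3 bits flipped by capture noise
IMPOSTOR_PROBE = 0x3C3C5A5AF0F06969       # different eye
DEVICE_KEY = secrets.token_bytes(32)      # generated at enrollment; shared with the
                                          # service only because HMAC stands in for
                                          # an asymmetric device key in this sketch


def normalized_hamming(code_a: int, code_b: int, nbits: int = IRIS_BITS) -> float:
    # Fraction of bit positions where the two codes disagree (0.0 = identical).
    return bin(code_a ^ code_b).count("1") / nbits


def iris_matches(enrolled: int, probe: int) -> bool:
    # Probabilistic decision: "close enough", never "equal" as with a password.
    return normalized_hamming(enrolled, probe) <= MATCH_THRESHOLD


class Phone:
    # "Something you have": the key never leaves this object and is only used
    # after the iris ("something you are") matches the locally stored template.
    def __init__(self, enrolled_iris: int, device_key: bytes):
        self._enrolled = enrolled_iris
        self._key = device_key

    def respond(self, challenge: bytes, probe_iris: int) -> Optional[bytes]:
        if not iris_matches(self._enrolled, probe_iris):
            return None  # no match, no response: the key is never exercised
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Service:
    # Relying party: holds the registered key, never sees any iris data.
    def __init__(self, registered_key: bytes):
        self._key = registered_key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)  # fresh per login, so a response cannot be replayed

    def verify(self, challenge: bytes, response: Optional[bytes]) -> bool:
        if response is None:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticate(phone: Phone, service: Service, probe_iris: int) -> bool:
    challenge = service.new_challenge()
    return service.verify(challenge, phone.respond(challenge, probe_iris))
```

A stolen phone without the right eye yields no response, and the right eye presented to a phone holding a different key yields a response the service rejects.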
Now that’s the sort of mix of existing and incoming technologies that will let biometrics finally relieve the cybersecurity industry of the folly of passwords.
Are you interested in learning more about biometrics’ role in protecting your organization’s data and reputation in a passwordless world? Let’s talk. Contact CISO Global, Inc. today.