Biometrics is an increasingly attractive option for businesses. The advantage? No more relying on the workforce to change default passwords or to avoid easily guessed ones, such as an employee’s birthdate or kids’ names. The heavy lifting isn’t done by employees; it is done by their bodies.
It is a complex realm. Todd Thibodeaux provides a good overview at Dark Reading of what chief information security officers (CISOs) should consider before moving to biometrics. The topic is especially important for organizations with large mobile workforces, since tablets and smartphones are more exposed to loss and theft than machines tethered to a desk. CISOs must understand that a password is inherently disposable: it is just a string of letters and numbers, and it can be replaced the moment it leaks. A biometric marker is protected information about the person, and once it is compromised, that element, whether a fingerprint, a voice or a retinal pattern, is invalidated forever; it cannot be reissued. A factor that cannot be revoked has to be backed by one that can, which is why passwords will always be with us.
Biometrics, he concludes, are not a panacea – but they’re a big step:
Biometrics may not solve all poor end-user security practices, but the right strategy can help organizations seriously address the shortcomings of their existing password use. In an ideal implementation, biometrics can serve as a quicker, more convenient access solution for end users while enabling multifactor authentication and more robust security. Businesses may need to invest in additional capabilities to meet logistical and regulatory demands, but it's clear that passwords alone aren't enough.
The permanence of a compromised biometric matters all the more because, according to Hoda Al Khazaimi, director of the Center for Cyber Security at New York University Abu Dhabi, this form of security is as vulnerable as any other: biometric sensors can be spoofed and defeated in other ways. Aging adds a further problem, since the body changes over time and a reference captured years earlier matches the same person less reliably.
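To make the revocability and aging points concrete, here is an added example in Python; it is not code from the article, from Thibodeaux or Al Khazaimi, or from any vendor's product. It sets a salted password check beside a deliberately simplified biometric matcher: the 256-bit template, the per-bit noise levels and the thresholds are constructed for illustration, and Hamming-distance matching is a toy stand-in for how iris and fingerprint systems compare a fresh capture to the enrolled reference.

```python
"""Constructed illustration: why a biometric reference cannot be protected or
revoked the way a password can.

A password is an exact secret: store a salted one-way hash, compare digests,
issue a new one when it leaks.  A biometric capture is never bit-identical to
the enrolment (sensor noise, ageing), so the verifier must measure a *distance*
to a stored reference and accept below a threshold.  Two consequences follow:
the reference has to stay comparable (it cannot be reduced to a one-way hash),
and the threshold trades false rejects against false accepts.
"""
import hashlib
import hmac
import os
import random

# ---- password: exact match against a salted hash, replaceable ---------------

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept low only to keep the demo quick.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def verify_password(stored: bytes, salt: bytes, candidate: str) -> bool:
    # Constant-time digest comparison; a single differing character fails.
    return hmac.compare_digest(stored, hash_password(candidate, salt))

def demo_password() -> dict:
    salt = os.urandom(16)
    stored = hash_password("correct horse battery", salt)
    ok = verify_password(stored, salt, "correct horse battery")
    near_miss = verify_password(stored, salt, "correct horse batterY")
    # Rotation after a leak: new secret, new salt, new hash; the old one is dead.
    new_salt = os.urandom(16)
    rotated = hash_password("new unrelated secret", new_salt)
    old_after_rotation = verify_password(rotated, new_salt, "correct horse battery")
    return {"ok": ok, "near_miss": near_miss, "old_after_rotation": old_after_rotation}

# ---- biometric: thresholded distance to a stored reference ------------------

TEMPLATE_BITS = 256  # toy template length (assumption); real iris codes are longer

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def biometric_match(template: int, sample: int, threshold: int) -> bool:
    # Accept when the capture differs from the reference in few enough bits.
    return hamming(template, sample) <= threshold

def noisy_capture(template: int, flip_prob: float, rng: random.Random) -> int:
    # Simulate a fresh capture of the same trait: each bit flips independently
    # with probability flip_prob (sensor noise, or drift as the person ages).
    mask = sum(1 << i for i in range(TEMPLATE_BITS) if rng.random() < flip_prob)
    return template ^ mask

def hashed_template_matches(template: int, sample: int) -> bool:
    # Storing the biometric "like a password": a one-way hash of the reference
    # only ever matches a bit-identical capture, which noise never delivers.
    def digest(x: int) -> bytes:
        return hashlib.sha256(x.to_bytes(TEMPLATE_BITS // 8, "big")).digest()
    return hmac.compare_digest(digest(template), digest(sample))

def demo_biometric(seed: int = 1) -> dict:
    rng = random.Random(seed)
    enrolled = rng.getrandbits(TEMPLATE_BITS)         # the stored reference
    capture = noisy_capture(enrolled, 0.08, rng)      # later capture, ~8% bits differ
    return {
        "distance": hamming(enrolled, capture),
        "fuzzy_match": biometric_match(enrolled, capture, threshold=64),
        "hashed_match": hashed_template_matches(enrolled, capture),
    }

def error_rates(threshold: int, trials: int = 1000,
                genuine_noise: float = 0.25, seed: int = 7) -> tuple:
    """Return (false_reject_rate, false_accept_rate) at one threshold.

    Genuine captures are noisy re-reads of one reference (noise exaggerated so
    the trade-off is visible); impostors are independent random templates, whose
    expected distance is TEMPLATE_BITS / 2.  Constructed data, not a measured system.
    """
    rng = random.Random(seed)
    reference = rng.getrandbits(TEMPLATE_BITS)
    genuine = [noisy_capture(reference, genuine_noise, rng) for _ in range(trials)]
    impostor = [rng.getrandbits(TEMPLATE_BITS) for _ in range(trials)]
    frr = sum(not biometric_match(reference, g, threshold) for g in genuine) / trials
    far = sum(biometric_match(reference, i, threshold) for i in impostor) / trials
    return frr, far

def threshold_sweep(thresholds=(48, 64, 80, 96, 112, 128)) -> list:
    return [(t, *error_rates(t)) for t in thresholds]

if __name__ == "__main__":
    print("password:", demo_password())
    print("biometric:", demo_biometric())
    for t, frr, far in threshold_sweep():
        print(f"threshold {t:3d}  false reject {frr:.3f}  false accept {far:.3f}")
```

Two things fall out of running it. The hashed template never matches a real capture, so a deployment has to keep a comparable reference (or keep it sealed on the device's secure hardware) rather than a one-way hash, and that reference is exactly what a breach exposes and what cannot be rotated. The threshold is a policy knob: tightening it cuts false accepts at the price of rejecting legitimate users more often, which is the trade-off that sensor spoofing on one side and aging on the other both push against.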
The future of biometrics won’t solely be determined by how well it works. The Illinois Biometric Information Privacy Act, which became law in 2008, says, according to The Chicago Tribune, that “no private entity can gather and keep an individual’s biometric information without prior notification and written permission from that person.” Depending on how the law is interpreted, Facebook and other companies that use biometrics may have to adjust their use. The story says that under the law, the company L.A. Tan Enterprises agreed to a settlement of $1.5 million for providing a third-party software vendor with the fingerprint scans of customers, which it had collected for sign-ins.
Biometrics are used to unlock electronic devices, to grant or deny access to physical locations, and for non-security purposes, such as Facebook’s use of facial recognition for photo tags. It seems likely, however, that legal oversight of one area will affect how the other uses are regulated. It will also affect the underlying business dynamic in the biometric vendor community.
Biometrics are clearly a valuable tool. But, like many technologies once expected to be a silver bullet for a particular problem, this family of approaches has its limitations. It also carries legal and regulatory complexities absent in the password world. CISOs should weigh all of this carefully as they map their security futures.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via Twitter at @DailyMusicBrk.