The Chinese government is one of the organizations most interested in facial recognition technology – as biometric technology-. For this government its utility lies not in its application in authentication, but in tracking citizens. But its plans have been thrown into disarray by initiatives such as one developed by Leonardo Selvaggio, an artist who decided to launch a hyper-realistic mask of his face with the aim of tricking facial recognition algorithms.
These actions were political in nature, but there are more examples in cybersecurity. Three years ago, Carnegie Mellon University also showed how it was possible to circumvent this kind of algorithm. With a tool as simple as a pair of glasses, the institution managed to trick a recognition system into thinking a middle-aged man was the actress Milla Jovovich, laying bare the flaws in the system.
Is biometrics really infallible?_
All of this poses a reasonable question: Is biometrics really a completely efficient technology when applied to cybersecurity? And can it guarantee authentication with no risk of fraud? The industry shows considerable optimism regarding its adoption: According to a Juniper Research study, mobile biometrics will grow around 2,500% until 2023, and will be a feature over over 80% of smartphones.
In this context, the consultancy believes that this technology is vital for the protection of organizations. In fact, it predicts that companies that use biometrics will experience over 50% fewer cyberattacks.
The weaknesses in biometrics_
Biometrics can clearly represent a leap forward when it comes to stopping identity fraud in authentication, especially when compared to traditional passwords. However, there are still several factors that imperil its security:
1.- It cannot be encrypted. File encryption is one of the processes that every company must implement if it wishes to protect its cybersecurity. Biometric data, however, cannot be easily encrypted, which means that, while it could hinder access to certain files, it can’t render them totally inaccessible. What’s more, in many cases, it is simply the first point of entry towards other processes that do in fact require a password.
2.- It isn’t credentials, it’s a user. When a password’s security is compromised, whoever it belongs to will change it immediately. In fact, many passwords are changed periodically specifically to avoid possible vulnerabilities. Biometrics, however, impedes this process: a person’s face or finger print cannot be changed, which means that it isn’t a password but rather the users themselves. The immutability of this technique therefore makes it more fragile than a password.
3.- Deceit and bias. Leonardo Selvaggio and Carnegie Mellon University aren’t alone in having managed to call biometric technology into question: there are many other cases where this technology has been seriously compromised. Besides, biometric technology can contain biases that, at the very least, hinder its use as a cybersecurity commodity. This was the conclusion reached by three researchers at MIT, who proved that facial recognition biometrics was much more deficient when identifying black people, a flaw that has even affected the FBI’s own system for recognizing suspects.
How to avoid vulnerabilities_
Given that biometric technology isn’t entirely foolproof, organizations with an interest in protecting their corporate cybersecurity must take a series of measures:
1.- Don’t rely exclusively on biometrics. Handing over the totality of cybersecurity to biometric processes would leave several weak points open to future incidents. As such, biometrics mustn’t be the technology in charge of cybersecurity strategies.
2.- Two factor authentication. If biometric technology is to be implemented in this strategy, it must be complemented with other technologies. Biometrics can be made more efficient if it included in a double, or even triple, factor authentication process. In this case, a password would also be used as part of employees’ credentials.
3.- Monitoring and profiling. Biometrics will never be completely safe from impersonation. This is why it should be used in conjunction with user, machine and process profiling, as well as monitoring to predict future behaviors and get ahead of possible vulnerability scenarios. At Cytomic, we have a zero-trust philosophy to monitor and profile these parameters so that, in the event of a possible risk, it can be detected and mitigated before it can cause any damage.
In other words, the important thing is to be aware of the fact that no technology is in and of itself infallible. In order to protect an organization’s cybersecurity, it a combination of the most advanced control technologies and processes will be vital.