As the use of biometrics becomes increasingly mainstream, businesses have sought to reap the benefits of this powerful identity detection technology. But some scepticism remains. Can facial recognition be faked to overcome security controls? As the journey towards complete digitisation accelerates, it’s reasonable for organisations to question the security of biometric programs, but they also need to challenge their assumptions about its efficacy as an identity verification tool. And it’s the responsibility of vendors and solution providers to ensure biometric programs are as secure as possible.
How easy is it to trick biometrics?
The most obvious way to try and spoof a biometric device is by providing a facsimile of a real person. For example, using a picture or a video of a person instead of their actual face. It’s a scenario that has been contemplated by the makers of biometric systems for some time.
The internationally recognised standard ISO 30701 has been created to address this very issue. The standard covers Presentation Attack Detection (PAD) – that is, attacks presented to a sensor like videos, images or masks to fool biometric detection. When a biometric system is ISO 30701 compliant, the algorithms used to detect whether the system is seeing a real person in a live situation must be able to reject when video or a photo are presented. That can be further bolstered by asking the person to carry out a specific activity such as moving their head or eyes in a particular way. This can thwart more sophisticated attacks where threat actors inject video directly into the application, bypassing the camera completely.
There’s been a lot of talk in the media about the threat posed by deep fakes but from a presentation attack perspective, deep fakes are just another type of video. They’re subject to the same PAD algorithms and protections as any other attack type. Organisational security is ultimately about managing risk. The question to ask when considering and deploying biometrics is whether the risk of a deep fake or other spoofing method is greater or less than the risk of other, less secure authentication methods.
There’s no point authenticating if you don’t know who’s authenticating
Since the start of the pandemic, businesses have increasingly relied on online tools to manage remote teams, from recruitment and staff onboarding to accessing privileged assets and information. The paramount question that needs to be asked is whether the person on the other end of the video call or instant message is who they say they are. Even if you’re 100 percent sure they’re a real person, how do you know they aren’t faking an identity?
This is why any biometric solution needs to be based on a foundation of robust identity verification. Think of this as being the 100-point check we do when opening a bank account. When a new employee is being onboarded, it’s important that their identity is properly validated before they are given a biometric credential. Biometrics massively reduces the risk of user accounts being compromised as it is extremely difficult for a verified biometric identity to be compromised.
A true and trusted digital identity
We don’t often think about it, but when we meet someone and they identify themselves, our default position is to trust that they are who they say they are. Trust is at the heart of every business interaction. The systems that control access to everything from the front door of the office to company bank accounts rely on technology to determine that trust.
In most organisations, people have at least two, and often several, credentials they use every day. These can take the form of access passes to enter buildings or protected areas, and passwords to access different applications and systems. Each of these needs to be maintained and is a potential point of ingress for threat actors. Verizon’s annual Data Breach Investigation Report finds the majority of information security incidents start by compromising the identity of a single user with the proportion of attacks initiated this way increasing every year.
Biometric credentials, backed by a robust identity verification process, gives businesses a trusted and secure way to verify identities and provide access to both physical and virtual environments.
Deep fakes might be of concern to celebrities and others whose likeness may appear in unwanted situations. But for businesses seeking to improve their security posture, biometrics reduces the risk of a compromised identity resulting in unauthorised access to your premises or systems.
