All the passwords have been hacked and keyfobs are expensive and easily lost. But new biometric identification technologies are filling the gap, and many of them are inexpensive, easy to use, and even built into the devices most of us carry in our pockets.
Credential breaches keep hitting the headlines. So far this year, just one hacker has stolen and published nearly a billion user records from 44 companies; Facebook exposed nearly half a billion passwords; Microsoft confirmed an email breach; hackers published the info of thousands of police officers and FBI agents; Georgia Tech had a breach of more than a million records; FEMA leaked 1.6 million records as a result of a phishing attack, and the bad news keeps coming.
IdentityForce handily keeps track of all the latest breaches.
If you're in charge of security for a data center, there's a good chance a key employee has fallen victim to one of these breaches, and their credentials have been compromised. Whether they're reusing one of their passwords or hackers leverage the leaked credentials to get access to other accounts, authentication systems based purely on passwords are not enough.
Biometric authentication might one solution. Fingerprints, faces, iris scans, voice recordings, walking gaits, even the way someone moves a mouse, types on a keyboard, or holds their phone can all be used to help confirm someone's identity.
But there are security issues there as well.
You can't issue your employees new eyeballs if your database gets compromised – or if some other database somewhere else gets compromised.
"You can keep generating new passwords, but biometrics are limited," said Shantanu Rane, research area manager for cyber-physical systems security at PARC, the Xerox subsidiary that brought you the laser printer, the graphical user interface and the mouse, Ethernet, object-oriented programming, and other key foundational technologies.
PARC has been keeping up with what's happening in biometrics, including the theoretical research coming out of academia, he said, and there have already been breaches of biometric credentials.
Three years ago, for example, a database of six million fingerprints was breached at the US Office of Personnel Management. Last year, more than a billion records were stolen from the Unique Identification Authority of India, which includes biometric data like fingerprints and retina scans.
For data centers relying on biometric authentication, there are two major areas of risk here.
The first danger is of employees’ biometrics scans being leaked somewhere else, and attackers using them to access a data center's systems or physical facilities.
The other risk is of the data center's own biometric database being hacked, putting all its users and employees at risk of having their accounts compromised if those same biometric identifiers are used anywhere else.
Hashes and Encryption
One possible way to protect biometric credentials from being hacked is to hash or encrypt them and only work with the encrypted version, said Rane.
For example, the server-room door camera could scan your face, encrypt that scan, and send the encrypted image over to a central database where it would be checked against a picture of your face saved – and encrypted – when you were first hired.
The unencrypted version of your face is never transmitted or stored, so there's nothing for hackers to hack.
The problem is, said Rane, is that no two pictures of your face look the same.
In fact, if the camera sees an image identical to your official company photo, that's probably a sign that someone has printed out that picture and is holding it in front of their face. Real faces always look a little different each time.
"When these features differ slightly, then, when you compute the cryptographic hash, the hash is intended to amplify the differences, and the corresponding hashes will be completely different," he said.
Researchers are now working on this problem, trying to create a way to encrypt or hash an image so that the encrypted versions can be compared even if they're not identical.
"But we're still not at the stage where we can achieve high levels of accuracy," Rane said.
Local Hardware-Based Authentication
One way to avoid the risk of keeping a database of fingerprint scans around entirely is to switch to local authentication.
Here’s how it works. When you get hired, the door lock learns who you are through your fingerprint, face scan, or some other biometric method used either by itself or in combination with a PIN code, employee ID card, or password.
The biometric data is only stored by that lock and nothing else, and when you go through that door again, it checks you against that previously stored scan. This technology is expensive and difficult to use if there's more than one door, rack or computer to secure.
However, a device that almost everyone already carries has a built-in biometric authentication system. Today's smartphones come with a secure enclave where the biometric information is stored. That information never leaves that enclave, so even if phones are hacked, the data is secure. And it's never shared online or with any centralized database. The phone just sends a confirmation that the person is who they say they are.
Those secure enclaves aren't just used to unlock phones with your face or fingerprint. Yes, that's convenient, but it’s not the most important aspect of this technology for data center security.
This system is the universal standard for contactless payments, and third-party apps can access this authentication system.
The fact that supermarkets around the world let you hold your phone in front of the payment terminal to buy groceries means that there's a lot of pressure from retailers and financial companies on Apple and Google to get this right.
And the fact that it can be used by third-party apps – such as PayPal or Dropbox – means that it can also be used by security apps that allow access to data center facilities or computer systems.
In fact, earlier this month, Google announced that it is making it easier than ever for enterprises to use the built-in authentication on Android phones.
"Uber has no idea of what your fingerprint looks like," said Rane. "They're just a customer of the system. That is one good way of implementing biometrics that prevents or significantly mitigates the risks."
If a company goes this route, there are some things to watch out for, he warned.
First, you have to make sure that employees have up-to-date, modern phones that support the level of security that a data center needs.
Second, employees shouldn't be sharing their phones with others.
"One problem that might happen is that my spouse has access to my phone with her fingerprint as well," Rane said. "If she comes in, the security system asks the phone to do the biometric authentication, and she provides the biometrics, and the system says 'yes'."
There have also been cases where smartphone fingerprint or facial scans have been spoofed, he added.
But those are relatively low levels of risk and can be mitigated if a data center uses some second factor in combination with the biometric mechanism, such as PIN codes, passwords, or behavioral analytics.
Rane said he doesn't know why more data centers aren't using smartphones as an added security control.
"It's not out there yet as much as it should be," he said. "A lot of the biometric authentication on smartphones has been used primarily for consumer apps."
One potential problem with using consumer-focused technologies like smartphones for enterprise authentication is that sometimes companies may opt for increased convenience over security.
For example, Apple's new FaceID is inferior to its older TouchID technology, said Asem Othman, team lead of biometric science at Veridium, a Boston-based security vendor.
"The accuracy of most facial recognition systems can be largely degraded due to variation in age, facial expressions, facial hair, or even wearing heavy makeup," he said. Some systems also have gender or racial biases, he added.
Convenience might be more important than security in consumer contexts. Say, if using a phone for payments was very easy, users might spend more money, and even if it's not perfect, the facial ID system is still better than the old signature-based method. But for highly sensitive enterprise environments, that might be too high a level of risk.
"We need to consider security ramifications along with the usability and convenience," said Othman. "Especially in a world where hacks on enterprises and individuals alike are increasing in both frequency and severity."