Experts are escalating their call for aggressive measures to improve customer authentication as phishers, malware authors, and other criminals develop increasingly complex schemes to gain access to personal credentials. As we discussed in a previous post, the use of biometrics is gaining more attention as technological advances are bringing low-cost, high-quality solutions. In a recent paper ("The Case for Replacing Passwords with Biometrics"), authors Markus Jakobsson and Sebastien Taveau assert that biometric methods such as fingerprinting methods could address a large part of the looming cyber fraud problem.
Matching fingerprints to protection
Fingerprints as a means of identification have actually been used for more than 150 years. However, Jakobsson and Taveau note that lower technology costs may allow fingerprint authentication to become a mainstream risk mitigation solution, in concert with other backup authentication methods. (The Federal Financial Institutions Examination Council's 2011 Supplement to Authentication in an Internet Banking Environment reports that layered security controls go a long way to protecting consumer credentials and high-risk transactions from cyber threats.) According to Jakobsson and Taveau, the convergence of methods used by cybercriminals is driving fraud into the mobile arena, with an increased incidence of dual platform attacks targeting both PCs and mobile handsets. The authors describe how fingerprint authentication can improve authentication effectiveness and enable better risk management.
As more and more data are stored in personal clouds—remote data servers that store digital content for consumers—the security paradigm becomes more critical. Jakobsson and Taveau describe cases whereby fingerprints could effectively serve as a "key" to consumer information. Just authenticating users by asking who they are and what they know—in other words, prompting for name and password—is inadequate in such "remote" data storage environments. Essentially, "the cloud is a storage area with a door, the handset or other device is the lock and the fingerprint is the key."
The authors also describe the challenge of "BYOD"—that is, "bring your own device" to work. Many companies today permit employees to use their own devices. The use of multiple passwords and other protocols can create confusion that can tempt employees to circumvent authentication protocols designed for their protection. As we noted in a June post, one out of every 11 wallets contains easily discovered PINs. The use of the biometric tool of fingerprinting permits a simple authentication method that can be used across applications and devices, with greater assurance that the account or device owner and the device are in the same physical space.
I can't put my finger on it
Despite the promise of fingerprinting as an effective biometric risk management system, a number of concerns remain, according to the authors. Device sharing can be a problem when the device is secured with a biometric unique to a single user. An issue of a more violent nature is the potential of a criminal stealing someone's finger to facilitate a transaction. Jakobsson and Taveau aptly remark, "It is much better to have one's password stolen!"
In the final analysis, the authors note that the benefits of biometric authentication methods outweigh their deployment challenges. Furthermore, their authentication architecture using a "biometrically unlocked password manager" could provide significant protection against phishing and malware attacks—the primary tools of cybercrime. As the incidence of data breaches and account takeovers continues to rise, the argument for more secure authentication methods will continue as well.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum