According to the National Academies Press, “biometrics is the automated recognition of individuals based on their behavioural and biological characteristics.” Increasingly, these characteristics - rather than more easily compromised passwords and codes - are being used to secure and enable access to a growing number of digital systems and objects such as applications, data sources, mobile phones, PCs and buildings.
Whereas passwords have a fundamental flaw in that they can be compromised by being stolen, or in some cases, simply guessed and used to impersonate another individual, biometrics is a far more secure technology. This is because biometrics rely on an individual user’s idiosyncratic appearance or actions to grant them access to a device, database or system.
The two types of biometrics
There are two main types of biometrics: physiological and behavioural. While the former is based on physical traits and adopted by most commercial applications, the latter is based on a behavioural trait of an individual and far more difficult to appropriate.
The key advantage of physiological biometrics is that an individual’s physical traits, which are typically stable and constant, are used as a means of identification. However, in instances in which a person’s physical appearance does change, due to an injury or surgery, it can be difficult to modify expensive sensors and devices that comprise the physiological biometrical infrastructure to recognise their changed features. Moreover, they are usually only used once (one-off authentication), so continuous monitoring is not possible without disturbing the user.
One of the most prominent and well-known forms of physiological biometrics is fingerprint recognition. It works by examining the small details which are found in the breaks and discontinuities located in the whorls, valleys, and ridges of the fingerprint of the user to grant them access to their smartphones and laptops or to verify payments on app stores, for instance. Although the idiosyncrasies and distinctness of these physical criteria enhance security, finger scanning systems can still be imitated and compromised by worn-out or cut fingerprints.
Another commonly-used example of physiological biometrics is voice recognition, which examines the changes in the inflections and pitch in an individual’s voice, as he or she speaks. One key drawback of this form of biometric is that its functionality can be impaired by several factors, such as background noise or the emotional state of the speaker.
Our physical traits aren’t the only things that make us unique. Psychological experiments demonstrated that routine tasks such as speaking, writing, walking, and typing are governed by a set of actions, which can be predicted – this discovery is the basis of behavioural biometrics systems.
Behavioural biometrics overcome the most important limitation of physiological biometrics systems: they can be collected even without the knowledge of the user and are suitable for both continuous monitoring and authentication without disturbing the user. However, some of the behavioural features are unstable, and can be influenced by stress, illness, weather-related health issues and other transitory factors.
One of the most exciting and potentially game-changing behavioural biometrics technologies is mouse movement analysis, which measures the relative extent of position of the cursor as it changes and moves. The most obvious factor is the speed of mouse movement. The idle time between a mouse movement and a click is as typical as the elapsed time between two clicks of a double click. What’s more, the angular velocity (the rate of change of angular position of a rotating body – i.e. the mouse cursor) can also be a useful characteristic with which to identify a user.
Behavioural biometrics are often the overlooked form of biometrics but can be the most useful. Because while it may be possible for attackers to breach a system, impersonating an administrator to carry out bad actions, with behavioural biometrics in place, it’s possible to detect and stop the impersonator in their tracks before s/he can cause real damage.
Biometrics in IT security
As our world becomes digitised, authentication has become an increasingly significant and challenging issue. A large majority of data breaches, for example, originate from stealing the credentials of users, which allow cybercriminals to access the most valuable assets in the IT infrastructure of multi-national companies. According to Verizon Data Breach Investigations Report 2017, “81 per cent of hacking-related breaches leveraged either stolen and/or weak passwords.” This vulnerability can be secured through the effective application of three key biometrical practices in tandem.
Continuous monitoring on a non-obtrusive way
One-off authentication is useless if an external attacker has compromised user credentials. Users
find multiple authentications cumbersome and time-consuming, so they are likely to circumvent them where possible. Continuous, behaviour-based monitoring offers a new approach to authentication.
Although in most cases criminals spend days, weeks or even months in the IT system before being detected, they sometimes access the most critical data in the first few minutes. For this reason, it is crucial to catch the criminals as soon as possible.
As security analysts are already overwhelmed by thousands of false alerts generated by their existing security solutions, a technology producing more false positive alerts is not an option. Therefore, by combining a number of biometrical data points, the accuracy can be improved to confidently prove that yes, this is the correct person it is providing access to.
One of the first things that IT security professionals need to know is that there are no “silver bullets” in the IT security field – biometrics, although an advanced technology, still possess flaws when used in isolation. Defence in depth - that is, layered security mechanisms increase security of the system as a whole - is one of the oldest IT security concepts. If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system.
Paul Walker, Technical Director, One Identity
Image source: Shutterstock/Anton Watman