Physical biometrics can be stolen; behavioral biometrics not so much...
By Nelson Santini, BSI
Multifactor Authentication (MFA) is the law of the land when it comes to cybersecurity protection. Whether it is "2FA", "Adaptive MFA", "Advanced MFA", or whatever variation thereof, access to digital assets is controlled by a process that requires the user to satisfy challenges drawn from multiple factors under their control.
MFA solutions rely heavily on the use of physical biometrics to satisfy the "something I am" factor of MFA challenges, and advances in sensor technology have made their use a frictionless convenience.
That frictionless convenience to the MFA process may come at an imperceptible, but very real price to businesses and other entities overly relying on them.
Before you loosen your top collar button and need to breathe into a paper bag, let me state for the record - I am all for using physical biometrics; but not for all situations. We are nowhere near Mike Werb's and Michael Colleary's "Face/Off" level of reality, but also not that far from it.
In December 2022, databreaches.net reported the sale on eBay of fingerprints and iris scan data of some 2,600 unsuspecting users. This is just the tip of the proverbial iceberg, and there is not enough rudder you can throw on the "R.M.S. MFA" to avoid colliding with the fact that physical biometrics are routinely "stolen". (Let's think of "stolen" as "shared without authorized permission". I'll come back to this definition on another blog...)
As such, authentication processes that overly rely on physical biometrics may be a hidden risk of your business' cybersecurity plan.
Whether maliciously or innocently, our personal identifiable information (PII) is being collected, handled and routinely used by identity and credentials management systems. Physical biometric parameters are 100% PII, and thus, they are great targets of opportunity for malicious actors to steal and exploit. I have no doubt that our PII is being handled with the most stringent protection protocols and sophisticated encryption algorithms though; just like radioactive materials from spent nuclear fuel rods are handled.
All that said, when used properly and correctly, physical biometrics are an excellent and usually frictionless (haven't seen yet the portable, cheap, and ubiquitous DNA scanner) way to validate identity and satisfy MFA requirements.
High Level Comparison of Physical and Behavioral Biometrics
| Physical biometrics | Behavioral biometrics |
| --- | --- |
| Are 100% PII | Are PII free |
| Require the use of special and/or expensive hardware | Leverage the user's readily available hardware, like a smartphone, tablet, or PC |
| Can be stolen / replicated | Do you have an AI supercomputer handy? |
| Can be exploited by bots | |
| User can be absent | User must be present |
| User may be incapacitated | User must be "of clear mind" |
Behavioral biometrics are used less frequently, and present their own set of challenges and benefits. For one, they purposely introduce prudent friction into cybersecurity identification and MFA processes. I wouldn't use them everywhere, but I'd definitely use them when ensuring that the one and only human who created the credentials wishes to use them with clear and specific intent.
Say, for example, that you are Delta, United or American, and you want to verify that the pilot doing the pre-flight on a commercial jet is in fact who they say they are, and that they are not inebriated. That is definitely not the same level of security called for when using your smartphone to authenticate the purchase of a meal at the terminal's lounge, where a facial or thumbprint scan suffices.
Beyond their potential to validate the user's state of mind at the time of authentication*, behavioral biometrics can't be shared, stolen, or replicated by man or machine, when used in conjunction with some of the latest and available productized security algorithms.
I'm inserting here a pause to let those who are screaming "what about AI (ML)??" catch their breath. We can have the conversation when the US's Frontier Super Computer System becomes "pocket sized". Because of their nature, and today's available technology, reproducing behavioral biometrics is infinitely more difficult than reproducing their physical counterparts. Replicating your retinal patterns is one thing; duplicating a human's thought process and mindset "on the fly" is a completely different beast.
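To make the "user must be present" and "cannot be replayed by a bot" rows of the comparison concrete, here is a small keystroke-dynamics verifier. It is an added example, not code from the author or from BSI: the passphrase, the millisecond timings, the 2.0 threshold and the enrollment data are all constructed. The matcher is the scaled Manhattan detector described by Killourhy and Maxion (DSN 2009): each feature's deviation from the enrolled mean is divided by that feature's mean absolute deviation. The one addition is a replay check, since a human never reproduces millisecond timings bit-for-bit, so an exact copy of a previously seen sample is treated as a machine playback rather than as a match.

```python
"""Keystroke-dynamics verifier: a worked example of a behavioral biometric.

Constructed example, not the author's or BSI's code. All timings are invented.
A sample is the way one person types a fixed passphrase:
  holds   -> key-down to key-up time per character (ms)
  flights -> key-up of one character to key-down of the next (ms)
Matching uses the scaled Manhattan detector from Killourhy & Maxion
(DSN 2009): per-feature deviation from the enrolled mean, scaled by the
per-feature mean absolute deviation, averaged over all features.
"""
from statistics import mean

PASSPHRASE = "pass"  # constructed; 4 holds + 3 flights = 7 features


def features(holds, flights):
    """Flatten one typing sample into a fixed-length feature vector."""
    if len(holds) != len(PASSPHRASE) or len(flights) != len(PASSPHRASE) - 1:
        raise ValueError("sample does not match the passphrase length")
    return [float(x) for x in list(holds) + list(flights)]


class KeystrokeProfile:
    def __init__(self, enrollment_samples):
        vectors = [features(h, f) for h, f in enrollment_samples]
        n = len(vectors[0])
        self.mean = [mean(v[i] for v in vectors) for i in range(n)]
        # Per-feature mean absolute deviation, floored at 1 ms so a feature the
        # user happens to type with constant timing cannot divide by zero.
        self.scale = [
            max(mean(abs(v[i] - self.mean[i]) for v in vectors), 1.0)
            for i in range(n)
        ]
        # Exact copies of enrolled samples: a human never reproduces
        # millisecond timings bit-for-bit, so an exact match is a replay.
        self.seen = {tuple(v) for v in vectors}

    def distance(self, holds, flights):
        """Scaled Manhattan distance of a sample from the enrolled profile."""
        v = features(holds, flights)
        return sum(abs(x - m) / s for x, m, s in zip(v, self.mean, self.scale)) / len(v)

    def verify(self, holds, flights, threshold=2.0):
        """Return 'replay', 'accept' or 'reject' for a new typing sample."""
        if tuple(features(holds, flights)) in self.seen:
            return "replay"
        return "accept" if self.distance(holds, flights) < threshold else "reject"


# Constructed enrollment: four typings of the passphrase with +-4 ms jitter.
ENROLLMENT = [
    ([90, 80, 100, 85], [120, 150, 110]),
    ([94, 84, 96, 89], [124, 146, 114]),
    ([86, 76, 104, 81], [116, 154, 106]),
    ([92, 78, 102, 83], [122, 148, 112]),
]


def demo():
    """Run the three cases a verifier must separate: genuine, impostor, replay."""
    profile = KeystrokeProfile(ENROLLMENT)
    genuine = ([91, 81, 99, 86], [121, 149, 111])    # same person, fresh typing
    impostor = ([60, 110, 70, 120], [200, 90, 180])  # a different rhythm entirely
    replay = ENROLLMENT[1]                           # captured sample played back
    return {
        "genuine": profile.verify(*genuine),
        "impostor": profile.verify(*impostor),
        "replay": profile.verify(*replay),
    }


if __name__ == "__main__":
    print(demo())
```

The threshold is the knob that trades false rejects against false accepts, and it should be set from a held-out set of genuine and impostor samples rather than guessed as here; in a deployment the replay set would also hold recent verified samples, not only enrollment, so that a sample captured yesterday cannot be played back today.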
So about that imperceptible but very real price of overly relying on physical biometrics...
As I mentioned above, I'm all for using physical biometrics, as well as behavioral biometrics. Each plays an instrumental part in meeting MFA requirements, which are embedded in every critical business process. My point is simple:
Employ biometrics for MFA depending on the security level, and in accordance with the business purpose of the process you are protecting/enabling.
Citibank estimates that over $25BN are lost every year to credential sharing. We know for sure that Netflix is feeling the pain. And to clarify, that was just looking at entertainment; I'm not getting into FinTech and eBanking just yet.
Leveraging the combined and best attributes of physical and behavioral biometrics is far better than picking "one school" and having them "Face/Off". In real life (and Hollywood) the tells that save the day come from those elements that are the hardest to steal, duplicate or replicate; and behavior is top tier in the cybersecurity cat and mouse game.