9. Do’s and Dont’s of Biometric Security
Do
Do encrypt everything
Do device tracking
Do behavioral analysis
Do require 3-factor security
Don’t
Don’t do Client Side Verification
Don’t store biometric data in a centralized repository
Don’t rely on passwords
Don’t do verification of template data remotely
10. Free tools for your consideration
Fast Identity Online (FIDO) alliance
Read it
Learn it
Love it
Open Web Application Security Project (OWASP)
Read the top 10 – Especially authentication
Join and participate
Dozens of free tools and documentation
Join pilot programs for new biometric tech
Notes:
Introduction to myself
I’m the CTO of Hypr Corp
I worked as a cyber security consultant in the government, financial services, and healthcare sectors.
I have an interest in biometrics and a vendetta against weak security
Notes:
What’s this talk about?
The talk is about the fact that we are very, very terrible at doing information security.
We have been doing physical security using things like tall walls, bank vaults, and weapons for a very long time.
We’ve only been doing information security for 60 years and we’re terrible at it.
And why is that?
Notes:
It’s because our existing methods of proving “Am I who I say I am” have failed us time and time again.
Every time you turn on the news you hear about some new security breach about how millions or billions of passwords, SSNs, or credit cards have been stolen.
We have had nothing but catastrophic security failures day in and day out for as long as I can remember.
And in a world where everything is becoming digital, we need a solution.
For God’s sake, the top 15 passwords used in 2015 are embarrassing. And over 90% of us have a password that’s in the list of top 1000.
We have taken certain steps to reduce our dependency on passwords with 2-factor authentication. This includes SMS messages or the security tokens that many of you have, where you need to punch in some digits to gain access to things. But recently even those have proven to be compromised more and more.
So what do we do?
Notes:
Cue the emerging technologies that are biometrics.
Retinal Scanners, Fingerprint readers, voice analyzers, facial recognition. All new ways of answering “am I who I say I am?”.
In previous decades, such methods of authentication were extremely expensive and an engineering nightmare.
However, recent advances in technology have enabled us to put biometrics in things like our phones, on our laptops, and even our door locks.
We are finally at a point where it’s technologically and financially feasible to secure our data with biometrics.
Awesome, right?
Notes:
Not so fast!
There are countless sophisticated attacks that have bypassed every type of security control we have ever put in place. What makes us so sure that it won’t happen with biometrics?
One thing that I really hope you all take away from this talk is that biometrics are NOT a silver bullet!
They are merely another cog in a great big machine that we need to place properly in order for it to be successful.
Existing cyber attacks such as Man in the Middle, Malware (Trojans), and several others can bypass biometrics just as easily as passwords or 2-factor tokens.
Furthermore, unlike a password that I can change whenever I want, my biometric never changes. So storage and management of biometric data is critical.
With our dependence on personal devices and with 75% of employers allowing employees to use these personal devices at their jobs, it can be difficult to put proper security controls in such a fragmented environment.
So let’s look at some ways not to do biometric Authentication.
In this scenario we have to take into account malware. Why do we have to do this? Because almost 40% of the devices in this country have some sort of malware on them. If it’s not your laptop, it could be your child’s or spouse’s that is on the same network as yours.
This image depicts a common biometric implementation such as the iPhone or Android phone you have in your hands. There is a biometric sensor such as a fingerprint reader, and when you touch your finger to the sensor, your phone determines whether or not that fingerprint is valid.
---- AFTER Transition ----
Where is the problem here?
Well, take into account the scenario where your phone is compromised and gets a malware Trojan. That malware simply says the fingerprint is “valid” every time an application requires a fingerprint. This renders the biometric sensor worthless.
In this case, the fingerprint reader on your phone is purely a convenience feature instead of a security feature. And that’s not good enough.
Another way of doing biometrics the wrong way.
A scenario where a biometric device captures a template, sends it to a remote server for storage, and the server verifies the template there.
---- AFTER Transition ----
This is susceptible to replay attacks from man in the middle vectors.
If the validation server is compromised, biometric data is compromised and that’s a problem because biometrics cannot be changed.
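The two wrong designs above, a client-side verdict the server trusts and a template verified remotely, contrasted with a challenge-response design in which the fingerprint match only unlocks a key that stays on the device and the server checks a signature over a single-use challenge (the approach FIDO authenticators take). This is an added example, not code from the talk or from Hypr: HMAC-SHA256 stands in for the authenticator's public-key signature, so the shared key, the `Server` and `Device` classes and the message shapes are assumptions made for the example.

```python
"""Client-side verdict vs. device-bound challenge-response, side by side.

Example added to these notes (not code from the talk). HMAC-SHA256 stands in for
the public-key signature a real FIDO authenticator would produce, so the shared
key is a simplification: with real signing the server holds only a public key."""
import hashlib
import hmac
import secrets


# --- Wrong way #1: the server trusts a boolean computed on the client --------
def weak_server_accept(request: dict) -> bool:
    # The server cannot tell a real sensor match from a flag set by malware.
    return request.get("fingerprint_valid") is True


def honest_device_weak(sensor_matched: bool) -> dict:
    return {"fingerprint_valid": sensor_matched}


def trojan_device_weak() -> dict:
    # The malware pattern from the notes: report "valid" on every request.
    return {"fingerprint_valid": True}


# --- Better: the match unlocks a device key; the server checks a signature ---
class Device:
    """Authenticator: the template and the key never leave the device."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self._key = secrets.token_bytes(32)  # generated and kept on-device

    def registration_material(self) -> bytes:
        # Shared secret here; a real authenticator would register a public key.
        return self._key

    def respond(self, challenge: bytes, sensor_matched: bool):
        # The local biometric match gates use of the key: no match, no response.
        if not sensor_matched:
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Relying party: stores per-device keys and single-use challenges."""

    def __init__(self):
        self.device_keys = {}   # device_id -> registered key (no templates here)
        self.pending = {}       # challenge -> device_id it was issued to

    def enroll(self, device_id: str, key: bytes) -> None:
        self.device_keys[device_id] = key

    def issue_challenge(self, device_id: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending[challenge] = device_id
        return challenge

    def verify(self, device_id: str, challenge: bytes, tag) -> bool:
        # pop() consumes the challenge whether or not the check passes,
        # so a captured (challenge, tag) pair cannot be replayed.
        if self.pending.pop(challenge, None) != device_id or tag is None:
            return False
        key = self.device_keys.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def run_scenarios() -> dict:
    """Exercise both designs and return the outcome of each case."""
    results = {"weak_trojan_accepted": weak_server_accept(trojan_device_weak())}

    server, phone = Server(), Device("phone-1")
    server.enroll(phone.device_id, phone.registration_material())

    c1 = server.issue_challenge(phone.device_id)
    tag1 = phone.respond(c1, sensor_matched=True)
    results["genuine_accepted"] = server.verify(phone.device_id, c1, tag1)
    results["replay_rejected"] = not server.verify(phone.device_id, c1, tag1)

    c2 = server.issue_challenge(phone.device_id)
    results["no_match_no_response"] = phone.respond(c2, sensor_matched=False) is None

    c3 = server.issue_challenge(phone.device_id)
    forged = b"\x00" * 32  # a Trojan without the key can only guess
    results["forged_tag_rejected"] = not server.verify(phone.device_id, c3, forged)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case}: {outcome}")
```

In the weak design the Trojan's forged flag is accepted, which is exactly the "convenience feature, not a security feature" failure from the notes. In the challenge-response design the server never sees a template, a compromised device without the key cannot produce a valid response, and a captured response is useless because the challenge is consumed on first use.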
Do’s and don’ts
You should encrypt everything. It’s critical that this is done in transmission AND at rest.
Do device tracking so that if an authentication request comes from a device for a user that it usually doesn’t come from, that’s a red flag.
Analyze the behavior of your users. If Bob always accesses his bank account between the hours of 8 AM and 9 PM, and suddenly he’s trying to access it at 4 AM from Nigeria, that’s an issue.
Require 3 factors of security – if you have a biometric available, don’t think passwords are unnecessary.
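The device tracking and behavioral analysis points above, worked through as an added example (not code from the talk): a per-user baseline is built from past successful logins, and later attempts are flagged when the device, the hour or the country deviates from it. The log format, the user `bob`, the device ids and the country codes are constructed for the example, and timestamps are assumed to already be in the user's local time.

```python
"""Device tracking and behavioral analysis over authentication logs.

Constructed example added to these notes (not code from the talk). A baseline
per user is derived from past successful logins: devices seen, the hours they
were active, and the most common country. Later attempts are scored against it.
The log format is made up for this example; timestamps are assumed to already
be in the user's local time zone."""
from collections import Counter
from datetime import datetime

# Constructed sample log: a week of Bob's normal logins from two known devices.
HISTORY = [
    "2015-09-07T08:15:00 user=bob device=iphone-7f3a country=US result=success",
    "2015-09-08T12:40:00 user=bob device=iphone-7f3a country=US result=success",
    "2015-09-09T20:55:00 user=bob device=laptop-c41e country=US result=success",
    "2015-09-10T09:05:00 user=bob device=laptop-c41e country=US result=success",
]

# Constructed later attempts: one normal, one matching the "4 AM from Nigeria"
# scenario in the notes, one from a known device but an unexpected country.
NEW_ATTEMPTS = [
    "2015-09-14T10:02:00 user=bob device=iphone-7f3a country=US result=success",
    "2015-09-14T04:00:00 user=bob device=android-ff12 country=NG result=success",
    "2015-09-14T13:30:00 user=bob device=laptop-c41e country=DE result=success",
]


def parse(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def build_profiles(lines) -> dict:
    """Per-user baseline from successful logins only (failures say nothing
    about what the real user normally does)."""
    profiles = {}
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue
        p = profiles.setdefault(
            ev["user"], {"devices": set(), "hours": [], "countries": Counter()}
        )
        p["devices"].add(ev["device"])
        p["hours"].append(ev["ts"].hour)
        p["countries"][ev["country"]] += 1
    for p in profiles.values():
        # Half-open window: logins at hours 8..20 give (8, 21), i.e. 8 AM to 9 PM.
        p["active_hours"] = (min(p["hours"]), max(p["hours"]) + 1)
        p["home_country"] = p["countries"].most_common(1)[0][0]
    return profiles


def score(ev: dict, profile: dict) -> list:
    """Return the list of deviations from the baseline (empty means normal)."""
    flags = []
    if ev["device"] not in profile["devices"]:
        flags.append("unknown_device")        # device tracking
    lo, hi = profile["active_hours"]
    if not lo <= ev["ts"].hour < hi:
        flags.append("off_hours")             # behavioral: time of day
    if ev["country"] != profile["home_country"]:
        flags.append("unusual_country")       # behavioral: location
    return flags


def review(history, attempts) -> list:
    """Score each new attempt against its user's baseline."""
    profiles = build_profiles(history)
    results = []
    for ev in map(parse, attempts):
        profile = profiles.get(ev["user"])
        flags = score(ev, profile) if profile else ["no_baseline"]
        results.append((ev["ts"].isoformat(), ev["user"], flags))
    return results


if __name__ == "__main__":
    for ts, user, flags in review(HISTORY, NEW_ATTEMPTS):
        verdict = "OK" if not flags else "REVIEW: " + ", ".join(flags)
        print(f"{ts} {user:6} {verdict}")
```

Each flag is a reason to step up authentication or hold the request for review rather than an automatic denial; the point of the talk's "red flag" wording is that the biometric result alone should not be the only signal the server looks at.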
Free Tools
Here are some free tools for you to use for reducing the likelihood of falling victim to cyber attacks.
FIDO – Fast Identity Online – I hope that most of you are familiar with it. If not, be here tomorrow morning for the Keynote. Read it, learn it, love it. It will make your life a lot easier.
OWASP – The open web application security project – The worlds of hardware and software are being merged like never before. Now we have biometric devices interacting with the web. Familiarize yourselves with common attacks that can come from the web.
Join pilot programs for new biometric tech. There are many new biometric technologies coming out all the time. Try them out!