From fingerprint readers to Apple’s Face ID, there’s been a steady move toward biometric login methods for smartphones and applications over the last several years. But these authentication methods have their own set of weaknesses, which often create a false sense of security in users. WatchGuard CTO Corey Nachreiner’s latest guest column in SC Magazine argues that hackers will take advantage of this false sense of security and target biometric login methods more heavily in 2019.
Password security overall is quite poor, since it’s difficult for humans to remember long, complex strings of characters for each of their dozens of online accounts. Using a fingerprint or a face scan to unlock a phone or log into an application is more convenient and secure than using weak passwords, or passwords that have been reused across multiple sites. However, biometrics can be hacked too. Here’s an excerpt from Corey’s article with some examples:
“Back in 2002, a Japanese security researcher was able to achieve 80 percent success fooling biometric authentication using melted gummy candies to replicate lifted fingerprints. While fingerprint reader technology has improved over the last 15 years, it isn’t without fault. Just last year, researchers from New York University and Michigan State University used machine learning to create a fingerprint “master key” with reasonable success in a simulated environment. Attackers might not even need to use AI to generate valid fingerprints. In 2015, foreign hackers breached the United States Office of Personnel Management (OPM) and made off with troves of data, including 5.6 million sets of fingerprints from US intelligence agents and other government employees.”
A better solution is to pair biometric login methods with a strong password or another authentication method – in other words, to use multi-factor authentication (MFA). This means attackers can’t breach an account if they guess or steal one factor. MFA used to be impractical for smaller organizations because it usually relied on expensive, hard-to-manage hardware tokens, but cloud-based, smartphone-enabled MFA is now making this technology accessible to organizations of all sizes.
Read the full article on SC Magazine and check out WatchGuard’s 2019 predictions about biometrics. You can also watch our post-apocalyptic predictions video and see all of WatchGuard’s 2019 predictions here.