For my long-time readers, here’s a quiz. Read the four statements below and take a guess as to which one of these statements best reflects my views.
- With recent accuracy improvements, facial identification is the only identification method that you will ever need in the future.
- Possession of a driver’s license is sufficient to prove identity.
- Fingerprints are the tried and true authentication method; you don’t need anything else.
- Passwords are dead.
Readers, this was a trick question. I don’t agree with ANY of these statements. It is possible to subvert facial identification methods. Your twin can steal your driver’s license. Fingerprints can be subverted also. And passwords have their place.
If you’ve read my writings for any length of time, you know that I believe that any single authentication factor is not a reliable method of authenticating someone. Multifactor authentication, in which you use more than one of the five authentication factors, is a much stronger method. It’s possible to spoof any single authentication factor (a gummi fingerprint, a fake driver’s license, etc.), but it’s much harder to spoof multiple factors.
Please note that I am referring to multiple FACTORS, not multiple TYPES OF BIOMETRICS (for example, authenticating finger and face and declaring victory). All biometrics fit within the “something you are” category, and it’s much better to combine this factor with one or more of the other four: something you know, something you have, something you do, and somewhere you are. Or perhaps use two factors other than biometrics. The important thing is that you use multiple factors.
What of the vendor that only offers one type of biometric authentication? Or the vendor that only offers biometric authentication? Or the vendor that only processes secure documents? Or the one with really strong password protection schemes? Well, in my humble opinion these vendors need to partner with other vendors who support other authentication factors, to ensure delivery of a robust solution.
Julie Pattison-Gordon made many of these points in a recent GovTech article, “Cyber Refresher: Understanding Multifactor Authentication.” But she made two additional points that are worth mentioning.
Friction and authentication
The first point that Pattison-Gordon makes is the following:
Agencies may need to consider how their selection of authentication methods creates or avoids friction for employees.
Friction, in which a task becomes hard to perform, is bad.
Some authentication methods have, or can have, more friction than others. For example, some password implementations require use of characters from the Roman, Greek, and Cyrillic alphabets and require you to change your password daily. (I exaggerate only slightly.) Older iris readers required you to put your head directly against the reader, like if you were at an opthamologist’s office. Even today, most fingerprint readers require you to touch your finger against a platen. (There are exceptions.)
But why worry about friction? After all, if someone’s required to perform some type of authentication, they’re going to do it regardless of how hard it is.
Oh no they’re not:
Speaking during a panel last month, Delaware Chief Security Officer Solomon Adote said that workers who find MFA processes too cumbersome may adopt unsafe workarounds, such as storing official files on personal devices to let them skip login procedures entirely.
This is worse than an abandoned shopping cart, since it’s the abandonment of an entire security infrastructure. When security is too cumbersome, the result is little or no security at all.
It is possible to improve all authentication methods to reduce friction. Strong yet easy passwords that you don’t have to change all the time. “On the move” capture of all sorts of biometrics, including fingerprints, faces, and irises. The ability to read information on secure documents without sliding them through a card reader (yet incorporating protections against unauthorized reading of the data).
Trust me – frictionless will make people happier and will cause them to use your security methods without objection.
Emerging threats and authentication
Pattison-Gordon makes a second point:
Organizations must also weigh the cyber threats facing each type of authentication, as malicious actors continue evolving their strategies.
No authentication method is foolproof, and every authentication method attracts one or more threats. I’ve mentioned some in passing in this post, such as “gummi fingerprints” in which someone creates a fake fingerprint with the ridge detail from a true fingerprint. Pattison-Gordon mentions another threat, SIM swapping.
There are ways to deal with these two threats. For example, if a gummi fingerprint is literally a piece of non-organic material, there are various methods of liveness detection (tempreature, heartbeat detection, skin features) that can identify the fingerprint as fake.
However, this does not solve the problem, since some day some fraudster will create a fake fingerprint that appears to have human skin, a temperature, a detectable heartbeat, and everything else that a real fingerprint will have.
Security is a constant war between the fraudsters who develop a hack, the cybersecurity folks who develop a block to the hack, and the fraudsters that develop a new hack that avoids the block to the previous hack. No authentication method is foolproof.
This is one of the benefits of multifactor authentication. When this is used, then the fraudster needs to hack something you are AND something you know AND something you have AND something you do AND somewhere you are. MFA hacking is not impossible, but it is much, much more difficult than hacking a single factor.
And you also have to keep up with the latest hacks and continue to research. Don’t quit researching an authentication method just because it seems great now.
(A couple of you may know why I said that.)