The “Yes” – Better Than a Password
Biometrics are a big step forward in authentication. A fingerprint, face or iris match verifies that the person at the device is the enrolled user, and that verified identity is the basis on which access to information and functionality is then authorized.
With the widespread adoption of mobile, and biometric scanners built into smartphones and laptops, consumers are now using biometric access more frequently across all types of applications. And banks, financial institutions, merchants and other industries are aware of the security and customer experience benefits of biometrics and are integrating them into their applications.
And it isn’t just physical biometrics that are growing in usage. Behavioral biometrics, which recognize how a person behaves, such as how they touch the keypad, move around with the device, move the mouse and their typing rhythm, are also gaining traction.
Breaches and password fatigue clearly indicate that password-based security is failing. Simple username and password logins, long the norm for authenticating users, are no longer enough to limit the financial and reputational damage caused by fraud. And remembering passwords remains a continual burden for users.
Biometric adoption is being driven largely by consumers who are either tired of password overload or who understand that passwords are an antiquated form of security.
Biometrics are a big improvement in authentication and keeping consumers and enterprises safer. However, you can’t rely solely on biometrics for user authentication. You have to know that the device itself is trustworthy as well.
The “No” – Additional Protection is Still Necessary
While the biometric itself is relatively secure, the environment in which it operates may not be.
Malware is a major threat. In some cases the malware’s author actually wants you to authenticate: spyware, for instance, captures information after you log in, such as account numbers, card data or other personally identifying data, which is then used directly for fraud or sold on criminal marketplaces. Against this kind of malware it is irrelevant whether you unlocked the session with a biometric or a passcode; the attacker simply reads what the legitimately authenticated session displays.
Users can get infected with such malware in multiple ways:
These are just a few of the ways fraudsters steal a consumer’s personal information. There are many others, ranging from replay attacks, man-in-the-middle and man-in-the-application attacks to session hijacking.
The Holistic Solution
Stronger security requires two-factor or multi-factor authentication, that is, using more than one kind of attribute to verify users, combined with risk analysis. A biometric on its own is a single factor, and any single factor can be defeated by a determined fraudster, so it needs to be one layer in a multi-layered approach. In particular, a successful biometric login says nothing about the security or risk of the device on which the biometric is being checked.
As noted, malware and other threats operate quietly in the background, stealing funds and information away from users without them even being aware of it.
To counter those threats, and for biometrics to be truly secure, they must be combined with an appropriate device authentication solution, so that there is trust not only in the user but also in the device itself.
A device that has been previously seen and bound to a consumer can serve as the “something you have” factor in multi-factor authentication, and the biometric supplies the “something you are” factor. The caveat is that device recognition only counts as a possession factor if it is tied to something an attacker cannot simply copy, such as a key held in the device’s secure hardware, rather than a fingerprint of attributes that can be replayed from another machine. With that in place, the combination is a strong multi-factor defence against fraud.
Whether on PC or mobile, any multi-factor authentication system benefits from comprehensive device integrity screening, in which high-risk factors and anomalies that point to a fraudster working behind the scenes can be uncovered.
In the mobile channel, application validation is especially important: confirming the integrity of the mobile app identifies potential tampering such as repackaging or injected code. Alongside app validation, malware/crimeware detection and root/jailbreak detection, including detection of cloaked root/jailbreak, help identify risky devices, as do location triangulation and detection of spoofing tools. This analysis surfaces threats that seek to bypass or ignore the biometric authentication. One caveat: integrity signals reported by the app itself can be falsified on a compromised device, so they carry the most weight when corroborated server-side.
It is also useful to analyze the number of successful and failed biometric attempts. For example, repeated failures and lockouts on one account or device may indicate that a fraudster is trying to break the sign-in process.
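The two preceding paragraphs describe device integrity screening and analysis of biometric attempt history without showing what either looks like in practice. The following is an added example, not code from the original article or from any vendor product: it parses a constructed authentication event log, flags devices with bursts of biometric failures or a lockout followed by a successful fallback login, and combines those flags with assumed device signals (root/jailbreak, emulator, app hash versus an expected release hash) into an allow / step-up / deny decision. The event format, thresholds, field names and the expected hash value are all illustrative assumptions.

```python
"""Device-integrity screening combined with biometric-attempt analysis.

Added example, not code from the original article or any vendor product.
The event format, thresholds, device signals and the expected app hash are
assumptions made for illustration; the sample events are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed authentication events: timestamp device_id account result
SAMPLE_EVENTS = """\
2024-03-01T09:00:01Z dev-A acct-1 biometric_success
2024-03-01T09:00:05Z dev-B acct-2 biometric_fail
2024-03-01T09:00:09Z dev-B acct-2 biometric_fail
2024-03-01T09:00:14Z dev-B acct-2 biometric_fail
2024-03-01T09:00:20Z dev-B acct-2 biometric_fail
2024-03-01T09:00:25Z dev-B acct-2 biometric_fail
2024-03-01T09:00:31Z dev-B acct-2 lockout
2024-03-01T09:00:40Z dev-B acct-2 passcode_success
2024-03-01T09:10:00Z dev-C acct-3 biometric_fail
2024-03-01T09:30:00Z dev-C acct-3 biometric_success
"""

# Hypothetical hash of the genuine release build, as the server would record it.
EXPECTED_APP_HASH = "sha256:genuine-release-build"


@dataclass(frozen=True)
class DeviceSignals:
    """Integrity signals gathered about the device making the login attempt."""
    device_id: str
    known_device: bool          # previously seen and bound to this customer
    rooted_or_jailbroken: bool  # includes cloaked root found by other checks
    emulator: bool
    app_hash: str               # hash of the installed app reported during validation


def parse_events(text):
    """Parse the whitespace-separated event lines into time-sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), device, account, result))
    return sorted(events)


def biometric_attempt_anomalies(events, window=timedelta(minutes=5), max_failures=3):
    """Flag devices whose biometric attempt history looks like an attack.

    Two patterns are detected: at least `max_failures` biometric failures inside
    a sliding `window`, and a lockout followed within `window` by a successful
    login through a non-biometric fallback (the attacker gave up on the sensor
    and used a stolen passcode instead).
    """
    anomalies = defaultdict(set)
    recent_failures = defaultdict(deque)
    last_lockout = {}
    for ts, device, _account, result in events:
        if result == "biometric_fail":
            failures = recent_failures[device]
            failures.append(ts)
            while ts - failures[0] > window:   # drop failures older than the window
                failures.popleft()
            if len(failures) >= max_failures:
                anomalies[device].add("repeated_biometric_failures")
        elif result == "lockout":
            last_lockout[device] = ts
        elif result.endswith("_success") and not result.startswith("biometric"):
            lockout_ts = last_lockout.get(device)
            if lockout_ts is not None and ts - lockout_ts <= window:
                anomalies[device].add("fallback_success_after_lockout")
    return dict(anomalies)


# Reasons that make the environment itself untrustworthy, whatever the biometric said.
HARD_FAIL = {"app_tampered", "rooted_or_jailbroken", "emulator"}


def assess_login(signals, anomalies):
    """Decide how much to trust a biometric 'yes' coming from this device.

    Returns (decision, reasons): 'deny' when the device fails integrity checks,
    'step_up' when it is unfamiliar or its attempt history is suspicious,
    'allow' when it is known and clean.
    """
    reasons = []
    if signals.app_hash != EXPECTED_APP_HASH:
        reasons.append("app_tampered")
    if signals.rooted_or_jailbroken:
        reasons.append("rooted_or_jailbroken")
    if signals.emulator:
        reasons.append("emulator")
    reasons.extend(sorted(anomalies.get(signals.device_id, ())))
    if not signals.known_device:
        reasons.append("unrecognised_device")
    if HARD_FAIL & set(reasons):
        return "deny", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    found = biometric_attempt_anomalies(parse_events(SAMPLE_EVENTS))
    for d in (
        DeviceSignals("dev-A", True, False, False, EXPECTED_APP_HASH),
        DeviceSignals("dev-B", True, False, False, EXPECTED_APP_HASH),
        DeviceSignals("dev-C", True, True, False, EXPECTED_APP_HASH),
        DeviceSignals("dev-D", False, False, False, "sha256:repackaged-build"),
    ):
        print(d.device_id, *assess_login(d, found))
```

The point of the structure is that the biometric result never reaches the decision on its own: a tampered app or rooted device is denied regardless of a successful match, and a clean but unfamiliar device, or one whose attempt history shows a burst of failures and a fallback login right after a lockout, is sent for step-up verification rather than trusted outright.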
Device identification and the analysis of high-risk indicators on the device allow greater trust. In turn, greater trust allows businesses to seamlessly authenticate good consumers, make more confident transaction decisions, and expand channel functionality while reducing the fraud risk.
Biometrics are positioned to significantly diminish the issues we still see today with passwords and credential theft. Combined with next-generation device authentication, biometrics can help facilitate a frictionless and convenient customer experience. In today’s 24/7 environment, it will continue to be necessary for organizations to deploy a multi-modal, multi-layered security stance in order to keep consumers and enterprises secure now and into the future.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.