Biometrics and Multi-Factor Authentication

As computing power increases and bad guys are looking for ways to steal things like usernames and passwords, it’s natural that the technology industry has been looking for new ways to make it more difficult for unwanted parties to gain access to information and resources (such as personal finances).

Today, Citibank made an announcement that it will roll out voice biometrics over the next few months to a select group of customers for its telephone-based services. For the non-technical, this means that Citibank will capture a voiceprint for each customer that can uniquely and reliably identify one person from another (even identical twins in most cases).

So why is biometrics a great solution in multi-factor authentication?

Authentication that relies on “something you have” (like a username or password) can be considered weak as people can either guess or steal it without providing some sort of proof that they are genuinely you. Whilst stronger passwords may go some way to prevent casual or brute force guesses, authentication methods that rely solely on usernames and passwords are susceptible to these sorts of attacks.

Multi-factor authentication introduces an additional means by which to prove your identity such as “something you own” and you may already be using something along these lines. For instance, many corporate VPNs provide a security token to its staff to use in conjunction with a username and a password. Unless an attacker has physical access to the token the chances of being able to break in are greatly diminished but not completely eliminated (as the chance for guessing the hash on the token correctly as well as the username and password still exists – albeit slim).

This is where authentication against “something you are” or biometrics comes in.

Things like a voiceprint and fingerprints go some way to prevent impersonation as an attacker can’t “guess them”. Either a person has exactly what is being sought for successful authentication or they don’t possess the  correct input. For all but the most determined hackers and criminals, this significantly increases your security.

However, whilst guessing is out of the picture, emulation is another issue altogether.  For example, a voiceprint could be provided by means of a high quality audio recording of the targeted individual covertly captured at a prior time. In terms of fingerprints, play dough and cadaver fingers have been proven to work with a success rate of up to 90% on basic readers that don’t pay attention to other qualities of the provided input (such as moisture patterns, temperature, etc).

By no means is biometric security a silver bullet but when used in conjunction with other means of authentication, such as a username or password or more modern methods such as security tokens, it does up the ante against traditional attacks that aren’t expecting anything more than the basics.

4 comments

1 ping

Skip to comment form

  1. Great article Boydo,

    Do you have any other examples of large companies, such as Citigroup, incorporating biometrics into their network security scheme?

    1. Hi Plurilock. At least in Australia, Citigroup appears to be on the cutting edge when it comes to biometric security. Most other commercial entities still resort to derivatives of usernames and passwords with a smaller number employing one time passwords with tokens or SMS.

      Australia does use ePassports used in conjunction with eGates allowing citizens with compatible passports to pass through immigration with biometric authentication. I’ve yet to try this myself as my passport still has a couple of years left on it!

      Looking globally, I am also aware of theme parks like Disneyland using biometrics to tie a person to a ticket to prevent multiple people from reusing the same ticket. Technically, it’s not for the security of the users but it secures revenue for the theme park.

  2. Thanks for sharing Boydo.

    It will be interesting to see the implementation cycle for biometric technologies in the marketplace. The main issues seem to be reliability, as companies need them to be extremely accurate before implementing them, intrusiveness, as many of the technologies rely on a hardware component to authenticate users, and of course cost. It is interesting to follow which companies are using these technologies and what type of biometric application they are using.

    Our company’s flagship biometric application, BioTracker, uses individual keystroke and mouse dynamics to continuously authenticate users, and made its first appearance in the marketplace this year. It appears that a growing list of organizations around the world are poised to integrate biometric applications into their security scheme over the next few years, especially given the large number of breaches we have seen recently.

    1. No worries, thanks for your feedback – biometric implementations certainly are an area of growth and I am fascinated by the various methods authentication can be achieved. As you mentioned, accuracy and reliability are key in order to support a positive user experience as well as being consistent in correctly authenticating users.

      To draw a parallel, many companies in Australia were deploying voice recognition systems in place of traditional touch tone implementations used for guiding a phone call to the correct queue. However, many voice recognition systems were poorly trained and unable to cope with the native language let alone accents from the multitude of cultures in our society.

      Security is certainly a key focus for businesses these days so it’ll be interesting to observe the innovation in this particular area.

  1. […] while ago, I wrote an article about multi-factor authentication and how it can be used to add another line of defence to your personal information and accounts. […]