The Case for Biometric Authentication for Identity Verification
Biometrics are body measurements related to human characteristics. Biometric authentication is the act of using an individual’s biometrics as a form of identification and access control. Of the various biometric measurements used for this purpose, the most popular are: fingerprint, palm veins, facial recognition, palm print, hand geometry and iris/retina.
Advantages of biometric authentication
• Everyone has access to their own unique set of biometrics (you are sure to not forget or lose this password 😊).
• Biometric identification answers the something you have and something you are in the trifecta of security (something you know, something you have, something you are).
• Biometrics are hard to fake or steal (though, there is a criminal element out there working hard at it).
• Convenient and fast (simply look at your phone’s camera or press your finger on the reader and presto, you’re in).
Out with the old, in with the new
The really cool sci-fi flicks of your youth that used biometric authentication to move the plot along, have now come to life. Voice ID, retina scans, facial recognition and the like are no longer science fiction. They are science non-fiction and part of the fabric of human society. Authentication based on one’s biometrics has applications in a myriad of industry verticals from E-commerce (age verification) to E-government (border control), financial services and insurances (KYC).
Even though the password and email combo continue to be the go-to method for authorized access to the myriad use cases that require identity verification, they will soon be a relic of the past. Given the growing number of large-scale data breaches, the password and email combo might soon be relegated to history. A replacement for this dated authorization process could be biometric authentication.
Passwords: an outdated authentication technique
Who doesn’t want to rid themselves of the annoying email/password authentication combo? Sure, autofill is an option - most web browsers and password vaults will complete this tedious task for you. But at an added risk to your online security! If someone is able to get their hands on your device, they could easily access all of your online accounts in one go.
One could try memorizing their passwords, but this is rather difficult unless you have an eidetic memory like that smart guy from Suits, Mike Ross. Many people do choose this route - of course they are not as capable as the Mike Rosses of this world. They might memorize 3-4 passwords usually of the minimum length required (and often based on a slight modification of one password).
It is highly likely though that these password(s) have already been leaked in a data breach at a company of an online service with poor security. Such an occurrence would be totally out of the affected individual’s control and there is a good chance that they don’t even know about the breach. Type in your email at https://haveibeenpwned.com/ and see for yourself whether or not your credentials have been compromised.
Fortunately, in most cases, the login information that a company has on file for you will be salted and hashed. Though some companies might still store their customer’s passwords in the simplest, and most idiotic way ever: in a database. And all it takes is one data breach of one of these companies for your email/password combo to be leaked to the world. In its most simple rendition the database has a table for ‘usernames’ and another for ‘passwords’, and they are just there. The authentication system in place compares your input to these two fields, and if you match them, you are in.
To better understand how widespread this bad practice is look no further than some of the largest technology-focused companies that have been outed for using a simple database to store your password. For example, Robinhood, Google, Facebook, GitHub and Twitter to name but a few.
Hackers are actively phishing for your email/password combos
A company’s internal email/password vault is a prime target for hackers as it contains all the credentials necessary for authentication. If a company’s security configuration has been set up poorly or has flaws, the vault will be vulnerable. Even if the vault is fairly well locked down using industry best practices, it will always have a bullseye on its back as a high-value target.
If hackers are unable to crack the vault itself, they will attempt to get the users into giving up their passwords for them through a technique known as phishing. This style of attack is the preferred choice by hackers. The 2020 Internet Crime Report (PDF) published by the FBI listed phishing as the most common attack performed by cybercriminals, showing more than twice as many incidents of phishing than any other type of computer crime.
It's really a no-brainer for hackers, as they can mass deliver an email to 100s of thousands of people at once and then sit back and wait for the clicks. Instead of working hard to pick one well guarded lock, criminals rather devise schemes to get users to give up their credentials themselves. If a hacker is successful in convincing a user to click on a link in an email or text, they may also inadvertently download malware such as keystroke loggers or screen scrapers. These applications will transmit passwords and much more without detection.
If that’s not enough to give you nightmares there is always network sniffing. This attack occurs when hackers tap into public Wi-Fi networks. Using commonly available software, hackers can grab all kinds of information including credentials, credit card numbers and other private information. Cybercriminals are also known to create rogue access points posing as legitimate Wi-Fi networks, enabling them to intercept and collect the data transmitted by unsuspecting users.
5 ways that passwords can be stolen from the EU cybersecurity agency
The European Union Agency for Cybersecurity shares its recommendations for improving the security of passwords and authentication methods. Today, passwords can be stolen in multiple ways, including:
- Social Engineering attacks such as phishing credentials using fake pages, voice phishing (so-called Vishing), shoulder surfing (e.g. peeping behind a person who is typing their password on a laptop) and even retrieving handwritten passwords from post-it notes.
- Stealing using specialized software or physical keyloggers. Some of these attacks require a physical presence or proximity to a laptop or a device.
- By intercepting communications, using fake access points or by leveraging man-in-the-middle attacks (MiTM) at a network level, more prevalent in public WiFis found in hotels, cafés, airports, etc.
- Brute-force attacks on passwords by trying all the combinations, dictionary attacks or by simply guessing the password.
- Retrieving passwords directly from data breaches and leveraging them using password spraying techniques to other legitimate services.
PXL Vision’s platform for biometric authentication
No security solution is perfect or absolute, but organizations can take a major step forward simply by replacing the weakest link in the security chain: passwords. Spoofing, phishing, keylogging, sniffing and other forms of digital theft all target passwords. They won’t work if there is nothing to steal. Similarly, on the corporate side, doing away with passwords eliminates the need for credential vaults altogether.
PXL Vision is working towards abolishing passwords altogether. Using a combination of computer vision and machine learning, PXL Vision’s technology uses computer vision and machine learning to match the facial characteristics of an authorizing individual to an approved face (after going through an identity verification process) stored in a database.
Many experts believe that two-factor solutions involving SMS codes or image verification solve the password problem. But requiring two forms of verification doesn’t remove the burden on the end user. It amplifies it. In effect, users are being told, “Here’s a one-time token, but don’t get tricked into giving up your password. If you do, it’s your own fault.”
Biometric authentication, however, significantly changes the paradigm. It begins with our smartphones that over 3 billion of us carry with us every day. By leveraging PXL Vision’s identity verification platform via biometric facial recognition, users can immediately satisfy the “something you have” and “something you are” requirements of the security trifecta mentioned above. The 3rd element can easily be a simple username as “something you know”.