Meeting Evolving Security Challenges With Biometric Authentication

Cybercriminals are using more advanced strategies to uncover weak links in the enterprise cybersecurity infrastructure. Learn how biometrics can deliver strong, proven access control to employees and customers in comparison to legacy MFA techniques.

Last Updated: March 5, 2021

The SolarWinds intrusion showed how attackers who already held valid credentials could subvert multi-factor authentication (MFA), enrolling their own phones as a second factor, to move through corporate networks and workstations. Here, Jim Sullivan, Chief Legal Officer and SVP of Strategy and Compliance at BIO-key, argues that, for all its promise, phone- and token-based MFA is becoming a bottleneck and is opening the door to a new wave of attacks. He recommends biometric authentication as a way for security teams to deliver robust, proven access control to employees and customers.

Cybercriminals are not only improving their social engineering skills but are also using more advanced strategies to uncover weak links in enterprise cybersecurity infrastructure. The SolarWinds breach is only the most prominent of the dozens of serious breaches reported every week.

It goes without saying that enterprises, agencies, and institutions must be on guard and ready to defend against targeted cyberattacks. For some, including those in the financial industry, regulations have already forced them to seriously enhance their security measures. Others are being directed by their leadership, boards of directors, insurers, or financial auditors to comply with multiple overlapping data protection regulations such as GDPR, CCPA, PCI DSS, and NIST SP 800-171, while implementing a rest-of-enterprise security framework such as the NIST Cybersecurity Framework, ISO 27001, or SOC 2 for services. These regulations are strict, they are enforced with 20/20 hindsight, and they will likely become more onerous over time.

It is incumbent on CISOs and cyber risk professionals to identify and meet these directives head-on. The best cybersecurity teams do so with empathy for their business constituents' goals, drivers, and constraints. Teams that exhibit this trait think differently about their role and about the types of solutions they offer their business partners. It is vital to deliver solutions that secure and appropriately limit access to valuable information assets and sensitive customer data, and that also streamline the access experience so business users can get their jobs done and have no reason to circumvent policy. The authentication user experience a company provides its customers and workforce can mean the difference between success and irrelevance in today's digital economy.

The Danger is Real 

Users need access to systems to do their jobs, and few are measured on their cybersecurity hygiene. Mainstream user authentication approaches make a fatally flawed assumption about these users: they place too much reliance and responsibility on end users to comply with policies that keep attackers at bay. Maintaining unique, complex passwords and never sharing a credential are two foundational axioms of authentication. Yet we continue to hear about breaches arising from ghost accounts, shared credentials, or weak, guessable passwords.

The investigation of the Oldsmar, Florida water treatment facility breach found that every operator workstation had TeamViewer running, that a single password was shared across all of those workstations, and that they were directly connected to the internet without a firewall. The mistake has been to presume that end users passionately share an enterprise's goal of preventing unauthorized access by anyone but themselves. In one recent email spoofing attack, employees of an organization were asked to reply with their username and password. Sixty percent of them complied and sent their credentials.

The combination of ever more clever attacks and the weaknesses of human nature means that organizations requiring a high level of security have a problem. Enterprises need to remove that risk and human error from the equation.

Backdoors and Supply Chain Attacks

Some cyberattacks are performed through "backdoors," applications or implants used to obtain remote access. With a backdoor, attackers reach the network while bypassing frontline detection systems. Backdoor attacks are not user authentication attacks per se, but they can be facilitated by infiltrating a supply chain vendor and riding that vendor's trusted pathways into the enterprise, where credential theft and data exfiltration follow.

Two major examples of this kind of attack are the 2020 SolarWinds and the lesser-known 2017 ShadowPad attacks, both significant supply-chain attacks that originated in compromised legitimate software. In each case the attackers opened a backdoor through malware delivered as part of an update to the software. They were then able to expose thousands of customers to serious attacks, including advanced persistent threats that "live off the land" within the victims' systems.

When these advanced persistent threats gain a foothold, one of their objectives is to obtain administrator credentials to infiltrate the enterprise further. 60 Minutes recently reported that FireEye discovered the SolarWinds breach because an alert security staffer noticed that an intruder had added their own phone number as a second authentication factor for a legitimate user. Further investigation found that many impostors were roaming freely in FireEye's network, using phone-based multi-factor authentication (MFA) to assume legitimate users' identities.
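The FireEye detection described above, an analyst noticing that a second phone had been enrolled for a legitimate user, can be turned into a repeatable check against an identity provider's audit log. The script below is an added example, not code from the article or from any vendor's product. Its log format, event names (login_ok, mfa_enroll), field names and sample lines are all constructed for illustration; real identity providers emit enrollment events under their own schemas, so the parser is the part you would replace. It flags an enrollment when the user already has a working factor of the same type, when the enrollment comes from an address never seen in that user's successful logins, or when the same phone number is enrolled on more than one account. A first-time enrollment with no login baseline is deliberately not flagged.

```python
"""Hunt for suspicious second-factor enrollments in an authentication audit log.

Added example, not part of the original article or any vendor's product.
The log format, event names, field names and values are constructed for
illustration; real identity providers use their own schemas.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log: "<timestamp> <event> user=<id> ip=<addr> factor=<type>:<id>"
SAMPLE_LOG = """\
2020-11-02T08:15:02Z login_ok     user=alice ip=10.20.3.14 factor=phone:+15550100
2020-11-03T08:12:44Z login_ok     user=alice ip=10.20.3.14 factor=phone:+15550100
2020-11-04T08:09:10Z login_ok     user=bob   ip=10.20.3.30 factor=phone:+15550200
2020-11-19T23:41:57Z mfa_enroll   user=alice ip=198.51.100.77 factor=phone:+15550999
2020-11-19T23:43:05Z login_ok     user=alice ip=198.51.100.77 factor=phone:+15550999
2020-11-20T01:02:19Z mfa_enroll   user=bob   ip=198.51.100.77 factor=phone:+15550999
2020-11-21T09:00:00Z mfa_enroll   user=carol ip=10.20.3.40 factor=totp:carol-authenticator
"""


def parse_line(line):
    """Parse one constructed log line into a dict; return None for blank lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    rec = {
        "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event": parts[1],
        "factor_type": None,
        "factor_id": None,
    }
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        if key == "factor":
            rec["factor_type"], _, rec["factor_id"] = value.partition(":")
        else:
            rec[key] = value
    return rec


def find_suspicious_enrollments(log_text):
    """Return a list of alert dicts for mfa_enroll events that look like takeover."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])

    # Pass 1: which users enrolled each factor id anywhere in the log.
    # An attacker reusing one phone across victims shows up here.
    users_per_factor = defaultdict(set)
    for r in records:
        if r["event"] == "mfa_enroll":
            users_per_factor[r["factor_id"]].add(r["user"])

    # Pass 2: walk chronologically, building each user's baseline from
    # successful logins that happened before the enrollment.
    known_ips = defaultdict(set)           # user -> IPs seen on login_ok so far
    known_factor_types = defaultdict(set)  # user -> factor types that completed a login
    alerts = []
    for r in records:
        if r["event"] == "login_ok":
            known_ips[r["user"]].add(r["ip"])
            if r["factor_type"]:
                known_factor_types[r["user"]].add(r["factor_type"])
            continue
        if r["event"] != "mfa_enroll":
            continue
        reasons = []
        if r["factor_type"] in known_factor_types[r["user"]]:
            reasons.append("duplicate_type")      # a second phone for a user who has one
        if known_ips[r["user"]] and r["ip"] not in known_ips[r["user"]]:
            reasons.append("unfamiliar_ip")       # no baseline yet -> not flagged
        if len(users_per_factor[r["factor_id"]]) > 1:
            reasons.append("factor_shared")       # same phone on several accounts
        if reasons:
            alerts.append({
                "ts": r["ts"].isoformat(),
                "user": r["user"],
                "ip": r["ip"],
                "factor": f"{r['factor_type']}:{r['factor_id']}",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(SAMPLE_LOG):
        print(alert["ts"], alert["user"], alert["factor"], alert["ip"], ", ".join(alert["reasons"]))
```

On the constructed log this raises two alerts, for alice and bob, each with all three reasons, and stays silent on carol's first-ever TOTP enrollment. In production the "unfamiliar_ip" baseline should be bounded to a window (for example the last 30 days of logins) and the alert routed to the user for confirmation before the new factor is trusted.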

Third-Party Vendor User Risk

Similarly, weaknesses caused by the poor cybersecurity hygiene of third-party vendors can result in a data breach. These outsourced vendors often have interests that conflict with the security policies of the principal enterprise. For example, if they are paid only per transaction or completed task, their focus is on throughput rather than on the more intangible security requirements. Through careless or expeditious third-party vendors, attackers can reach sensitive organizational or customer information and systems.

In the Target breach case, it was a third-party support vendor whose credentials were compromised to allow the breach of the retail point-of-sale systems and steal credit card data. When a vendor is provided a direct connection to get their job done, bad actors can also get direct access to corporate systems. 

Dealing with third parties is often a fact of business life, and they can and should be held accountable for maintaining the enterprise's security and risk posture. Yes, they must agree to protect the organization's information and implement the proper cybersecurity controls. Still, a relying party can make the process simpler by using MFA and SSO that incorporate a biometric authentication factor, so there is no excuse for policy subversion.

Employee User Risk

Sadly, many of the attacks that significantly affect an enterprise come from inside the company. One widely cited statistic lays the blame for 60% of all cyberattacks at the feet of employees. There are two types of employee-related cyberattacks: unwitting and intentional.

Just 25% of insider-derived attacks are the result of unwitting human error and are unintentional. Phishing scams, social engineering, using the same passwords across systems, downloading malware through email, and logging into the network through a public computer are just some of the ways that employees unintentionally create account takeover vulnerabilities for an organization. Adding MFA to the enterprise greatly reduces account takeover risk, but the wrong MFA solution may add friction to the authentication process and affect productivity and the user experience.

Of bigger concern is that the vast majority of employee-related breaches, 75% of them, are intentional. These involve employees who have gone "rogue" or have been co-conspirators with criminals or competitors. The reasons vary: sometimes it involves a recently fired or former employee whose credentials are still valid within the network, sometimes a disgruntled or compromised current employee. One rotten-apple insider can perpetrate the attack or hand their authentication credentials to an attacker, enabling them to access servers, systems, and data. How can an enterprise stop a willing co-conspirator from handing over an account?
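Credentials of departed staff that remain valid, the ghost accounts mentioned earlier, are the one insider risk that a routine control catches cheaply: reconcile the HR leaver list and recent sign-in activity against the directory. The script below is an added example and not part of the article or any product. The HR roster, directory export and column names are constructed assumptions; real exports will differ, but the three findings it produces (an enabled account for a terminated person, a sign-in after the termination date, and an account with no owner in HR, optionally dormant) are the ones worth reviewing every cycle.

```python
"""Reconcile HR leaver records and sign-in activity against directory accounts.

Added example, not from the original article. The roster, directory export,
column names and dates are constructed for illustration.
"""
import csv
import io
from datetime import date

# Constructed HR roster: who is currently employed and when leavers left.
HR_ROSTER = """\
employee_id,username,status,termination_date
1001,alice,active,
1002,bob,terminated,2021-01-15
1003,carol,terminated,2020-12-01
"""

# Constructed directory export: account state and last successful sign-in.
DIRECTORY = """\
username,enabled,last_signin
alice,true,2021-03-04
bob,true,2021-03-01
carol,false,2020-11-28
dave,true,2021-02-27
svc-backup,true,2020-06-10
"""


def _parse_date(value):
    """Return a date for an ISO string, or None when the CSV field is empty."""
    return date.fromisoformat(value) if value else None


def reconcile_accounts(hr_csv, directory_csv, as_of, dormant_days=90):
    """Return {username: [reasons]} for accounts that need review.

    as_of is an ISO date string; dormant_days is the inactivity threshold for
    enabled accounts. Accounts with nothing wrong are omitted from the result.
    """
    as_of = date.fromisoformat(as_of)
    hr = {row["username"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = {}
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        name = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_signin = _parse_date(acct["last_signin"])
        reasons = []

        person = hr.get(name)
        if person is None:
            # Nobody in HR owns this account: service account or ghost.
            reasons.append("no_owner_in_hr")
        elif person["status"] == "terminated":
            term = _parse_date(person["termination_date"])
            if enabled:
                reasons.append("terminated_but_enabled")
            if term and last_signin and last_signin > term:
                # Someone used a leaver's credentials after they left.
                reasons.append("signin_after_termination")

        if enabled and last_signin and (as_of - last_signin).days > dormant_days:
            reasons.append("dormant")

        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in sorted(reconcile_accounts(HR_ROSTER, DIRECTORY, "2021-03-05").items()):
        print(f"{user}: {', '.join(reasons)}")
```

Run against the constructed data as of 2021-03-05, bob is reported as terminated but enabled and signed in after termination, dave has no owner in HR, and svc-backup has no owner and has been dormant for months; alice and carol produce no findings. The dormant check is only applied to enabled accounts because a disabled ghost is already contained, and the "no owner" case is kept separate from "terminated" because unowned service accounts need an owner assigned, not a disable.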

Enter Biometric-enabled MFA Solutions

Many organizations address the challenges of novel, complex security threats and user experience concerns with the strategic use of biometrics. By incorporating biometric authentication as a factor for single sign-on and self-service password reset, an enterprise strengthens its security posture against phishing, because there is no secret for a user to type into a fake login page.

Biometric identity is tightly bound to the individual: it is implemented as a comparison of measured physical features against an enrolled template that only one person can match. Because they are measurements rather than secrets, biometrics cannot be forgotten, lost, or handed to a colleague, and they identify the individual rather than a device or a secret they carry or know. One-touch biometric authentication provides "who you are" security while delivering a streamlined workflow, allowing employees, vendors, and customers to get past proving who they are and on to what they want to accomplish.

Consider the reported breach at FireEye described earlier. There, attackers were able to register additional phones to real users' accounts and then roam FireEye's networks undetected as if they were those users, because the second factor verified possession of a phone and nothing verified who had enrolled it. In contrast, biometric authentication verifies the user directly rather than their device, and is resistant to phishing, keyloggers, SIM swapping, and the enrollment of extra phones, since none of those attacks yields anything that can be replayed as the user's body.

Retail and bank staff often rotate among several active workstations as part of their work; they are "roving users." A knee-jerk reaction would be to have these users authenticate with phones or tokens, but each option has drawbacks. Employee phones may seem to be a zero-cost factor, but labor laws in a growing number of states require fair compensation for employee-paid phone use, and that liability is retroactive and open to private class-action suits. Phones are a constant distraction from work, and their cameras can capture sensitive screens. Cards and tokens are expensive, need spares ready for when they are lost, and can be defeated by sharing because they do not actually identify the user. In these scenarios, biometrics removes the excuses and the temptation to undermine policy while providing an effortless authentication experience at any workstation, with nothing to carry at all.

Conclusion: Better Usability, Cost Savings, and Reduced Liability

Strategic CISOs collaborate with their business partners and aim to provide security solutions that enhance, not diminish, productivity while stopping both insider and external threats. Accommodating a wide variety of use cases, and thinking beyond the limitations of mainstream MFA approaches to a wider range of factor options, is critical to accomplishing these goals.

Jim Sullivan

Senior Vice President of Strategy and Compliance and Chief Legal Officer, BIO-key

Jim Sullivan is BIO-key's Senior Vice President of Strategy and Compliance and Chief Legal Officer. Jim is a recognized expert and frequent speaker on biometric identity, privacy law, and security for enterprise and consumer applications. In over 17 years at BIO-key, Jim has worked directly with dozens of BIO-key's household-name customers on large-scale, biometric-centered identity management projects that serve millions of corporate and consumer users daily. Jim has 30 years of experience in IT projects and implementation, 20 of them working directly with identity management solutions at BIO-key, Computer Associates, Platinum Technology, and Memco Software.