Target Attack Leads to Discussion of Biometric Authentication

In the last week or so it has come to light that the way the Target Corporation attackers got into Target’s internal network was by using a vendor’s userID and password.

The attackers first compromised the vendor’s corporate network. From there they were able to steal the vendor’s Target userID and password and then access the Target network through the vendor’s network. Almost certainly, this attack did not require the attackers to have physical access to any of the vendor’s or Target’s locations.

A Better Way to Authenticate

One way to make it much harder to successfully mount these kinds of attacks is to require biometric authentication.

Biometric authentication is better than “something you have” types of authentication because, implemented correctly with the right kinds of devices, the attackers would have to be in collusion with an “authorized” employee. There is no card that can be read, lost, or stolen, and no cell phone number that can be subverted with “man-in-the-middle” attacks.

The Privacy Misconception

So why haven’t biometrics caught on in most IT shops yet? I believe there are two primary factors. The first major factor is perceived complexity coupled with a lack of expertise. The second, and perhaps the most harmful, is misconceptions about the impact of biometrics on privacy.

In the next newsletter I’ll address the issue of complexity and expertise, and some other factors that have limited the use of biometrics in IT shops. In this issue, I’ll focus on the misconceptions of threats to privacy due to biometric authentication.

Objections to biometric authentication typically boil down to employees not wanting their employers or the companies with which they do business to have their fingerprint/retinal scan/palm vein map, etc. These fears, however, are misplaced. To understand why, we first need to examine the difference between identification and authentication.

Identification is quite different from authentication.

Identification is the process of determining who a person is. Authentication is the process of verifying whether a claim of identity is valid.

I’ll use fingerprints in the discussion of the differences, but the concepts are equally valid for any type of biometric used for authentication.

Identification vs. Authentication

When most of us think of biometrics, we often think of law enforcement and how they can identify a suspect through fingerprints found at the crime scene. If law enforcement finds fingerprints at the crime scene, they can identify a suspect by comparing those fingerprints to those in a national database. This database is known as the Automated Fingerprint Identification System (AFIS), which is maintained by the FBI. The database contains the fingerprint images and personal data about the person to whom the prints belong. If a match is found in the AFIS database, law enforcement has identified a suspect. Identification, then, is the process of determining who a person is in the absence of any explicit claims of identity.

IT shops tend to deal only with authentication. Whenever we “login” to a system, application, or website, we provide two pieces of information: a userID and a password. Technically, the userID is a “claim of identity.” You are asserting that the person attempting to login is the person who is represented within the system by the provided userID. The password is used to verify (i.e. authenticate) the claim of identity. The assumption is that only the person and the system “know” the password. If that assumption is valid, then the person providing those two pieces of information must be “who they claim to be.”

This type of authentication is referred to as “something you know” (i.e. the password). The obvious issue with this type of authentication is that passwords can be stolen or guessed relatively easily. Another issue is that with the proliferation of useful websites that we all want to visit, the number of passwords that we have to remember makes choosing good ones nearly impossible without doing something else to remember them. Nearly all of the mechanisms we use to remember passwords also increase the chances of someone stealing them.

There are two other ways to perform authentication. One is “something you have” (e.g. a particular SIM card in a cell phone, a card, or some other piece of hardware). Like something you know, this type of authentication is also susceptible to improper sharing and theft. It also leads to problems with efficiency. For example, if you are registered with 10 web sites, your company’s VPN, and two or more internal servers, you could conceivably end up with a mixture of all of these and still have problems remembering which “thing” is used with which site and making sure you have the “thing” you need for the site you want to access at the time you want to access it.

The last type of authentication is referred to as “something you are.” Biometrics is a form of “something you are” authentication. The primary advantage of biometrics is that they are very efficient for those being authenticated. You always have something you are with you. You can’t forget or misplace something you are. It is more difficult to share something you are with someone else.

Privacy Compromised?

Now we can tie the identification and authentication discussion back to privacy concerns. These concerns are based on the false impression that in order to use a biometric, such as your fingerprint, for authentication, your employer must store an image of your fingerprint. Further, your employer could then share that image with other entities, governmental or private, for some nefarious reason.

This concern is invalid. While law enforcement needs to store actual fingerprint images for purposes of identification, companies don’t because they are using biometrics only for authentication. To understand why, we now have to describe how devices used in biometric authentication generally work.

Biometric authentication process

Again, I’ll use a fingerprint device to describe, in general, the business process needed when using any type of biometric device for authentication.

The process of biometric authentication begins with user “enrollment.” This process involves taking several images of one or more fingers. An algorithm is used to measure “minutiae” (e.g. curls and ridges) found in the images. The algorithm changes the minutiae data into a biometric enrollment template. The enrollment template is then stored in the company’s authentication database along with your userID. If the company uses centralized biometric authentication, the database is stored on a company server. If device-based authentication is used, the template is stored in the fingerprint reader device. This completes the enrollment part of the process.

Once enrolled, you are now able to do biometric authentication. When you access a system, application, or website that supports biometric authentication, you are asked to provide your userID and to place your finger on the fingerprint device. Again, the device converts the image of your fingerprint to a template. Your userID (i.e. claim of identity) is used to find your enrollment template in the authentication database. The authentication template is compared to the enrollment template mathematically.

While the process appears to be based on an exact match similar to passwords, with biometric authentication there are no exact matches. Matches are based on a degree of confidence, and the system can be tuned to require a more or less “exact” match. Tuning essentially allows you to raise or lower the level of confidence required before a match is accepted.
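
The enrollment and verification steps above, as an added example that is not from the original newsletter or from any vendor's matcher: short feature vectors stand in for minutiae templates, and `ENROLLMENT_DB`, `similarity`, and all sample values are assumptions made for illustration. It also includes a 1:N `identify` search to contrast identification with the 1:1 authentication check.

```python
import math

# Hypothetical in-memory stand-in for the authentication database:
# userID -> enrollment template. No images are stored, only templates.
ENROLLMENT_DB = {}

def make_template(captures):
    """Average several captures (toy feature vectors) into one template."""
    return [sum(col) / len(captures) for col in zip(*captures)]

def similarity(a, b):
    """Confidence score in (0, 1]; 1.0 only when the vectors are identical."""
    return 1.0 / (1.0 + math.dist(a, b))

def enroll(user_id, captures):
    ENROLLMENT_DB[user_id] = make_template(captures)

def authenticate(user_id, capture, threshold):
    """1:1 check: userID is the claim of identity, the capture verifies it."""
    template = ENROLLMENT_DB.get(user_id)
    if template is None:
        return False, 0.0          # unknown userID: nothing to compare against
    score = similarity(template, capture)
    return score >= threshold, score

def identify(capture, threshold):
    """1:N search with no claim of identity: best-scoring user, or None."""
    scored = [(similarity(t, capture), u) for u, t in ENROLLMENT_DB.items()]
    score, user = max(scored, default=(0.0, None))
    return user if score >= threshold else None

# Constructed sample data (not real biometric measurements).
enroll("alice", [[0.50, 0.20, 0.90, 0.40], [0.52, 0.18, 0.88, 0.42],
                 [0.48, 0.22, 0.92, 0.38]])
enroll("bob", [[0.10, 0.80, 0.30, 0.70], [0.12, 0.78, 0.32, 0.68]])
ALICE_LOGIN = [0.53, 0.21, 0.87, 0.41]   # fresh capture, never an exact match

if __name__ == "__main__":
    for claim, thr in [("alice", 0.95), ("alice", 0.98), ("bob", 0.95)]:
        ok, score = authenticate(claim, ALICE_LOGIN, thr)
        print(f"claim={claim:5} threshold={thr} score={score:.3f} accepted={ok}")
    print("identify:", identify(ALICE_LOGIN, 0.95))
```

The same fresh capture is accepted at a 0.95 threshold and rejected at 0.98, which is the tuning trade-off between false rejects and false accepts.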

The most important thing to understand about biometric templates is that the algorithms that produce them are not reversible; that is, given a template, it is impossible to produce an image that could have created that template.

In effect, biometric template creation algorithms are a mathematical hash of the image. This makes privacy issues associated with biometric authentication no different than those for any other personal information that your company collects and stores, such as your social security number. Biometric templates certainly cannot be used to “plant” your fingerprint somewhere in order to frame you for a crime or prohibited behavior.

Summary

The recent Target and similar attacks once again make us think about more effective and efficient ways to authenticate people using our computing resources. This inevitably leads to the discussion of biometric authentication — a technology that provides superior authentication.

However, biometric authentication has not been widely adopted largely due to misplaced concern about the privacy of those being authenticated. In fact, because biometric authentication is done with biometric templates generated from fingerprint images, only the templates are stored, not the fingerprint images themselves. Further, it is mathematically impossible to retrieve an image of a fingerprint from a biometric template.

There are other reasons why biometric authentication has not proliferated in IT shops, and I will discuss those in the next newsletter. But privacy is one of the biggest factors, and that concern is invalid.
