Common misconceptions about smart homes and biometrics
Article by FIDO Alliance executive director and CMO Andrew Shikiar.
Smart home integration is gaining popularity – especially in modern times with more people confined to their homes by Covid-19. According to Statista, there are currently 1.1 million homes with smart security systems in Australia - a number expected to double by 2023 – and a further 200 thousand in New Zealand. Smart security systems include network cameras, video doorbells and other security and access control devices designed to safeguard against home invasions and theft.
Smart devices are constantly evolving and offering more features, connectivity and integration with other devices and software platforms. The future smart home promises a seamless, personalised experience. As an example, smart locks provide added home security as well as a means to keep more the vulnerable members of society safe.
Smart locks can ensure that elderly relatives are secure while householders are out of the home and that children can let themselves in after school safely. Biometric digital door locks combat the threat of intruders and negate the fear of a lost key ending up in the wrong hands by ensuring that only pre-identified people can enter.
In addition to smart home innovations, the commercial application of biometrics is also being progressively rolled out in other industries, including digital banking, construction and facility security to name a few. According to IDC, almost a third of organisations in APAC see biometrics for authentication purposes as important or extremely important.
Although APAC is ahead of the curve on biometrics adoption, concerns around security and losses from identity fraud still persist. The global outcry following incidents such as the Biostar 2 data breach merely add fuel to the fire.
The most common misconception is the immunity of biometrics to potential attack. It is critical to disengage the connection between data breach stories and biometrics, by focusing on the fact that the real cause of most attacks is not biometrics itself, but the storage of biometrics data in a centralised database.
Misconception #1: Biometrics are insecure
Contrary to common concerns about privacy, biometric authentication is one of the most secure and usable forms of authentication available today. If implemented correctly, biometrics can actually be one of the few technologies with no tradeoff, offering users both convenience and security.
What is less known, however, is that “correct” implementation – or optimal implementation - means keeping biometric data out of centralised servers and adhering to privacy best practices.
Pilfered passwords – still the most widely used form of authentication today – are responsible for more than 80% of hacking-related breaches, according to a Verizon Data Breach Investigations Report.
Biometrics is one of the best options for replacing passwords going forward, and may even revive two-factor authentication (2FA) adoption – but we cannot make the same mistake we did with passwords.
Look at the model: Passwords lost their efficacy because the average user has over 90 online accounts and, more often than not, uses the same password across several of them. The fact is, a thicket of passwords ends up as sitting ducks on a server somewhere, stolen and then easily used for password spraying, credential stuffing, and other attacks that let cybercriminals into private and sensitive accounts.
The financial impact of each data breach is staggering, costing USD2.13 million on average in Australia, according to research conducted by IBM and the Ponemon Institute.
Biometrics are secure, yes. But if we store them on a server, biometrics data will be as easy to steal as passwords.
So instead of relying on servers, biometric data can and should only be stored locally on the user’s device (e.g., laptop or mobile phone). Tech heavyweights – Microsoft, Apple, and Google – are already taking this approach. Consumers are rightly concerned about their biometric data being safeguarded, and providers must be transparent about using the right approach to biometric data storage.
Misconception #2: Biometrics are easy to spoof
Very early on, biometric spoofing also raised alarm bells. Online coverage around hackers creating sophisticated fingerprint moulds with 3D printers and successfully getting into a device is even more pervasive. While biometric systems are vulnerable to presentation (or spoofing) attacks, in practice they are extremely difficult to implement and – most critically – they are prohibitively difficult to implement at scale.
Vendors are addressing this by coming out with new innovations in both the sensitivity of their sensors, as well as adding new liveness detection capabilities to test for the proper user.
JFK airport in New York recently launched a biometric self-boarding system. With a brief glance at a high-precision camera equipped with next-gen liveness detection, passengers are automatically cleared for boarding.
The spoofing threat does not mean we have to abandon biometrics. We just need to be realists about the cyber arms race and also be sure to follow biometric authentication best practices.
In addition to only storing biometric data on the device, service providers need to take a second step, which is to leverage available technology that verifies the physical possession of the authorised user's personal device every time the biometric is presented.
Take these two steps – store biometric data on the user’s device (and never let it leave) and require irrefutable proof of device possession – and the threat of a large-scale breach of biometric data is gone.
A criminal would need both the biometric data and the actual device to even attempt an attack. If we know anything about hackers, an attack plan needs to be large-scale, or they are not going to bother.
By taking these steps, we can embrace the convenience that biometric authentication offers with no tradeoff.