Passwords, biometrics and multi-factor verification: What businesses need to know


Verifying identity is a double headache for small businesses.

On the one hand, there’s the question of identity verification within your organization. You need to be sure only authorised staff are conducting financial transactions, and that access to wider business systems and information is for employees only.

On the other hand, there’s the vital matter of confirming the identity of your customers, particularly if you give them an online account and take online orders or payments. Fraudulent payments cost UK industries £755m last year – and the trend is rising.

What do you need to know right now about the future of identity verification?

Passwords have been the primary route for guarding access to digital data for the last 50 years, ever since a team at the Massachusetts Institute of Technology introduced passwords to its time-sharing system in the early 1960s so that multiple users could share the same computer while keeping their files private from one another.

But earlier this year President Obama declared it was time to “move beyond passwords – adding an extra layer of security like a fingerprint or codes sent to your cell phone”. His message holds true for businesses on both sides of the Atlantic. Why?

Firstly, passwords are a primary target for hackers. Some data thefts have compromised millions of passwords.

Secondly, consumers and employees continue to use weak passwords, old passwords and recycle them across multiple online accounts. Passwords that are easy to guess are a gift to hackers and cybercriminals.

And thirdly, we have seen an increase in the use of phishing attacks, where cybercriminals attempt to trick you into giving up your password.

The advent of two-step verification – entering a password and then confirming the login or transaction with a one-time PIN sent to your smartphone – has added a new layer of security in recent years.

But two-step verification is still vulnerable to attack, especially when a user needs to reset or recover their account: a recovery flow that asks for less proof than the normal login, or that lets someone change the registered phone number without the second factor, bypasses the second step entirely. The right process needs to be in place to ensure that no weaknesses are introduced when the account is maintained.
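To make the second step concrete, here is an added example of the server side of "enter your password, then the code we sent you". It is illustrative code written for this article, not taken from any product mentioned on the page, and the limits (six digits, five-minute lifetime, five guesses) are assumed values. It shows the properties that make a sent code worth having: the code is generated unpredictably, stored only as a keyed hash, compared in constant time, expires, is discarded after too many guesses, and works exactly once.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_LENGTH = 6          # digits in the code sent to the phone (assumed value)
CODE_TTL_SECONDS = 300   # the code is worthless after five minutes (assumed value)
MAX_ATTEMPTS = 5         # guesses allowed before the code is discarded (assumed value)


@dataclass
class _PendingCode:
    digest: bytes      # HMAC of the code; the plaintext code is never stored
    key: bytes         # per-code random key for that HMAC
    expires_at: float
    attempts: int = 0


class SecondStepVerifier:
    """Server side of 'enter your password, then the code we sent you'."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        # The clock is injectable so expiry can be exercised without waiting.
        self._clock = clock
        self._pending: Dict[str, _PendingCode] = {}

    @staticmethod
    def _digest(code: str, key: bytes) -> bytes:
        return hmac.new(key, code.encode("utf-8"), hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id and return it for delivery (SMS, push)."""
        # secrets, not random: the code must be unpredictable to an attacker.
        code = "".join(str(secrets.randbelow(10)) for _ in range(CODE_LENGTH))
        key = secrets.token_bytes(32)
        # Issuing a new code invalidates any earlier one for this user.
        self._pending[user_id] = _PendingCode(
            digest=self._digest(code, key),
            key=key,
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code  # hand to the message sender; never write it to a log

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True only for the outstanding, unexpired code, and only once."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False                      # nothing outstanding for this user
        if self._clock() > entry.expires_at:
            del self._pending[user_id]        # expired: discard, force a re-issue
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]        # too many guesses: discard the code
            return False
        # Constant-time comparison so response timing does not leak matching digits.
        ok = hmac.compare_digest(self._digest(submitted, entry.key), entry.digest)
        if ok:
            del self._pending[user_id]        # single use: a replayed code fails
        return ok
```

The attempt cap matters as much as the code length: a six-digit code has a million possibilities, which is trivial to exhaust if the server lets an attacker keep guessing. Note that nothing here protects the recovery path discussed above; a reset flow that hands out a new code without checking the existing second factor undoes all of it.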

Biometric verification as an additional layer of security

Major ecommerce companies, tech giants and financial institutions are turning to biometric verification as an additional layer of security. Scanning a user’s face, fingerprint or voice to establish their identity will become more prevalent, either as the primary authentication method or to protect the recovery and reset process.

In theory, the strength of biometric security is that it is rooted in something unique to us all: our biology and physiology. So is this the future: asking employees and customers to scan their fingerprint, face or voice before accessing an account or completing a transaction? Not yet. Biometric tests are starting to become mainstream – thanks, in part, to featuring in the latest generation of many Android and Apple mobile devices.

But academics, security researchers and hackers have demonstrated in recent years a variety of simple tricks that can beat biometric verification. Fingerprint recognition systems have been hacked with child’s modelling clay.

High resolution photographs and high definition videos have defeated facial recognition technologies and retinal scanners. Recorded fragments of speech grabbed from voicemail recordings or spam calls have been used to crack voice recognition security, to say nothing of old-fashioned impersonation.

There have also been large-scale data breaches that included the theft of biometric data, such as the 2015 breach of the US Office of Personnel Management (OPM), which exposed fingerprint records among a reported 18 million people’s data.

What does the future of identity verification look like?

Business owners need to think of identity verification – for employees and customers – as a series of independent steps. Getting identity verification right is one of the foundations of good security. Access to accounts and information needs to be controlled and carefully guarded to keep hackers at bay.

Biometric security has taken a leap from the pages of science fiction to become science fact in recent years and it will play an increasing role in identity verification in future.

But researchers have shown practical issues and vulnerabilities that need to be addressed, and unlike a password, a fingerprint or face that has been copied cannot be changed. It’s likely that biometrics will become an additional step in a longer authentication process rather than a single-step solution. The technological challenge is to make the verification simple and easy for the authenticating user while making it tougher for cyber-criminals.

The practical takeaway for business owners is to think carefully now about how many steps employees and customers are asked to take to confirm their identity or to complete a financial transaction. Set a password policy so that customers visiting your site and employees accessing internal systems are required to use strong passwords based on passphrases when they are creating accounts or accessing accounts.
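One way to enforce the passphrase-based policy just described, as an added example written for this article rather than code from any product or vendor named on the page: the check favours length over forced symbol mixing, rejects well-known passwords even when padded with digits or separators, and refuses passwords that embed the username or repeat a handful of characters. The thresholds and the small deny-list are assumed values; in a real deployment the deny-list would be a breached-password corpus of millions of entries.

```python
import re
import unicodedata
from typing import List

# Policy constants (assumed values for illustration; tune to your environment).
MIN_LENGTH = 12
MAX_LENGTH = 128          # generous cap so long passphrases are never truncated
MIN_DISTINCT_CHARS = 5    # rejects "aaaaaaaaaaaa" and "abababababab"

# Constructed deny-list standing in for a real breached-password corpus.
COMMON_PASSWORDS = {
    "password", "password1", "password123", "passw0rd", "123456",
    "123456789", "qwerty", "letmein", "welcome", "iloveyou",
    "admin", "changeme", "monkey1234",
}


def _normalize(password: str) -> str:
    # Unicode normalisation so visually identical inputs are judged the same way.
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    pw = _normalize(password)
    problems: List[str] = []

    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if len(pw) > MAX_LENGTH:
        problems.append("too_long")

    # Strip separators and trailing digits/'!' before the deny-list lookup so that
    # "pass word", "p-a-s-s-w-o-r-d" and "Password1!" do not slip past.
    compact = re.sub(r"[\s\-_.]", "", pw.lower())
    if compact in COMMON_PASSWORDS or compact.rstrip("0123456789!") in COMMON_PASSWORDS:
        problems.append("common_password")

    # A password built around the account name is guessable from the login form.
    if username and len(username) >= 3 and username.lower() in pw.lower():
        problems.append("contains_username")

    if len(set(pw)) < MIN_DISTINCT_CHARS:
        problems.append("low_variety")

    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    return not check_password(password, username)
```

Deliberately absent is any rule demanding an uppercase letter, a digit and a symbol: such rules push users towards predictable substitutions ("Passw0rd!") rather than longer passphrases, which is the opposite of what the policy above is trying to encourage.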

Think about the systems you use within your business and the level of verification they demand; it may also be a good time to audit who has access to which systems. If there’s an option to turn on multi-factor verification, it’s worth doing.