Using biometrics to protect crypto currency


The rise of crypto currency is something that investors have monitored closely. Whether Bitcoin, Zcash or Ripple, digital currency is here to stay. With this boom in crypto currencies and blockchains for asset holdings, currency exchange, retail purchases, and even our digital identity documents, and with recent heists that have rocked the market, companies will need to require the strongest available authentication and authorization technologies, backed by rock-solid key recovery methods.

Take for example the recent Coincheck heist of over $500 million in NEM. It was the latest high-profile crypto hack, and the most significant since $460 million in Bitcoin vanished in 2014. It also comes less than two months after hackers pilfered $70 million from a Bitcoin mining site – a sign that crypto continues to attract hackers. The Coincheck heist was a ripe one for attackers because the exchange stored funds in a “hot wallet” instead of an offline “cold wallet”.

This underscored the need to protect cyber currency holdings by using strong customer authentication (SCA) technologies. SCA means that organizations implement two out of three authentication factors: password, token and biometrics. The new EU PSD2 (Revised Payment Service Directive) requires SCA and explicit customer consent for payments and other authorizations. Passwords and physical tokens are already used by many organizations at great cost because of password churn, distribution of physical devices and recovery, but biometrics are a relative newcomer that adds new benefits: identity verification, biometric signatures, and non-repudiation.

Hot vs. cold wallets

To start, it is important to understand that most companies who have digital currencies have hot wallets and cold wallets.

A hot wallet means that the asset holder does not directly hold the corresponding private key for a crypto currency. Rather, an exchange holds collective private key(s) in its wallet while each customer owns a derivative of that wallet. Hot wallets are connected to the Internet, while cold wallets are not. Protecting “hot” wallets by password alone is insufficient and ill-advised. Additionally, even the use of three-factor authentication via SMS coupled with a password is not recommended.

One of the strengths of crypto currencies is supposed to be the decentralized ownership of assets on a blockchain through direct ownership of the private key(s), but “cold” wallets are difficult to manage, because there is no remediation for the loss or theft of a cold wallet.

Exchanges, due to the hot nature of their approach, can offer account recovery and fraud management as value-added services to customers who don’t want to risk losing their cold wallets – however, it’s always a tradeoff.

To this end, some coin exchanges have instituted enrollment and recovery processes that involve identity verification, so that consumers can protect their investments in case of loss or theft. But these processes are vulnerable to the same attacks, social and technical, that plague password reset methods. In today’s day and age, where crypto currency threats are increasing and becoming more sophisticated, it is crucial for organizations to protect cyber currency holdings by using strong customer authentication (SCA) technologies.

Three things every organization can do

1. Implement biometrics: Adding biometrics to the identity verification and recovery processes in coin exchanges can strengthen on-boarding and ongoing fraud detection. In some jurisdictions, companies can utilize government identity checks; Aadhaar and similar know-your-customer (KYC) systems are available for real-time checks using fingerprint biometrics. Fraud detection and forensic processes could also benefit, helping to track down money laundering and terrorist finance networks.

2. Use biometric-based consent: Biometric-based consent collected during SCA-required transactions is vital. For example, for the transfers over 50 Euro on which PSD2 requires SCA, a biometric signature can be recorded to increase confidence that the end-user granting consent is really the user, rather than someone with a stolen token or password. This form of consent is an alternative to SMS- or time-based one-time password (TOTP)-based 2FA, and it is increasingly the major adoption point for biometrics. It gives the back-end system a better confidence measure than device possession or a password and PIN when identifying the end-user for escalated, high-value transactions.

3. Consider non-repudiation: Finally, it is still to be determined whether biometric signatures, such as attestation signatures made with a private key locked by a biometric, can be used for non-repudiation. If a consumer authorizes a transaction with SCA using only a password or token, they could always claim later that their device was stolen or compromised, and the burden is then on the financial institution to prove otherwise. Proof of possession is extremely weak because users often repudiate a transaction they regret. If an SCA-consented transaction using a biometric signature is judicially ruled a viable form of non-repudiation, the result could be widespread adoption of biometrics as one of the three forms of SCA for large transactions. Otherwise, biometrics will have the same utility as passwords and tokens, sans the identity verification benefits.
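The consent flow that items 2 and 3 describe, as an added example that is not part of the article: a device signing key that is usable only after a local biometric match, and an exchange-side check that accepts SCA-range payments only with a valid signature over amount, recipient and a back-end nonce. Ed25519 stands in for whatever attestation scheme a real device would use; the `Transaction` format, the 5000-cent threshold constant and the biometric match flag are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Transaction is the payment being consented to. Amount is in euro cents; Nonce
// is issued per request by the back end so an old consent cannot be replayed.
type Transaction struct {
	Amount    int64
	Recipient string
	Nonce     string
}

// ConsentPayload is the canonical bytes the device signs and the exchange checks;
// changing amount, recipient or nonce invalidates the signature.
func ConsentPayload(tx Transaction) []byte {
	return []byte(fmt.Sprintf("consent|%d|%s|%s", tx.Amount, tx.Recipient, tx.Nonce))
}

// RequiresSCA applies the 50 euro threshold the article cites for PSD2.
func RequiresSCA(tx Transaction) bool { return tx.Amount > 5000 }

// Device models a signing key "locked by a biometric": usable only when the
// device's local biometric match succeeds (the match itself is not modelled).
type Device struct{ priv ed25519.PrivateKey }
func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // exchange enrols pub
	return &Device{priv: priv}, pub
}

// SignConsent produces the biometric signature; a failed match yields none.
func (d *Device) SignConsent(tx Transaction, biometricMatched bool) ([]byte, error) {
	if !biometricMatched {
		return nil, errors.New("biometric not verified: signing key stays locked")
	}
	return ed25519.Sign(d.priv, ConsentPayload(tx)), nil
}

// Authorize is the exchange-side check: SCA-range payments need a valid consent
// signature from the enrolled key; a tampered or replayed payload fails here.
func Authorize(pub ed25519.PublicKey, tx Transaction, sig []byte) error {
	if RequiresSCA(tx) && !ed25519.Verify(pub, ConsentPayload(tx), sig) {
		return errors.New("SCA required: missing or invalid consent signature")
	}
	return nil
}
```

Because the signature covers the recipient and nonce, a consent captured for one payment cannot be reused to authorize a different one, which is what makes the record useful as evidence rather than a mere possession check.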

Regardless of hot or cold wallets, crypto currencies of all sorts require protection of private keys associated with each public wallet address via strong customer authentication (SCA) and authorization.

Private keys can be lost, and in such cases the associated coins are orphaned forever. It is estimated that 20 percent of all Bitcoins are orphaned due to lost or misplaced private keys that are irrecoverable. Even worse, once a thief has a private key, they can quickly transfer funds from your wallet to theirs via transactions that are virtually untraceable.

Biometrics play a vital role in all of these processes and can establish strong customer authentication (SCA) tied to identity credentials. Today, governments and the military use biometrics to secure Common Access Cards (CAC) and Personal Identity Verification (PIV) cards. And, as more customers turn to cold wallets, they’ll need secure and robust key recovery methods that they prepare in advance of disaster. In the near future, all citizens will also be able to secure and recover their assets using biometric technologies once only the purview of military and central banking organizations.