Great brands earn the trust of their loyal customers over time. But brands are created by businesses, businesses are created by people, and people make mistakes. Fixing a mistake can be an opportunity to build a stronger customer relationship, furthering loyalty. Cybersecurity breaches, however, are mistakes of a much greater magnitude. Once trust is lost, the road back can be painful and costly. In some cases, brand damage can be permanent.
Verizon, in their latest annual Data Breach Investigations Report (https://goo.gl/atQnAX), estimates over 80% of breaches “leverage stolen or weak passwords”, directly compromising the attack surface (the login screen). Understandably, choosing the right biometric solution to fortify the attack surface now plays a critically important role in corporate strategies. The decision to use an inappropriate or badly performing biometric can have significant consequences.
Some early adopters buying into overreaching security claims have already felt the public sting of a bad biometrics choice. A while back, a respected US financial organization with a trusted brand chose a biometric that claimed having a user blink proved liveness – but it doesn’t. The weakness was exposed when a national science magazine easily spoofed it, and it was done without even using photo animation software like CrazyTalk.
In the past several years, Samsung has fumbled through a series of major new-product launches that cost it dearly. Hours after the launch, a YouTube video showed a user logging in with a digital photo, destroying the illusion of security (>820,000 views to date). Further, their iris scanner was hacked and the brand took another very public hit.
A very similar story has unfolded around the performance of Apple’s Face ID, which has been spoofed with masks, siblings, a 10-year-old child and even… pizza toppings. At this stage in the development of Face ID, it can only be considered an on-device convenience feature. The consensus is that it will improve, and whether any long-term damage to the Apple brand will result remains to be seen, but as is plainly evident in social media, it is shaking confidence and is not casting a positive light on the flagship device.
John Williams, a San Francisco Bay Area-based global marketing and strategy veteran, is unequivocal: “Major breaches of any sort, like those at Yahoo!, Target and Equifax have a lasting, negative effect on the actual value of the company; and moreover, on a customer’s willingness to stay with the brand. Users will run the other way if they think they are personally exposed. This is true for businesses of any size or type. Spending focused time to match your organization’s specific needs to an appropriate biometric that meets your specific needs and performs as advertised can prevent very serious, lasting consequences.”
This is not to say the massive efforts to advance biometrics are insignificant. Quite the contrary. It’s a difficult problem to solve, not only because of the inherent complexity, but also because the problem and its solutions are truly global and will always be a moving target.
But there are two salient issues to examine today. First, if a biometric is presented as a security feature, it should perform at a level commensurate with what it purports to protect. If it opens a device or can open an app, the level of security is relatively low, and it can be classified as more of a convenience. Face ID, for example, is likely more secure than Touch ID, but for it to protect higher-level transactions, it will require more development (which, no doubt, Apple will do). A latte and a scone, sure. But a $5K wire transfer, it’s not there yet.
This distinction is critical, because even if the spoofing of a biometric is contrived, like the Touch ID vs. cat’s paw video, the company’s brand is at risk because the general public can’t discern between real threats and contrived situations. Also, any demonstrable biometric spoof opens the door to liability for friendly fraud. A user can claim that since the biometric was not proven 100% secure, they had nothing to do with the $10,000 transferred overseas from their account, and insist that it had to have been done by an imposter.
With demand for biometrics high, but truly secure mobile biometric options scarce, many companies have settled for multi-factor solutions that compromise security. And in most of these cases the password isn’t actually being replaced; it’s simply being bypassed by the biometric. This means all of the security risks of the password are still present, plus the added risk of the insecure biometric, increasing the attack surface. Brands must realize that biometrics designed to unlock a device are not secure enough to replace a password when accessing a bank or healthcare account.
Reducing the attack surface is one of the most effective means of improving security, and the current trend toward multi-factor authentication embodies this thinking: more login modalities strung together promise to increase security. But if one of the modalities can be easily spoofed, then it can’t really be considered a factor at all. So beware the false sense of security that comes from stringing weak factors together.
Some considerations companies should contemplate before adding a biometric to their app:
- What percentage of the user base owns the specific hardware required to use the biometric? If users can’t try it because they don’t own the latest high-end device, or have not purchased a dongle, they will still have to use passwords by default and the company must continue to support both password and biometric logins indefinitely.
- Is the biometric convenient enough for any customer to use daily? The biometric needs to be fast and as secure as necessary, with as few factors as possible.
- Transmitting digital images of faces or fingerprints to a server and then storing them long term in the cloud, along with passwords and other PII, could prove problematic for the brand if there is a breach.
- Can the biometric be easily spoofed with readily available media? If it takes a 3D face scan and Hollywood mask-making professionals weeks to fool your biometric, the general public will not likely see that as a real-world vulnerability. But if your biometric can be spoofed with a photo, slideshow, video, fingerprint copy or CrazyTalk7, then it’s entirely possible that competitors, unhappy customers, or just YouTubers looking for views may target your brand and expose the weakness.
Some additional considerations when making biometric decisions include:
- Assess all related costs, like dedicated internal support resources and additional customer support requirements, as adding a biometric and keeping passwords may actually cost more to support.
- The term “authentication” is not clearly defined today. A FIDO authenticator and Google authenticator are not the same thing and serve different purposes. True biometric authentication requires strong liveness detection.
- Test and evaluate internally, but also look for reputable third-party verifications and certifications for the assurance of security.
- Consider initiating your own third-party testing for independent verification.
The mobile security problem is global, and affects billions of people. The stakes for trusted brands are very high. The biometric your company chooses will directly impact your users’ security and your image. Give careful and deliberate consideration not only to the convenience level of any biometric you assess, but also to its real-world security level, and determine from every angle whether that impact is net positive or negative.
John Wojewidka is the Director of Business Development for FaceTec, Inc. FaceTec improves security for businesses and consumers by providing intelligent, ultra-secure mobile biometric software to mobile app developers. Leveraging decades of Computer Vision, Artificial Intelligence and Machine Learning experience, FaceTec is changing mobile security by replacing app passwords on nearly all iOS and Android devices with ZoOm®, the world’s first universal 3D face login software for mobile apps. ZoOm’s patent-pending face authentication technology ensures not only positive identification, but also three-dimensionality and liveness. For more information, please visit www.ZoOmLogin.com.