
The Compromised Affair


If people’s credentials are compromised, that is a bad thing. Everybody knows that.

But what if those compromised credentials include people’s biometric data?

What value does a stolen fingerprint template or an encrypted voice profile provide to hackers? And what steps can companies take to reduce the risk associated with dealing with such information?

Six months after the compromise that hit the Office of Personnel Management (OPM), the organization is still catching up and trying to recover from this incident.

The information and credentials that were stolen included biometric data for millions of users. It’s still not clear how well the information was encrypted and if the biometric data was in template/reusable format.

Regardless, let’s assume someone has somehow arrived at a great “copy” of your fingerprint imprint. Can they, using this copy, impersonate you?

To answer this question, we need to look at how systems and services use biometric methods as a means of user identification. If a system relies solely on biometric matches to determine whether you are who you claim to be, then, yes, someone in possession of a pristine copy of your fingerprint can cause serious negative consequences.

Take the typical (and sadly, very popular) smash and grab attack on servers, similar to the one the OPM is dealing with.

How could OPM reduce the risk associated with user credentials if they were to design their solution from scratch, on a clean canvas?

  • For starters, avoid collecting and managing biometric data altogether! A growing catalog of modern, capable devices is eliminating the need to collect biometric data or match biometric information on servers. In fact, an impressive group of companies (including RSA) is pushing for standards (namely FIDO) that require biometric verification to avoid any transfer of user credentials over the wire. In other words, your biometric data never leaves your device, and if it does, it’s useless without the accompanying trusted device. Good for privacy, good for security. Not all devices are capable of this yet, but we’re getting there.
  • Restrict access to trusted devices only. I recently wrote about how this approach can result in improved user identification.
  • Rely on more than one method of user verification. If services rely on more than one indicator to verify your identity, the authentication protection bar is nicely raised. For example, you are who you claim to be because of a biometric match, but also because the service has seen/registered the device you’re using as a trusted device. Or: the type of environment (including location) from which you’re performing this action and the type of action you’re performing look ‘normal’ from a risk analysis point of view. Or: you also know a PIN or can provide a one-time password.
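A simplified sketch of the device-bound approach from the first and third bullets, added here as an example (it is not RSA's or FIDO's code and does not follow the FIDO wire protocol): the fingerprint is matched on the device, which then signs a server challenge with a key that never leaves it, so the server stores only a public key. All type and function names are hypothetical, byte equality stands in for a real biometric matcher, and the fixed nonce stands in for a fresh random challenge per attempt.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device is the user's authenticator; template and private key never leave it.
type Device struct {
	template []byte
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey // the only value the server ever receives
}

// NewDevice enrolls a fingerprint locally and creates a key pair for one service.
func NewDevice(template []byte) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{template: template, priv: priv, Pub: pub}
}

// Sign answers a challenge only after a local match (bytes.Equal is a stand-in matcher).
func (d *Device) Sign(sample, challenge []byte) ([]byte, error) {
	if !bytes.Equal(sample, d.template) {
		return nil, errors.New("local biometric match failed")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

type Server map[string]ed25519.PublicKey // public keys only: a breach leaks no biometrics
// Verify checks a signed challenge against the registered device key.
func (s Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	finger, nonce := []byte("constructed-template"), []byte("constructed-nonce")
	phone := NewDevice(finger)
	srv := Server{"alice": phone.Pub} // enrollment stores the public key only
	sig, _ := phone.Sign(finger, nonce)
	forged, _ := NewDevice(finger).Sign(finger, nonce) // stolen print, attacker's device
	fmt.Println(srv.Verify("alice", nonce, sig), srv.Verify("alice", nonce, forged))
}
```

A perfect copy of the fingerprint enrolled on a different device still fails verification, because the signature comes from a key the server never registered.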

The bottom line:

Relying on more than one verification method reduces the risk associated with each method.

Adding all of these methods to the verification process doesn’t make it 100 percent bulletproof. But if someone matches all these criteria:

  • Has a pristine copy of your fingerprint
  • Is in possession of your registered/trusted device and can unlock it
  • Is performing an action at a known environment and in line with your normal activity pattern

Then, for most/all intents and purposes, they are you (or you are them?).

This, of course, would be considered a sophisticated targeted attack, and it would be very tough, practically impossible, to mount such an attack on a large number of people.

At RSA, we consider various methods of user authentication. For example, the RSA Via Access solution supports biometric user authentication on devices that are equipped with the right sensors (such as Apple iOS devices, and just out now on Samsung devices).

Looking to design a strong user authentication solution that can withstand the notorious smash and grab attacks? You should assume that user biometric data (fingerprints, face-prints, voice-prints) has already been compromised. Start there.

The post The Compromised Affair appeared first on Speaking of Security - The RSA Blog and Podcast.

