Vlog: Advanced Biometrics for MFA

Huzefa Olia

In this vlog, 1Kosmos COO Huzefa Olia and CMO Michael Cichon discuss why government agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) have been encouraging MFA. They explore the issues associated with traditional MFA (passwords, PINs and SMS one-time codes) and how biometric-based MFA backed by a device-bound private key can mitigate these issues.

Michael Cichon:
All right. Well, hello everybody. This is Michael Cichon, chief marketing officer of 1Kosmos. I’m here today with Huzefa Olia, our chief operating officer, to talk about multifactor authentication. How are you today, Huzefa?

Huzefa Olia:
I am good, Michael, but I don’t look as sharp as you.

Michael Cichon:
Oh, thank you very much. Appreciate that. So there’s been so much talk about multifactor authentication. Can you just introduce the topic a little bit and talk about why has this risen to everybody’s top of mind right now?

Huzefa Olia:
I think there are multiple different reasons, but I would say one significant one has been recently, in fact last year, the Biden administration coming out with a mandate with respect to what government agencies, organizations need to do with respect to multifactor authentication. With the environment that we are living in today with the threats everywhere around the world with hacker presence being there almost around us, the government agencies can only play whack-a-mole when it comes to any cyber threat… only to a certain extent. So multifactor authentication, if you look at it is an evolution of how we are managing access today in any kind of a system or a service.

Michael Cichon:
Right.

Huzefa Olia:
Instead of entering just your user name or a password, I need to challenge you to make sure that you are the person who is behind the user name or a password.

Michael Cichon:
Okay. Okay. So I’m familiar with that directive. They talked about multifactor authentication. They talked about zero trust. So setting aside the zero trust, let’s just level set on what is MFA? And you just mentioned you use it in conjunction with passwords. Why do you need it?

Huzefa Olia:
Great question. So multifactor authentication is essentially built on three key principles. It’s built on the principle of what you have, such as a device that has been issued to you by an organization and that has been tied to you. Second is something that you know, which is a password or a PIN that you have registered yourself with. And then the third aspect is what you are, or who you are. Right? And that’s where elements like a fingerprint or biometrics come into the picture as well.

Huzefa Olia:
So multifactor authentication essentially means that anyone who needs to authenticate now into a system, yes, they still have to provide a user name or a password, but in addition to that they have to use any two of these different factors, right… either what they have as well as what they know, or what they are.

Michael Cichon:
Okay. So over and above the password, which we know can be hacked, lost, stolen, what have you, we have these additional factors: The what you know, what you are, what you have. What’s the problem? I mean, does it work? Does it not work? What are the issues?

Huzefa Olia:
So let’s go back to what I just said. Right? The first one, which most organizations work with, is what you know, and that’s where the problem significantly lies.

Michael Cichon:
Right.

Huzefa Olia:
The problem lies with a user name or a password that has been issued to you, and a PIN as well. And we all know that passwords are hackable, either through any kind of social engineering that goes on behind it, or even when it comes to the data of a password or a PIN being stored in any kind of a system. So traditional multifactor systems have operated with a pretext of what you know and then what you have in the equation.

Michael Cichon:
Right.

Huzefa Olia:
And if you are trying to put a bandaid on a problem, which is passwords, by essentially using that as part of your bandaid, then that’s not an effective solution.

Michael Cichon:
Okay. So the person knows the password. They have a second factor, I guess, which is the code. That pretty much proves their identity, doesn’t it?

Huzefa Olia:
Not necessarily. Right? Like I said earlier, a password can be compromised and there are multiple different instances of how a password can be compromised along with a PIN. There are cases of social engineering. More recent hacks have happened with respect to that. You have a password or a PIN that can be compromised based on the device or the communication channel that has been used to essentially communicate that to the user. And most effectively, at the end of the day, when we talk about identity and access management, it is important to essentially assert a user’s identity. And everything that I describe to you right now, there is no identity in the equation. It’s essentially just a password or a PIN that has been provided to you on a device, nothing tying back to what a user’s identity is.

Michael Cichon:
Okay. So these do not prove identity, but they come pretty close to maybe this is probably the person that it’s supposed to be. So how are we solving this problem, the identity gap, if you will, in MFA?

Huzefa Olia:
Okay, let’s not move far away from MFA. Right? When we talk about multifactor solutions and to do it right, you still start with providing a user a device or a user having a device that they trust, but in addition to that, prove who the user is.

Michael Cichon:
Right.

Huzefa Olia:
So essentially using the biometrics into the equation becomes a very effective multifactor solution.

Michael Cichon:
Right.

Huzefa Olia:
In addition to that, you need to make sure that the device is trusted. That’s where zero trust comes in. We can talk a little bit more about that as well. But if you change the way a user needs to authenticate, and the change can be more with respect to I want to prove who I am and I want to prove it with a device that is secure, has been assigned to me, and when I’m challenged to prove who I am, I’m going to essentially prove myself by using my biometrics instead of giving you a password or a PIN.

Michael Cichon:
Okay. So the device, the handset or, I guess, the laptop device, that becomes the what you have. Correct?

Huzefa Olia:
Exactly.

Michael Cichon:
This gets back to the secure enclave or this TPM chip. Correct?

Huzefa Olia:
Yeah. So let me plug our solution right now. It’s a shameless plug. So the way we do this is anytime that a user is enrolled, we create a private key that is stored on a secure enclave of the user’s device.

Michael Cichon:
Got it.

Huzefa Olia:
So that makes it in a very, very secure place. Right? In addition to that, we make sure that we use a user’s biometrics.

Michael Cichon:
Right.

Huzefa Olia:
Those come in two different flavors, and I’m going to reveal the big surprise over here, but either you use a device’s biometrics like Face ID, Touch ID, or something proprietary that we have, which is called LiveID. So you have the secure information stored in the TPM, and even to unlock that, you’re using the user’s biometrics to effectively use that specific key as well.

Michael Cichon:
Okay. So the device biometrics, I mean, we’re all familiar with this. You look at your Apple device, for example, and you log in. That’s pretty close to identity. Right?

Huzefa Olia:
Very close, right? But not quite there. I would say that, I mean, when it comes to most of the scenarios, most of the situations, yes, you can essentially prove with your Face ID or Touch ID. But most often what happens is you have your Face ID and Touch ID, multiple Face IDs and Touch IDs on a specific device, as well as, if your device is compromised or if your Touch ID or Face ID is compromised, you are effectively not knowing who the user is behind that authentication that is happening. And that was one of the primary reasons for us introducing the concept of live biometrics.

Michael Cichon:
Okay.

Huzefa Olia:
The idea of live biometrics is when you’re challenging a user, and especially if you’re looking at an authentication scenario of any kind of a sensitive system or a sensitive transaction, I do want to introduce that friction of the user having to prove who they are.

Michael Cichon:
Right.

Huzefa Olia:
And what live biometrics essentially does is challenges the user to prove their liveness.

Michael Cichon:
Right.

Huzefa Olia:
It essentially asks the user to do some kind of a random action. So I know it’s not just a Face ID or a Touch ID, but it is that user who has enrolled onto the device as well as onto my system. I hope that answered the question.

Michael Cichon:
Well, it does kind of, but now you’ve raised a separate issue, which is the facial biometrics. I know there’s been some discussion of what’s called decisioning bias or racial bias in this facial recognition. Is that then a new problem that surfaces?

Huzefa Olia:
Yeah, absolutely. Because when you walk into the world of biometrics, there are multiple different factors. Right? One is the security aspect of it, and the second is more with respect to the usability of it. What you described comes into the second bucket.

Huzefa Olia:
Let me just describe the first part on the security as well, because that’s important too. Because if you’re talking about passwords, and passwords being replaced by biometrics, you want to make sure that that is effectively stored as well. So the way we do this is, we’ve often seen that any kind of security loophole starts with how data is stored and managed, and most often that comes back to a database in the equation where all of this goes into one large, big honeypot-

Michael Cichon:
Right.

Huzefa Olia:
… which is there for any kind of an attacker to compromise. The way we manage the biometrics is essentially that the private key which I was referring to earlier, in the TPM, is used to encrypt that data, shard it and store it on a private blockchain.

Michael Cichon:
Right.

Huzefa Olia:
So think of this: your face becomes a face map, and that is then stored onto a blockchain.

Michael Cichon:
Right.

Huzefa Olia:
So security’s important and we manage that very effectively.

Michael Cichon:
Okay.

Huzefa Olia:
The second aspect of it is the usability. This is where your false rejection rates, the bias when it comes to a user logging in becomes extremely important. Right? So we have gone through extensive testing on our end with leading biometrics firms to make sure that we are keeping all of those factors down into our system as well.

Michael Cichon:
Right.

Huzefa Olia:
We have a lot of different white papers as well as studies that we have created, which have effectively proven that when it comes to people logging into a system, whether that being… As an example, Michael, if you are logging in, I want to make sure that you’re the right user and you are getting in, not getting locked out.

Michael Cichon:
Well, I tell you as a consumer, I’d like you to be sure it’s me. Because if you’re talking about payroll data, if you’re talking about our hard-won savings, obviously passwords aren’t enough. These SMS codes aren’t enough. The device biometrics scare me. So make it as strong as you can, please.

Huzefa Olia:
Absolutely. Right. And that’s where I think when you talk about biometrics and live biometrics, et cetera, a lot of companies tend to tighten the hole, but usability then takes a backseat.

Michael Cichon:
Right.

Huzefa Olia:
When usability becomes a factor, I want to make sure that you’re the right user and I want to let you in, and I’m not discriminating against you as well.

Michael Cichon:
So the executive order also mentions zero trust, mentions multifactor authentication and zero trust. Can you talk about zero trust and what these two have to do with each other?

Huzefa Olia:
Great. Right. So zero trust, again we won’t have the time to unpack everything which goes within that, but one of the pillars of zero trust is identity. And essentially, if you boil it down, I need to prove who I am every time I log into any kind of a system or a service.

Michael Cichon:
Right.

Huzefa Olia:
So when you look at zero trust today or how organizations traditionally have been trying to implement zero trust, they have effectively used the traditional MFA method to challenge the user and ask the user to prove their identity. And we just unpacked that traditional MFA is not enough.

Michael Cichon:
Right.

Huzefa Olia:
So we believe that when it comes to zero trust, identity being the pillar, the user’s identity has to be proven every time that they’ve been challenged to authenticate into a system.

Michael Cichon:
Right.

Huzefa Olia:
That’s where our version of what we describe as zero trust is using your live biometrics. So think about it. You have an employee who’s logging in through remote access. I want to challenge and essentially say that, Michael, if you’re an employee coming in, I’m going to challenge you with my live biometrics before you come in into any kind of my infrastructure-

Michael Cichon:
Right.

Huzefa Olia:
… or before you log into a Windows machine or a Mac operating system, and so on and so forth.

Michael Cichon:
So I get that. So zero trust would look at an assumed trust as a risk, and that’s somewhat obvious, I guess, but why hasn’t this been done all along?

Huzefa Olia:
Same problem. Right? That most of the organizations have traditionally used the existing methods which are out there to implement zero trust.

Michael Cichon:
Right.

Huzefa Olia:
And that existing method comes to, going back to earlier point, what you know and what you have.

Michael Cichon:
Right. Got it. And probably, they’d drive users crazy if they asked them to key in an SMS code every time they request access.

Huzefa Olia:
Can you imagine the friction that you’re introducing at that point? You’re implementing zero trust and now you’re telling the user, it’s not just using a password, but you have to enter a six-digit code. Right? And hold on, wait a minute. I’m going to send you that six-digit code onto your phone.

Michael Cichon:
Right.

Huzefa Olia:
Right? So not only is there the security aspect of it, which is extremely important, but you want to reduce the user friction as well.

Huzefa Olia:
Well, thank you very much, Michael. It is always a pleasure to be here with you. Great chatting, catching up around MFA, zero trust. Right? Look forward to connecting again.

Michael Cichon:
It was really great having you.

Meet the Author

Huzefa Olia

Chief Operating Officer

Huzefa Olia, Chief Operating Officer for 1Kosmos is a recognized expert in Identity & Access Management. He previously held senior management roles at global identity management services provider Simeio, cyber risk management vendor Brinqa and identity compliance management vendor Vaau (acquired by Sun).