Advanced Biometrics Based Multi-Factor Authentication
Enable MFA!
CISA Director, Jen Easterly posted a video about how to enable MFA across all of your accounts. It’s important to do as it ensures organizational security. But not all MFA is created equal.
Advanced Biometrics Based Multi-Factor Authentication
While multi-factor authentication (MFA) isn’t new to most users, it’s full of problems. Any traditional two-step verification requires a combination of the following data:
- Your user name
- Your password
- A mobile device or token
The traditional method is always full of friction and unsecure. A user has to remember their password in the authentication journey. Their mobile device or token or the gateway used to deliver their OTP may be compromised.
What Is Traditional Multi-Factor Authentication?
Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. Traditional MFA requires users to enter their username and password and an additional verification factor, decreasing the likelihood of a compromised user account.
Traditional MFA offers a variety of factors, each having a varying degree of assurance. For example:
Problem with Legacy MFA
The varying degree of assurance is because of the likelihood of compromise for any factors. The problem with the approach above is that all the above factors don’t assure that the user authenticating against the service is the same user who had registered. This is because all the above methods of MFA use these two factors:
- Possession (Something You Have): A unique token or device or OTP generated. This approach can also include mobile device-based push authentication.
- Knowledge (Something You Know): A credential or piece of information the user knows, such as a username and password, a PIN, or other items.
The problem with the above two is that when it comes to a password or pin, it can be easily compromised through social engineering. A user often repeats their passwords which, with the amount of breach data available on the dark web, is easily accessible.
The trouble with what a user possesses is that even that can be compromised with user behavior. For example, a firm’s VP had unknowingly let the attackers in during a recent breach. It turns out that the VP had approved over ten different push-based messages for logins that he was not involved in. When the VP was asked why he approved the login requests, his response was, “They (IT) told me that I needed to click on Approve when the message appeared!”
The common issue is that the authentication journey does not know the user behind the request and whether the user is the right one.
Biometrics Based MFA
To mitigate the problems with legacy MFA, the authentication journey needs to be now comprised of these two categories:
- Possession (Something You Have): A unique device associated with the user
- Inherence (Something You Are): Inherence focuses on biometrics, typically technologies like fingerprint scans and facial recognition.
1Kosmos BlockID allows registering a user using a feature called “LiveID.” The user performs an advanced form of biometrics called a liveness test as part of this feature. This biometric identifier eliminates any risk of facial spoofing, which is the task of creating false facial verification by using a photo, video, mask, or a different substitute for an authorized person’s face. The liveness test is then leveraged for authentication.
In addition, device-based biometrics can also be used as part of the authentication journey, including “touchId” or “FaceId” on iOS and Iris, Fingerprint sensor on android.
All devices that a user uses to authenticate are tightly coupled with a user. A user is allowed to authenticate only from a registered device. Add-on features such as SIM checks and checks if a user’s device has been jailbroken are also available before every authentication request generated from a device.
To authenticate, a user scans a QR code, a push message is sent to their registered device, and a user authenticates with their biometrics. No more remembering complicated passwords or Pins or scrambling through email or SMS to find an OTP.
Implementing biometrics as part of the MFA is not only more secure but also provides the following benefits:
1. Reduce friction in user experience
2. No more social engineering and account take over
3. No more password policies or password reset calls
4. Detect fraud and block it
5. More secure
Considering Biometrics for Multi-Factor Authentication?
BlockID is an enterprise-grade, passwordless authentication solution for the workforce. Employees gain instant and secure access to company resources in a manner that’s easy to use, eliminates the need for passwords, and has a positive impact on the end-user experience. To learn more about our Biometric authentication, click here.
Are you interested in learning more about MFA? Please join us in our upcoming webinar where we will be diving deeper into this topic.
And watch the video from CISA Director, Jen Easterly here. And additional information about MFA from the CISA is here.