2019 saw password-harvesting malware gaining strength. Designed to capture user passwords by harvesting digital data, these programs are increasingly making passwords redundant, say several recent research reports. Organisations and services are increasingly moving towards multi-factor authentication linked with biometrics, with curious results. The latest effort was a fingerprint ring prototype from Kaspersky.
The cyber-security company teamed up with Swedish designer Benjamin Waye and creative agency Archetype to make a ring that could mitigate the risk in a situation where an employee’s or customer’s biometric data is stolen.
From mobile phones to passport verification counters, fingerprints are the most commonly used biometric tools because they cannot be forged as easily as a signature or stolen as easily as a password.
However, the recent Biostar 2 data breach has proved that biometric details, including fingerprints, can be stolen. The idea of the ring is to use a proxy fingerprint for devices such as mobile phones or automobile keys. The first prototype of the ring was displayed at a recent press meet in Milan, Italy. It is still at a concept stage, says Vladimir Dashchenko, head of the ICS CERT vulnerability research team at Kaspersky.
"This artificial fingerprint can be used in cases when you are not made to provide your real fingerprint. So you can use it to enter the office building for example. In case your data is compromised, you can be sure that your real digital identity is safe."
A lot remains to be done to protect technologies that involve the human body in cyber-space, notes Dashchenko. However, the latest effort is not about improving fingerprint authentication, says Marco Preuss, director of the European research and analysis team at Kaspersky.
"The main point about the ring is not to improve security of fingerprint-authentication mechanism itself, but to improve security for the user in this case, to allow artificial fingerprints be used that can therefore be changed and offer less risk when leaked - means the own biometric data of a user is protected. This is a huge advantage when compared to the current scenario when biometric data gets leaked in any way and is able to be abused."
Both concede that the present prototype is not foolproof.
"I guess there's no system without vulnerabilities. This ring also might have weak spots. But it's a concept that can be developed and enhanced in terms of security," said Dashchenko.
"Using biometrics is convenient but not secure per se," said Preuss. "This is the main point about why we were discussing this topic also in combination with the ring to raise awareness about the potential problems in the widely used technology of biometrics and explore technologies and trends to better protect the users and improve such technologies."
However, not many seem convinced that the project can be a substitute for multi-factor authentication methods.
"This is not multifactor authentication or anywhere as secure as the biometrics it’s designed to replace," said Dan Conrad, field strategist at One Identity.
"Authentication is assurance that you are who you say you are. Biometrics can be a strong authenticator," he said, warning that the ring can be loaned or stolen. "This ring makes the problem they have invented worse."