Security in 2015: Biometrics

Biometric technology has been bypassed multiple times by security researchers over the years. One such incident saw Japanese cryptographer Tsutomu Matsumoto fool fingerprint security systems using a ‘gummy finger’ made directly from the target.

And, despite widespread acceptance that a password alone is not enough, concerns over biometric technology's reliability remain. Even Apple has been compromised: last year, German security researchers Chaos Computer Club (CCC) created a fake finger which they claim easily bypassed the technology giant's fingerprint scanner.

At the time, a hacker with the nickname Starbug said: “As we have said now for years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”

Biometrics is not a new technology; it has been used in data centres and by governments for years. It is thought to have kicked off in enterprises in the mid-1970s, when a US university implemented a hand geometry system.

Today's biometrics are much more sophisticated and the 2013 release of the iPhone 5s' fingerprint scanner has opened the door for the systems on a wider level. The technology has also come a long way on the enterprise side, ranging from fingerprint scanners through to iris recognition - even vein and ‘liveness’ detection systems. This is seeing it increasingly used in physical security, such as for access to systems.

However, whether fingerprint or iris scanner, all biometric technology poses significant risks. It can be breached - and if a bio-key is compromised, there is no chance of issuing a new one.

Multi-layered strategy

Despite the risks, biometric technology is still useful to enterprises: even a fingerprint can form part of a multi-layered security strategy, experts agree - as long as this is in addition to other measures. “Biometrics is going through the classic technology curve: it's getting faster and systems are becoming cheaper,” says Justin Hughes, identity management expert at PA Consulting Group.

However, experts agree that biometrics is not currently secure enough on its own. As Hughes points out, the technology aptly fits the last part of the three-tiered strategy that should form ID management: “Something you have, something that you know, and something that you are.”

Among its benefits, some types of biometric technology can cut costs when used in the enterprise, according to Richard Moulds, VP strategy at Thales e-Security. “Traditional hardware authentication devices such as one-time password tokens and smartcards can be very costly for organisations and are hard to manage, whereas biometrics allows the use of readily available sensors on users' own smartphones for authentication, making it a much cheaper option.”

The technology is particularly beneficial in high-value environments, such as banking, says Ken Munro, partner and founder of ethical hacking firm Pen Test Partners. Similarly, border control agencies are now using biometrics as an added means of identification at passport control, he says.