Last week was a bad week for biometrics.  Two separate incidents demonstrated the vulnerability of biometric authentication.

The first occurred at the DEF CON event in Las Vegas, where researchers demonstrated that they could bypass FaceID user authentication and access a victim's iPhone in less than 120 seconds.

In a separate incident, investigators discovered the biometric data of more than a million people (23 gigabytes of data) left unprotected on a database owned by Suprema, a biometric security company. The exposed data included facial recognition and fingerprint information collected by the UK authorities.

The amount and type of data leaked were overwhelming.  Note the examples below:

  • Fingerprint data
  • Facial recognition information and images of users
  • Unencrypted usernames, passwords, and user IDs
  • Records of entry and exit to secure areas
  • Employee records including start dates
  • Employee security levels and clearances
  • Personal details, including employee home address and emails
  • Businesses’ employee structures and hierarchies
  • Mobile device and OS information

The two incidents shed light on the concerns around biometric authentication and emphasize the need for tighter, more secure handling of biometric data.

And the concern is clearly justified – once biometric data is stolen, the loss is for life. Facial recognition and fingerprint data cannot be revoked or replaced the way a password can. Unless you go to a plastic surgeon 😊

With the recent leak, fraudsters could easily obtain complete access to admin accounts, which they could use to take over accounts, including user permissions and security clearances. Not only could they change user permissions and lock people out of certain areas, but they could also create new user accounts, making account takeover simple and easy.

The use of biometric authentication is prevalent in the eCommerce, financial and mobile wallet sectors.  Its ease of use and convenience are significant advantages, but as demonstrated last week, its security weaknesses can be hazardous and irreversible.

Perhaps a coincidence, but the two incidents reflect the need for context-based mobile authentication that relies on multiple forms of identity verification.  Paygilant's CMA-based authentication and fraud prevention solution uses a multi-layered approach that combines device fingerprinting, behavioral biometrics and transaction analysis to provide a robust fraud prevention and detection offering.

What makes Paygilant unique is that it does not rely on any single fraud indicator as the sole criterion for authentication; rather, it incorporates a layered, multi-checkpoint solution that reviews and validates the user throughout the user's journey. At every junction, including app download, registration and transaction, Paygilant confirms the legitimacy of the user.