[By John Gallagher, Vice President of Viakoo Labs]
Biometric security is often viewed as superior to passwords when it comes to protecting sensitive systems or data. The interface between physical and software security, verified by unique personal identifiers like iris scans, fingerprint scans, or voice verification, seemed to render biometrics invulnerable to the types of attacks that systems of either variety were susceptible to independently. Recent news has proven otherwise.
The Widening Gaps in Biometric Security
Earlier this year, an Arizona mother received a late-night ransom call with her 15-year-old daughter pleading in distress on the other line. “The voice sounded just like Brie’s, the inflection, everything,” she told reporters – but it wasn’t her daughter on the line. It was an AI-generated clone of her daughter’s voice print generated from snippets of audio and used to create a fake recording with enough fidelity that even the child’s mother could not tell the difference.
We saw a remarkable surge in the frequency and quality of deepfakes last year. The increasing availability of biometric data makes these types of scams relatively easy to execute. Threat actors can mine IoT-connected devices like video databases for iris, fingerprint, and facial recognition data – think of a typical office environment where a person might pass a high-resolution camera multiple times a day for several months. A bit of the iris here, a partial fingerprint there – with enough repetition, compute power, and time, threat actors could “crack” a person’s full biometric profile with relatively little effort (not to mention capturing passwords if the cameras are positioned to read keyboards). As the technology evolves rapidly, attackers can now insert the deepfake right into the video feed, avoiding some of the liveness checks that biometric systems offer. For this reason, securing video surveillance systems and the data they generate will be crucial in the upcoming year. IoT devices are among the largest unsecured attack surface for most modern organizations. As cybercriminals become increasingly clever and sophisticated, lax IoT security poses a greater risk than ever before.
Leveraging Emerging Technologies and Processes to Overcome Challenges
These issues, combined with advances in artificial intelligence (AI) and quantum computing, have the potential to break biometrics. The solution? Greater use of AI by defenders at all levels–specifically using AI to drive more rapid expansion of zero trust approaches, threat detection mechanisms, early eradication of bots and malware, and use of digital authentication methods such as certificates.
Organizations must make strong, proactive investments in improving their security posture to stay ahead of the evolving threat landscape. As attackers use AI to find and exploit vulnerabilities, IT and security teams should leverage AI at every level of defense to act as a force multiplier, aggregating and prioritizing data, identifying likely attack paths, revealing lateral access, highlighting back doors, and compiling potential remediation actions.
Despite the size and scale of its potential impact, the “end” of biometrics is also the continuation of an increasingly popular trend: the move to zero trust. The cloud era ushered in the decline of the traditional security perimeter, and the shift to remote work amid the Covid-19 pandemic delivered its last rites. Zero trust should be the default position for all organizations – meaning that each user is continually verified not only based on their credentials, but on the data they’re accessing. A sophisticated zero trust capacity can identify and confront unauthorized access faster than any traditional security protocol. Regardless of the method of attack, zero trust enables organizations to regulate network access to a granular degree in real time, limiting the risk of any unauthorized access.
Preparing for the Future
While the end of biometric security has deep implications for organizations across industry and government, there are concrete actions leaders can take to protect against the threats that will emerge in the gap. By expanding the use of AI in cyber defense, along with investing in tools to achieve a comprehensive zero trust network state, organizations can defend against these threats and evolve with threats in the era of AI and quantum computing.
