The importance of secure remote authentication during lockdown (and beyond)

Being able to authenticate yourself securely and accurately is essential to protecting your identity and data. This is especially true in the current context, where billions of people are working from home and accessing public and private services online.

While business IT capabilities have been advancing apace, the pandemic is set to be a tipping point for the widespread adoption of strong authentication solutions.

In a previous post, we discussed the significance of digital identities during these unprecedented times. Today more than ever, digital IDs allow us to remain safely and easily connected with the rest of the world despite the lockdown. Security is a key pillar of digital identity: it ensures that your personal data is protected and encrypted. Two groups of technologies help deliver this: biometrics and data protection.

How biometric technology enhances multi-factor authentication

Biometric technology verifies identity using an individual's physical and behavioural characteristics. It lets the authentication scheme confirm both that a person is physically present and who that person is. Traditional multi-factor authentication combines two kinds of factor: something you know (a password, security questions) and something you have (a smart card, a phone). When biometric verification is used for remote authentication, it adds a third factor, something you are (a fingerprint or face image), making the scheme stronger.

For example, when you work from home and need to log in to your company's network, you might be asked for a username, a password, a code from your smartphone and/or a security token such as a smart card in order to verify who you are. This scheme has many advantages, but if an attacker obtains your password and your security token, they can log in pretending to be you, compromising your security and your data.

With biometric verification, one or more biometric samples, such as a facial photo or a fingerprint, are gathered by live capture. This means they are collected from an individual who has to be physically present at their computer at the moment the authentication request is submitted. The live sample is then compared with the facial or fingerprint data stored in a database or on the device to determine whether they belong to the same individual. Biometric verification with live capture thus helps ensure that it is really you seeking to authenticate, and not someone who has obtained your password and token, or an attacker presenting a stolen photo or fingerprint sample. That last protection depends on the capture step including liveness detection (presentation-attack detection): without it, a printed photo or a lifted print held up to the sensor may be accepted as a live sample.

Beyond establishing the identity of an individual requesting remote authentication, biometrics can further strengthen security by supporting continuous monitoring of the user after login. This is usually done with behavioural biometrics such as keystroke analysis: while the computer is logged in and in use, the keystroke stream is analysed to determine whether the authorised user is still the one at the keyboard. Continuous monitoring through face recognition is expected to follow, and with advances in machine learning and related technologies, further modalities could emerge as well.

How biometrics and remote authentication keep the world working

Apart from enabling us to work remotely, remote authentication also allows businesses to offer experiences that are personalised and seamless, while providing stronger security. According to Experian’s most recent Global Identity and Fraud report, 81 percent of consumers think that physical biometrics such as fingerprints are the most secure form of identity verification. This suggests that many organisations will be looking at the right way to implement them as they undertake digital transformation initiatives, adjusting to a new way of working even after the lockdown officially ends.

The current situation means that, for many of us, we are unable to do things in person as we always have, so going through extra layers of authentication will become the norm.

How data protection technology addresses data security and privacy concerns

Transferring sensitive and confidential data over a network is an essential part of remote authentication, and that data must be protected from theft or corruption in transit. Biometric data is personally identifiable information and, unlike a password, cannot be changed if it leaks, so it requires a high level of protection.

Data protection technologies and infrastructure such as encryption and Public Key Infrastructure (PKI) protect biometric data from unauthorised access, both at rest and in transit, and preserve the integrity of its content.

Encryption protects data by 'scrambling' plaintext into an unreadable form under a secret key, so that recovering the data without the key is computationally infeasible. PKI provides a secure and convenient way to manage keys: it binds public keys to identities through certificates issued by a trusted authority, so that parties can establish encrypted channels and verify digital signatures without having shared a secret in advance.

In remote authentication, the captured facial photo or fingerprint image, or the template derived from it, can be encrypted and digitally signed immediately at capture or template generation, before it is transferred. Only the encrypted data is sent over the network, and the signature lets the receiver detect tampering and confirm which device produced the sample. Stored biometric data is likewise kept either in a secured database or in encrypted form.
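As an added example (not code from the original post or from Thales), the following Go program shows the encrypt-and-sign step described in the two paragraphs above together with the verifier's side: the capture device encrypts the template with AES-256-GCM immediately after capture and signs the ciphertext with an ECDSA key, and the server verifies the signature before decrypting and matching. Everything not stated in the article is an assumption: the device key is generated locally rather than issued under a PKI, the AES key is derived from a constructed string rather than negotiated over TLS, the eight-byte templates are constructed sample data, and the Hamming-distance matcher is a toy stand-in for a real biometric matcher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/bits"
)

// ProtectedTemplate is all that crosses the network: ciphertext plus origin and integrity data, never the plaintext.
type ProtectedTemplate struct {
	SubjectID  string
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte // ECDSA P-256 over subjectID || nonce || ciphertext
}

// signedPayload binds subject ID, nonce and ciphertext under one signature.
func signedPayload(subjectID string, nonce, ct []byte) []byte {
	buf := append([]byte{byte(len(subjectID))}, subjectID...) // IDs assumed < 256 bytes
	buf = append(buf, nonce...)                                // fixed-size GCM nonce
	return append(buf, ct...)
}

// Protect runs on the capture device: encrypt the template right after capture, then sign the ciphertext.
func Protect(devKey *ecdsa.PrivateKey, aead cipher.AEAD, subjectID string, template []byte) (*ProtectedTemplate, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, template, []byte(subjectID)) // subject ID as AAD: no replay under another identity
	digest := sha256.Sum256(signedPayload(subjectID, nonce, ct))
	sig, err := ecdsa.SignASN1(rand.Reader, devKey, digest[:])
	if err != nil {
		return nil, err
	}
	return &ProtectedTemplate{SubjectID: subjectID, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Verify runs on the server: check the device signature first (forgeries are rejected before any
// decryption), then decrypt and match. enrolled stands in for the secure template store.
func Verify(devPub *ecdsa.PublicKey, aead cipher.AEAD, enrolled map[string][]byte, maxDist int, p *ProtectedTemplate) (bool, error) {
	digest := sha256.Sum256(signedPayload(p.SubjectID, p.Nonce, p.Ciphertext))
	if !ecdsa.VerifyASN1(devPub, digest[:], p.Signature) {
		return false, errors.New("bad signature: tampered or not from an enrolled device")
	}
	template, err := aead.Open(nil, p.Nonce, p.Ciphertext, []byte(p.SubjectID))
	if err != nil {
		return false, err // GCM tag failure: altered ciphertext, nonce or subject ID
	}
	// Toy matcher: Hamming distance on binary templates; real matchers are modality-specific.
	return HammingDistance(template, enrolled[p.SubjectID]) <= maxDist, nil
}

// HammingDistance counts differing bits; unequal lengths (e.g. an unknown subject's nil reference) never match.
func HammingDistance(a, b []byte) int {
	if len(a) != len(b) {
		return 1 << 30
	}
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// RunScenario wires both sides together on constructed data: a noisy re-capture should match, a ciphertext altered in transit should not.
func RunScenario() (genuineMatched, tamperRejected bool, err error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // certified via PKI in practice
	if err != nil {
		return
	}
	key := sha256.Sum256([]byte("constructed demo session key")) // real: per-session key from TLS/PKI
	block, _ := aes.NewCipher(key[:])                             // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	enrolled := map[string][]byte{"alice": {0x3c, 0xa5, 0x5a, 0xc3, 0x0f, 0xf0, 0x96, 0x69}} // constructed
	live := append([]byte(nil), enrolled["alice"]...)
	live[0], live[5] = live[0]^0x01, live[5]^0x10 // a re-capture is never bit-identical
	p, err := Protect(devKey, aead, "alice", live)
	if err != nil {
		return
	}
	genuineMatched, err = Verify(&devKey.PublicKey, aead, enrolled, 4, p)
	p.Ciphertext[3] ^= 0xff // attacker flips bits on the wire
	_, terr := Verify(&devKey.PublicKey, aead, enrolled, 4, p)
	tamperRejected = terr != nil
	return
}

func main() {
	ok, rejected, err := RunScenario()
	fmt.Println("genuine matched:", ok, "tampered rejected:", rejected, "err:", err)
}
```

The order in Verify is deliberate: the signature is checked before anything is decrypted, so an attacker who cannot produce a valid device signature never gets the server to touch the ciphertext, and the subject ID travels as GCM associated data so a genuine ciphertext cannot be re-sent under a different identity.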

Remote authentication in action

The best way for an employee to prove that they are who they claim to be is multi-factor authentication. This can take the form of a one-time code sent by text message to the user's mobile phone, entered after the password, or a hardware token that generates single-use codes. Of these, codes sent by SMS are the weakest option, since they can be intercepted or phished; a token or authenticator app that computes the code locally is preferable.

Thales employees, for example, have long used a smart card (similar in size to a credit card), inserted into a reader or directly into a PC, to authenticate themselves. The card carries a certificate and the matching private key; during logon the network checks the certificate and the card proves possession of the key. If that check succeeds, the connection to Thales' internal network is made.

Another example of multi-factor authentication that uses a PIN, a smart card and biometrics is the U.S. government's Personal Identity Verification (PIV) card. The PIV card is used for both facility access (physical access) and network authentication (logical access). When strong authentication is needed, the user presents the card to a reader, enters the PIN, and has a biometric sample (fingerprint or iris) captured and verified against the one enrolled on the card.

A capable and secure remote authentication system plays a crucial role in maintaining business continuity. Organisations therefore need technology in place that keeps authentication both continuous and secure, so that authorised employees can quickly and safely reach the files and programmes they require.

Biometrics have quickly become one of the most relevant means of authenticating individuals reliably, conveniently and fast, using characteristics that are unique to each person. In combination with data protection technologies, they form a secure authentication system that is crucial in today's uncertain times.