Can Eyeprint ‘selfies’ replace hardware tokens?SecurEnvoy 20/07/2015 Archive
Eyeprints – of veins in the white, not the iris of an eye – captured via selfie are another biometric option for 2-factor security, but concerns about the implications of compromise remain.
Andy Kemshall, co-founder and technical director at SecurEnvoy, warns that this form of biometric technology is “not mature or proven” but does see it as being “a clear indication of how the security authentication market is developing.”
That said, Kemshall also warns that there are still potential technical flaws in any type of camera based solution. “The biggest question being how would the app know the difference between a picture of you shown to the phones camera versus the real you?” he asks. Indeed, over the years there have been problems with iris and retinal recognition falling victim to image quality at both ends of the spectrum: poor quality can cause a failure in the initial enrollment process, while high quality images could be used to fool the scanner. While the evolution of high quality cameras in smartphones have solved the former, it’s as yet unclear if Eyeprint ID will prove any more resilient against ‘scanned image’ attacks once security researchers start probing it in the labs.
One thing is for sure though, and that’s the need for the kind of increased security that 2FA provides, without compromising time or convenience, is gaining momentum and focus for businesses because of the increasing number of data breaches over the last few years. “The key however is ensuring the right approach and technology to enable business grade 2FA is taken” Kemshall warns. The fact that, pretty much, we all carry smartphones with us is helping to break down the price barrier and technologies such as Eyeprint could help break down user resistance to complex security processes as well. As long as the security side of the equation stands up to real world exposure.
Kemshall worries that this might be the software behind the scanning application, for example. Others worry about how and where the biometric data is stored. However, there’s also another problem when we start talking about replacing passwords with a biometric alternative; and it’s the numbers game. Whether it’s the number of fingers for printing, or eyeballs for scanning, they are very finite indeed. Passwords are not perfect by any means, but you can be creative and retain enough complexity to ensure there are secure and unique ones for all your logins. When you only have a couple of eyes to go around, if that biometric signature were to get compromised then everything protected by it gets weakened as a result.
Hans Zandbelt, senior technical architect at Ping Identity agrees, telling SCMagazineUK.com “As with any biometric technology, once breached or stolen it is difficult to revoke.” Of course, Solus isn’t talking about replacing passwords for everything, but instead is looking at the enterprise single sign on market where such a technology could just be what the optometrist ordered. Zandbelt considers it a clear indication of “the rise of the phone as a replacement for the hard token type of authentication, where the phone becomes the token” and concludes that this is a good thing as the security industry “needs to help develop secure personal, multi-factored and identity-based authentication as hackers grow ever more sophisticated in their methods.”