Biometric Authentication

What is the Most Secure Authentication Method?

We’ve been enjoying using signing and authenticating technologies since the late ’90s and back then, it was just about signing in different applications via one ID and password. Companies have taken advantage of the convenience of a single signature system that handles a variety of tasks in one way. However, as the number of management servers and applications increased, the number of ID/PW required to access and manage became more and more difficult.

Kicking off with this single authentication technology, various authentication methods have been developed to address the above issues. In addition to the existing ID/PW method, depending on the usage environment and purposes, various authentication methods such as the OTP and biometric authentication have been implemented.

Amongst these, biometric authentication has attracted attention in various fields.

 

What is Biometric Authentication?

 

Biometric authentication is a technology that identifies and authenticates users by using their own physical characteristics (fingerprint, face, iris, etc.) or behavioral characteristics (voice, gait, signature, etc.).

Biometric authentication has been applied to smartphones since 2013 and is deployed to enhance the convenience of customers by taking advantage of the simplicity of utilizing biometric information owned by individuals.

In fact, Kakao Bank has installed ATMs using palm vein authentication in more than 1,700 GS convenience stores. KB Bank also provides services in some branches where customers use their palm vein as an authentication method in South Korea. 

 

Is Biometric Authentication Secure?

 

Authentication methods that utilize personal biometric information, such as irises, pupils, and fingerprints, might imply that it’s the safest authentication method thanks to its advanced IT technologies. However, biometric authentication also has security risks.

Firstly, biometric information is recognized as public information. Since our fingerprints and facial shapes are always exposed, it is quite possible to hack them by creating 3D printings. The traditional ID/PW authentication method is private information and even administrators aren’t able to recognize the information thanks to encryption technology. 

Secondly, biometric information cannot be changed periodically. PW can be changed periodically in case it’s extorted or exposed.

Thirdly, repetitive patterns are sometimes found in biometric information. New York University analyzed 8,200 fingerprint patterns and created virtual fingerprints and they found that 65 percent of smartphones with fingerprint authentication could be compromised

Many people think that biometrics cannot be typed in letters. However, when registered in the system, biometric information is also stored as specific values or text.

By exploiting this, it is also possible to breach biometric authentication through brute force attacks. Hacking of authentication methods has been demonstrated by acquiring the user’s biometric information, creating fake fingerprints to crack smartphone authentication, or creating a face with a 3D printer to unlock the device.

Recently, as vulnerabilities were discovered in smartphone fingerprint recognition of Samsung Electronics, attention in the safety of biometric authentication is increasing.

Fingerprint recognition by putting a silicone case on a Samsung smartphone was a case which even allowed other people to unlock the phone. The worst part of this issue was that it even allowed the apps, such as financial apps, to be exposed by the extortion.  A recent survey (Financial Security of South Korea) shows the awareness of biometric authentication users. According to a survey, the users preferred traditional authentication methods such as accredited certificates (74%) and OTP (34%) in high-value transactions.

On the other hand, for relatively low transaction volume, simple passwords (50%) and bio-authentication (33%) were preferred. As such, the users were using biometric authentication for convenience and simplicity rather than security. Should we be using a different method instead?

 

Need for Multi-Factor Authentication

 

In order to have a secure authentication system, each strength of various authentication methods should be used. In other words, you should have a better authentication environment by utilizing Multi-Factor Authentication.

Companies are introducing multi-factor authentication in their management systems as well as for consumers. In recent years, an increasing number of breaches has stolen the authority of corporate web or management servers. Traditional authentication methods are often insufficient to prevent these attacks.

Accordingly, the Financial Supervisory Service of South Korea recommends additional certification procedures such as certificates or OTP in addition to the existing login procedure through the Electronic Financial Supervisory Regulations.

Moreover, in accordance with the ‘Technical and Administrative Protection Measures for Personal Information’, the Information and Communication Network Act requires the application of safe certification methods. Therefore, numerous corporates are considering adopting multi-factor authentication for management systems or servers.

But of course, multi-factor authentication is not the ultimate option. The FBI published real-world examples of attacks aimed at SIM swapping or vulnerabilities on multi-factor authentication management pages.

However, when using multi-factor authentication rather than single authentication, the fact that you can still create and manage the environment securely remains the same.

In order to properly respond to advanced hackings, strengthening the authentication system is essential. Multi-factor authentication should be used to increase user convenience as well as security.

 

 

Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Web Application Firewall for Cloud: WAPPLES SA

Database Encryption: D’Amo

Authentication: ISign+

Smart Car Security: AutoCrypt