Last week, news broke that within hours of the iPhone 5S launch, the German Chaos Computer Club (CCC) fooled the fingerprint password system. The CCC was able to re-create a fingerprint impression by photographing the glass, which leaves us all questioning – how secure are biometric systems?
Using fingerprints as a security measure seems sensible since they are unique to each person and difficult to acquire, unless a hacker is able to get hold of a perfect impression of the victim’s prints or, in the style of a spy thriller, remove one of their fingers. A fingerprint is certainly more secure than a password, which is often guessable or left written down. However, if a mould of someone’s fingerprint is obtained, the situation becomes extremely severe. Unlike a password, fingerprints cannot be changed if they are stolen. A hacker would have access to their victim’s identity for life.
Businesses that do not already utilise some form of biometric technology will need to be prepared as employees buy the latest iPhone, bring it into work and connect to the corporate network. There are steps that can be taken to eliminate the small risk that biometric technology brings:
First, companies need to ensure that they have a strict and clear Bring Your Own Device (BYOD) policy. It must specify which employees can connect personal devices to the corporate network, and what types of devices are permitted. Only those who require it should be able to access the most sensitive company information.
Second, all staff must be trained in the best security practices, in order to ensure that human error does not lead to data loss. Employees need to be aware of the amount of company data they carry out of the workplace on a personal device. They must also immediately report any loss or theft of their biometric device, so a remote wipe can take place, rather than relying on the biometric system to keep hackers out.
The most important thing to remember is that fingerprint scanners make an excellent addition to a company’s security, but they must not stand alone as a single access point to devices. This is under the control of a corporate IT department and will be covered by policy. Until this technology is further developed, it should be used in conjunction with the traditional password, rather than acting as a replacement.
Currently, biometrics is a new trend when it comes to security, but no new security feature allowing access to the corporate network should be implemented without proper policy and staff training, in order to reduce security risks.
Biometrics are, on the whole, much safer than passwords and within 10 years’ time I would expect to see passwords as being a thing of the past.
Bill Walker, security analyst, QA
Bill Walker is technical director at QA – the UK’s largest training company – with a core specialism in cyber security. He consults for private enterprise and Government organisations on the protection of critical IT infrastructure and information.
In addition, Bill is responsible for developing QA’s relationships with key technology vendors and partners including Microsoft, Oracle, VMware and Citrix, and for bespoke e-learning and innovation activities within QA.
Prior to joining QA, Bill held a directorship at Xpertise and was a key member of Microsoft’s CPLS Advisory Council.