This is one of the 52 terms in The Language of Cybersecurity published by XML Press in 2018 and the contributor for this term is Stephen Simchak.

What is it?

A means by which a person can be uniquely identified by analyzing distinguishing traits such as fingerprints, retina and iris patterns, voice signatures, gait, and facial characteristics.

Why is it important?

Biometrics-based security is increasingly being used to identify people – for example, using a fingerprint to unlock a smartphone. Security professionals are turning to biometrics both for convenience and because password-based security is not secure enough. Inherent traits, such as a retina pattern or gait, cannot be easily counterfeited, making them potentially more secure, especially when used as an additional factor in a multi-factor authentication scheme.

Why does a business professional need to know this?

Password-based security requires users to enter a string of characters to gain access. This security scheme can be bypassed by nefarious parties without much effort. An unauthorized user could guess a common password, e.g., 123456 or QWERTY; a hacker could trick a user into disclosing a password through a phishing attack; or an unauthorized user could use software tools to crack or guess a complex password.

Biometrics-based security relies on physical or behavioral characteristics, which are difficult to circumvent without an inordinate amount of effort. An unauthorized user cannot guess what a user’s biometric data looks like or recreate it without tremendous effort. The effort required to mislead a user into providing biometric data, capturing that data, and recreating it, currently outweighs the benefits of using the data.

Biometric-based security often captures data in a template and stores it in a database. If this database is not properly secured, the data can be stolen. In 2015, the United States Office of Personnel Management (OPM) announced that its security had been breached and 5.6 million sets of fingerprints were stolen [Simchak-Stephen 1][Simchak-Stephen 2][Simchak-Stephen 3]. This is worrisome because a person’s retina pattern or fingerprints cannot be reset like a compromised password. As with any other security technique, biometrics depends on the confidentiality, integrity, and availability of the underlying data.

Biometrics and passwords can be utilized together for two-factor authentication (2FA), where something a user knows (e.g., a password) can be combined with something the user has (a characteristic of that user, e.g., fingerprint) to gain access. Biometrics can also be one of the independent categories of credentials used for multi-factor authentication (MFA). This is where defense is layered in hopes that even if a bad actor obtains two sets of credentials, there still will be at least one more barrier between the actor and their target.