Biometrics is the future of identity authentication

As expected, Apple recently introduced a handful of new features with the launch of iPhone XS, XS Max, and XR. Alongside the fancy Liquid Retina and Super Retina screens, and the speedier A12 Bionic processor, the trio of new iPhones interestingly dropped one of iPhone's iconic fixtures, the home button.

While Apple has always been the trendsetter in the mobile communications industry, the move to go beyond the use of passwords may in fact also pave the way for cybersecurity practices to follow suit. It is interesting to note that while biometrics incorporated into IoT are becoming more commonplace, the same cannot be said for biometrics integrated as a cybersecurity solution for enterprises. According to Palo Alto Networks State of Cybersecurity in Asia Pacific Report, biometrics is in fact the least popular solution among organisations.

The sophistication of the techniques that cyber criminals employ today has made it easier to steal usernames and passwords, which they can then test against thousands of different sites. There is a need for organisations and employees alike to strengthen their cybersecurity posture -- passwords can no longer be the sole tool used for credentials and authentication, as this greatly increases the risk of identity theft and/or a significant data breach.

One of the ways in which cybersecurity can be strengthened is by enhancing identity proofing and authentication solutions -- which means going beyond traditional authentication methods such as usernames and passwords. Adopting two-factor, and, realistically, multi-factor authentication will greatly lessen the risk of credential-based attacks. Such authentication methods can be thought of as three levels: something you know, something you are, and something you have. Passwords, in this case, fall into the category of something you know, though it is worth noting that time and care should still be taken to manage passwords properly and to not keep using the same word and character patterns over and over again.

Taking a leaf out of Apple's book, organisations should look into incorporating biometrics into their cybersecurity solutions in the category of "something you are". While the combination of these security measures may not create the ultimate perfect solution, biometric authentication is generally an improvement over an approach that relies only on usernames and passwords. The level of security is also much higher when biometrics is one of the authentication technologies, as the risk of a biometric scan being spoofed is much lower than that of a password or a token.

While two-factor authentication might be enough, organisations might also want to include "something you have", such as a security token, as part of the authentication process. This can be used as an additional safety measure, especially for employees who have access to sensitive company data.

Of course, as with all cybersecurity solutions, biometrics also brings with it some caveats and new risks. These include privacy concerns, as Personally Identifiable Information is involved. There might be concerns around how these data are being collected, shared and secured, as these data can also be a target for cybercriminals. As biometric technologies depend on probabilities and confidence scores, there are also risks that the systems can be spoofed by, say, a photo. Therefore, it is always best for biometrics to work in conjunction with other security measures.

Biometrics is already being used in so many verticals -- and will be the new normal way that we interact with our phones moving forward. There is no escaping that with time, biometrics will become even more mainstream and will be a part of everything we do. Incorporating biometrics as a cybersecurity solution enables enterprises to better protect their digital assets by adding another layer of security.

A prevention-first approach to cybersecurity reduces the threat of vital information being stolen, which is especially important at a time when an increasing amount of crucial information is being stored online.


Vicky Ray is the principal researcher in Unit 42, the Threat Intelligence Team of Palo Alto Networks, for the Asia Pacific region, where he spearheads research mainly on cybercrime and cyber espionage campaigns. Ray is also nominated by Interpol Global Complex for Innovation (IGCI) as a cybercrime expert to collaborate on investigations coordinated by Interpol.