Passwords Are Not Enough: Biometrics for Better Account Protection
/Samantha Weeks, CFE, kicked off her session at the 33rd Annual ACFE Global Fraud Conference with a stark warning to fraud fighters. “If you have not already been greatly impacted by account takeover fraud in your organization, you should be very concerned that you haven’t seen it yet. Because it is happening,” said Weeks, the fraud project manager for financial technology company Chime.
Weeks’ session, “Biometrics Replacing Passwords: The Future of Account Protection,” illuminated just how weak passwords are in guarding accounts and the personal information they contain, and it stressed that organizations — and individuals — need to get serious about upgrading information security with the far better protection that biometrics can provide. According to Weeks, passwords offer just as much security as a chain-link fence surrounding a house.
“Passwords were not what they’re meant to be,” said Weeks. “We had a house and we didn’t have a fence, and passwords were a chain-link fence. Good intentions but really easy to jump.”
Indeed, Weeks used the metaphor of the house and how people secure their homes to elucidate just how ineffective passwords are in protecting our personal information. As Weeks described, a person’s online identity is their house, and their username and password are the keys to get into the house. In discussing the problem of people reusing passwords for multiple accounts, Weeks pointed out, people generally don’t use the same keys for their house and their car.
Why Passwords Are So Vulnerable
The vulnerability of passwords lies mainly in how people use them. For example, Weeks listed the following ways that users make passwords incredibly vulnerable to attacks.
People reuse their passwords — 50% of people use the same password for multiple accounts.
More than half of internet users use the same password for their work and play accounts. For example, Weeks recounted the 2015 data breach of affair-seeking site Ashley Madison and how it revealed a healthy number of members who used their work passwords for their Ashley Madison accounts.
Fifty-seven percent of people who have been victims of phishing attacks continue to use the same password that was subject to the scam.
More than 20 million people use the very simple-to-crack password “123456.”
What Are Biometrics?
Biometrics employ unique physical and behavioral characteristics that provide a much more secure layer of protection for accounts. Fingerprints, voice recognition, vein mapping, iris scans and facial recognition comprise physical information. Signature dynamics — analysis of a person’s unique signature — keystroke dynamics, and gait and gestures are some of the behavioral characteristics that can be used to guard accounts.
The Future Is Already Here
The COVID-19 pandemic allowed users to get more comfortable with biometrics. As Weeks described, people reported that biometrics made the pandemic easier to deal with. Biometrics made it possible for people to stay within their homes, use their devices and use cash less. According to Weeks, as people are getting more comfortable with using biometrics and using the technology itself more, there’s an opportunity for organizations to adopt biometrics.
“When you start seeing attitudes shift, that’s an opportunity for you to jump on it,” said Weeks.
The Pros and the Cons
During her session, Weeks laid out some of the advantages and disadvantages of using biometrics. They provide far more security than passwords, they’re convenient and fast — people don’t have to remember their keystroke dynamics, for example — and they’re non-transferable — people can’t share a gait or gesture like they can a password.
Biometrics do have their drawbacks. According to Weeks, biometrics “are not inherently inclusive,” and coders of biometrics have unconscious biases that come through in their code. Weeks described something she had witnessed with an organization in which Black users were unable to get into their accounts using facial recognition software; however, white users were able to get into their accounts without fail.
Furthermore, clever fraudsters can fake fingerprints, especially with optical scanners; however, technology that employs liveness testing, which can test for temperature and movement, present a much higher hurdle for fraudsters to clear. Behavioral biometrics are much harder to replicate. Still, Weeks warns that no matter the level of sophistication of the technology, hackers are gearing up to spoof it. Biometric technology is rapidly changing, but fraudsters are always working on ways to stay several steps ahead.
Passwords Are Not Going Away, But Biometrics Are Next
Despite the growth in biometrics, their ability to provide a stronger layer of protection, and people’s willingness to use them, Weeks said that passwords won’t be disappearing anytime soon. But there are ways to increase their security, such as multifactor authentication.
Early in Weeks’ session, she described herself as an evangelist for biometrics, and in closing, she told the audience that biometrics are next and that organizations need to modernize. Upgrading to biometric software is incredibly expensive, but Weeks told attendees that modernizing is worth it. “If you invest in keeping with the times, that is profit.”