There’s nothing like a good, purloined logon credential for hackers wanting to launch a cyberattack.
“There’s a variety of ways cyberattacks get carried out, but many of them start with stolen credentials,” said Ajay Amlani, president and head of the Americas at iProov. What’s worse, he pointed out, is that “the technology continues to get easier and more accessible for cyberattackers to be able to access at scale.”
Increasingly, hackers take advantage of credentials — such as login identifications and passwords — to appear as if they are the users who actually are supposed to have system access privileges, Amlani said during Federal News Network’s Industry Exchange Cyber 2024.
It’s why the need for credentials that rely on unique biometric data is becoming critical, he said. At iProov, that biometric authentication focuses on the use of facial recognition technology. We asked Amlani to talk about how to implement multifactor authentication using biometrics and to share details on the latest facial recognition technology developments.
The scale of credential attacks
Malicious hackers have several ways to obtain credentials, Amlani said. Often, they reach databases of stored credentials, having used spear phishing to gain initial access.
“Those spear phishing attacks actually are becoming more and more prevalent, and their messages are being sent to either IT systems support specialists or others within the organization that are targeted,” Amlani said.
Highly specialized attacks often appear to be from people at the executive level in a target’s organization. “This is causing a lot of problems right now within corporate systems and government systems,” Amlani said.
The obvious solution is multifactor authentication, in which a user typically receives a code via cell phone to use with a password or verifies authenticity by pressing a button on the phone. MFA is a solution that many organizations in fact do use.
But, Amlani said, “the challenge with all of these is they really don’t get to the third factor of authentication.”
A stolen phone hands the hacker the second factor, presuming that the attacker has the user’s password too. Biometrics can provide that third factor, he said, once agencies establish a convenient and reliable way to use fingerprints or facial recognition.
“People are now recognizing that it’s actually more convenient, in addition to being more secure, to be able to access systems by using biometrics instead of usernames and passwords or tokens,” Amlani said.
Facial recognition as the third factor in MFA
Deploying facial recognition security requires a carefully designed application so hackers can’t simply use a picture of someone to gain access. Amlani explained that the image collected initially in a facial recognition system is converted to a template, “so the image itself is never stored,” he said. The template consists of certain points on the face that never change, called minutiae — essentially the facial equivalent of a fingerprint.
If someone were to get the minutiae data, Amlani said, they couldn’t reconstruct an image for purposes of spoofing. Moreover, the minutiae are encrypted before they’re processed by a backend comparison algorithm.
Beyond that, he said, lies a special capability for what iProov calls genuine presence assurance, a sort of final fence preventing the use of images to fool facial recognition.
“Now that you’re leveraging biometric sensors that are basically on remote devices and you’re utilizing them for remote uses, verifying that it’s a live human being at the time of the matches becomes very important,” he said.
iProov does this by generating a unique set of colors and sending them to the screen of a user’s phone or monitor. The colors bounce off the user’s face and back into the camera the user is looking at for recognition.
“You collect, basically, the information that’s necessary to be able to match the face,” Amlani said. “But at the same time, you’re verifying that it’s actually a live human being at the time of enrollment.”
That last step of reflected colors generated by iProov provides a foolproof way to stop use of photographs for logging on because reflection from paper or plastic is different from reflection off living skin, he said.
“It’s an added element, I’d say, of the third factor,” Amlani said. “The liveness element adds a factor, especially in today’s day and age when many of the attacks that you’re facing are actually against bots.”
He said “liveness” is particularly important when artificial intelligence can generate fake images at scale.
The reflected color system also complements what he called one of the biggest strengths of biometric systems. They work “regardless of your skin color, regardless of your ethnic background, regardless of your economic situation.”
“What other forms of authentication have trouble with is the fact that data sometimes is not resident on that individual,” he added. That is, if someone hasn’t “opened up a home mortgage or a car loan application, if they haven’t applied for things like student loans, then information is not readily available, and they get locked out of specific programs.”
Plus, Amlani said, genuine presence assurance also aids in the reliability of remote initial enrollment for new hires or any program that formerly required in-person initiation.