Wednesday, October 23, 2019

FBI Recommends Use of Biometrics

In its Private Industry Notification, 17 September 2019 PIN Number 20190917-001, the FBI encourages the use of biometrics to resist what they see as the limitations of strong authentication.  In fact, what they have observed is effective social engineering attacks, made necessary by the effectiveness of one-time passwords.  Other strong authentication, which might include biometrics, is the solution that I would recommend.

Consider my financial services firm.  They offer me strong authentication based upon a software token installed on my mobile computer.  I downloaded the token from the App Store and gave its identity, 4 letters and 8 digits, to my financial services firm and they associated that token with my account.  When I logon with my UID and password, I am prompted for a one-time password, six digits, generated by that token, with a life of sixty seconds, and expected by a server used by my financial services firm.  

Now, suppose I were to lose the mobile.  I would have to get a new mobile and download a new token.  I would have to associate the replacement token with my account.  In the capability to do that lies a potential vulnerability.  If an attacker were successful in convincing my financial services firm to associate his token with my account, then he might be able to defeat the strong authentication.  Therefore, my financial services firm must be able to resist this "social engineering" attack.  This is where biometrics can play a useful role.

When I call my financial services firm to replace my lost token, or for any other purpose, they may recognize me from my "calling number ID."  They authenticate me by my voice, a biometric, something that only I can do, one that works over the phone.  Yep, they really do; they tell me that that is what they are doing.  While I am a stranger to the agent, the computer recognizes my voice as the one to expect for my phone number.  The agent also asks me for another piece of shared information, a challenge and response, a second factor.  Only then will they honor my request to replace the lost token ID with the new one.  I think that this is an instance of the use of biometrics that would meet the expectation of the FBI.  

Of course, the process does not end there.  My firm e-mails me, out-of-band confirmation, that they have changed the token associated with my account.  This gives me the opportunity to recognize a fraudulent change to my token ID.  
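As an added illustration, not code from the original post or from any firm, here is a small Python model of the arrangement described above: a six-digit software token with a sixty-second life verified by the firm's server, and a token-replacement step that is granted only when the voiceprint expected for the calling number matches and the challenge is answered, with an out-of-band confirmation recorded either way.  The phone number, token identities, seeds, challenge answer and the voice-match verdict are all constructed for the example.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field

PERIOD = 60  # the post's token: six-digit codes with a sixty-second life
DIGITS = 6


def totp(secret: bytes, unix_time: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check, tolerating one step of clock skew either way."""
    return any(hmac.compare_digest(totp(secret, unix_time + s * PERIOD), code)
               for s in range(-window, window + 1))


@dataclass
class Account:
    phone_number: str          # what calling-number ID is compared against
    token_id: str              # the 4-letter, 8-digit token identity (constructed)
    token_secret: bytes        # the seed the server shares with that token
    challenge_answer: str      # the extra piece of shared information
    notifications: list = field(default_factory=list)  # out-of-band e-mails sent


def rebind_token(acct: Account, call: dict) -> bool:
    """Token replacement is the step an impostor must subvert, so it is granted
    only when the voiceprint expected for the calling number matches AND the
    challenge is answered; an out-of-band confirmation is recorded either way.
    call["voice_match"] stands in for the verdict of a voice-biometric engine."""
    checks = {
        "caller_id": call["caller_id"] == acct.phone_number,
        "voice": bool(call["voice_match"]),
        "challenge": hmac.compare_digest(call["challenge_answer"], acct.challenge_answer),
    }
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        acct.notifications.append(f"DENIED token replacement; failed: {failed}")
        return False
    acct.token_id, acct.token_secret = call["new_token_id"], call["new_secret"]
    acct.notifications.append(f"CHANGED token to {acct.token_id}; reply if this was not you")
    return True
```

The DENIED notification matters as much as the CHANGED one: an owner who receives it learns that someone tried to take over the token before any damage is done.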

Now the link above not only points to my blog entry on limitations of one-time passwords but also to the limitations of biometrics.  One needs to understand those limitations in order to use biometrics effectively.  I like the voice implementation used by my financial services firm because it is dynamic and resists replay attacks; replay attacks are one of the limitations of biometrics.  Along with facial recognition, voice is one of two biometrics that both people and machines can reconcile reliably.  

(I am sure that you have heard of static facial recognition being duped by a photograph, a limitation, but fooling a four year old child in dynamic facial recognition, for example, over Skype or FaceTime, as to the identity of her grandmother might be more difficult.)

While there are alternatives to the use of biometrics, the FBI and I agree that they can be both convenient and secure in some applications and environments.  The FBI recommends them to resist what they see as limitations of multi-factor authentication.  I recommend them as effective and efficient measures for resisting one form of "social engineering."
