The FBI Cyber Task Force recently issued a four-page Private Industry Notice that recommends the addition of biometric factors and behavioral information checks to multi-factor authentication (MFA) approaches, citing known and exploited vulnerabilities of token and phone-based multi-factor authentication methods.
According to the FBI, the use of secondary tokens or one-time codes to back up usernames and passwords still isn’t enough. Unless companies employ “biometrics or behavioral information—such as time of day, geolocation, or IP address,” there is a risk that an attacker can either trick a user into disclosing a multi-factor authentication code or use technical interception to obtain one.
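The kind of behavioral check the notice describes, as an added illustration that is not part of the FBI notice or of BIO-key’s product: a login attempt is scored against a user’s normal time of day, country and source network, and a valid one-time code is only accepted outright when the context also looks normal; otherwise a step-up factor such as a biometric is required. The baseline data, thresholds and field names are constructed assumptions for the example.

```python
from dataclasses import dataclass
import ipaddress

# Constructed baseline of a user's normal sign-in context (hypothetical data).
@dataclass
class UserBaseline:
    usual_hours: set        # hours of day (0-23) at which the user normally signs in
    known_countries: set    # country codes seen on previous successful sign-ins
    known_networks: list    # CIDR strings of networks the user normally signs in from

@dataclass
class LoginAttempt:
    hour: int               # hour of day (0-23) of the attempt
    country: str            # country derived from geolocation of the source IP
    ip: str                 # source IP address of the attempt
    otp_valid: bool         # result of the ordinary one-time-code check

def risk_score(attempt, baseline):
    """Count the behavioral signals (time of day, geolocation, IP) that deviate from the baseline."""
    score, reasons = 0, []
    if attempt.hour not in baseline.usual_hours:
        score += 1
        reasons.append("unusual_hour")
    if attempt.country not in baseline.known_countries:
        score += 2
        reasons.append("new_country")
    addr = ipaddress.ip_address(attempt.ip)
    if not any(addr in ipaddress.ip_network(n) for n in baseline.known_networks):
        score += 2
        reasons.append("unknown_network")
    return score, reasons

def decide(attempt, baseline, threshold=2):
    """A valid OTP is necessary but not sufficient: anomalous context forces a step-up factor."""
    if not attempt.otp_valid:
        return "deny", ["otp_invalid"]
    score, reasons = risk_score(attempt, baseline)
    if score >= threshold:
        # A phished or intercepted code presented from an unfamiliar context lands here;
        # require a biometric (or other non-replayable) factor before granting access.
        return "step_up", reasons
    return "allow", reasons

# Constructed sample: office-hours sign-ins from one corporate range in one country.
BASELINE = UserBaseline(usual_hours=set(range(8, 19)), known_countries={"US"},
                        known_networks=["203.0.113.0/24"])
```

A single weak signal (for example a late-night sign-in from the usual network) stays below the threshold, so the step-up only triggers when context deviates on more than one axis.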
And it’s this accelerating sophistication of employee manipulation, so-called social engineering, that’s prompted the warning. In September, Proofpoint offered a stark warning that social engineering is getting out of hand, as criminals exploit “human interaction rather than automated exploits to install malware, initiate fraudulent transactions, steal data, and engage in other malicious activities.”
According to the research, 99% of cyberattacks now rely on a person taking an action—clicking a link, opening an attachment, falling for a scam. “The instincts of curiosity and trust,” Proofpoint says, “lead well-intentioned people to click, download, install, open, and send money or data—instead of attacking systems and infrastructure, threat actors focused on people, their roles within an organization, the data to which they had access, and their likelihood to ‘click here’.” (Forbes, October 2019)
“The FBI’s report and recommendation is so powerful because it comes from their unique vantage point from the front lines, fighting cybercrime and investigating real breaches, not from an ivory tower or hardware token industry standards group,” said Jim Sullivan, BIO-key’s SVP of Strategy and Compliance. “The FBI has one goal, which is the prevention of cybercrime, and that makes them a very credible source,” Sullivan added.
The FBI’s notice, issued as part of National Cybersecurity Awareness Month, provides important validation for the use of biometric hardware and software authentication solutions such as those developed by BIO-key. The FBI’s report has received broad media attention including Forbes, ZDNet and BankInfoSecurity.com. BIO-key’s authentication solutions are unique in the market in that they allow interoperability among over 30 different fingerprint scanners from a variety of manufacturers and are available as a turnkey Windows Active Directory authentication solution for enterprises, as well as an authentication platform module ready to serve our federated IAM partners’ customers.
The FBI reported that a large variety of schemes and attacks are being used by cyber actors to defeat multi-factor authentication, including social engineering, SIM swapping and account-takeover malware such as Muraena and NecroBrowser.
“Biometrics should not be an afterthought in a comprehensive Identity Access Management (IAM) strategy,” said Mike DePasquale, BIO-key CEO. “It should be a core design factor in an IAM platform, for end-user authentication, provisioning and governance. BIO-key offers our customers a comprehensive set of biometric authentication options, both on-device and on-server, to meet the real needs of business users,” continued DePasquale.
For organizations that are concerned about the security of their current multi-factor authentication platform, BIO-key has established a Proof of Concept test program so that biometric authentication can be tested in your environment to ensure it’s a good fit for you. Simply contact email@example.com and state that you are interested in scheduling a demo.