4 Strategies for Implementing NIST’s Biometric Guidelines
We often hear that technology is changing rapidly. We’ve heard this phrase for years – but in 2018, it really is.
Today, almost everyone has a handheld tablet or mobile device (or two). In fact, two-thirds of Americans own one, according to a Pew Report. On top of that, organizations across the globe are living in a “future of work” world, where employees increasingly work somewhere other than the company’s headquarters. With the workforce operating on mobile devices, organizations need to deal with an evolving (and disappearing) perimeter. Take, for example, Google’s BeyondCorp initiative, a “Zero Trust security framework” that shifts access controls from the perimeter to individual devices and users.
The new mobile workforce brings with it major challenges in defending against threats and risky behavior. The 2017 Annual Data Breach Year-End Review revealed that U.S. data breaches hit a record high of 1,579 last year, with over 178 million records exposed. That averages about four data breaches a day, a drastic increase of 44.7 percent over 2016. Passwords are a main concern. Troy Hunt, a web security expert, recently released his latest “Have I Been Pwned” database of 500 million known passwords. If the wrong person gets hold of a password, they can wreak havoc within seconds.
A breaking point has come. It’s time to replace usernames, passwords, PINs and other logins with more secure methods, like biometrics. The question is: who is in charge of holding companies accountable for adopting new methods?
Enter the National Institute of Standards and Technology.
NIST recently announced the Contactless Fingerprint Capture Device Measurement Research Program after decades of biometric testing. In 2013, it released the final version of a standard that identifies biometric specifications for personal identity verification. To date, these standards and guidelines have covered only contact-based fingerprint capture methods.
This year, NIST will release guidelines for Contactless Fingerprint Capture, based on a seven-company, three-year cooperative research and development agreement. NIST will also release an update of its Cybersecurity Framework to help organizations better manage their cybersecurity risks. The overall framework builds upon NIST's development of methodologies for measuring the image fidelity of contactless fingerprint capture devices. This is important for companies that develop biometric technology or plan to deploy touchless fingerprint technology into their devices.
Authentication is the cornerstone of cybersecurity frameworks. A combination of what you know (e.g., passwords, PINs), what you have (e.g., token), and what you are (e.g., biometrics) is key to a secure authentication system. The missing link has been a lack of biometrics guidelines, but the upcoming Contactless Fingerprint Guidelines will help fill that gap.
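The factor categories above, and the placement question raised under strategy 1 below (fingerprint as primary, second factor, part of multi-factor, or reserved for escalated step-up), can be expressed as a small policy check. The Python below is an added illustration, not code from the article or from Veridium. The authenticator names and the `pad_checked` attribute (whether the biometric verifier ran presentation-attack detection) are constructed for the example; the two rules it encodes, that multi-factor means distinct factor categories and that a biometric is paired with a possession factor, are my reading of NIST SP 800-63B, which the article cites as NIST 800-63.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three authentication factor categories named in the article."""
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # hardware token, smart card, phone
    INHERENCE = "something you are"     # fingerprint, iris, face


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: Factor
    # For biometric authenticators: did the verifier run presentation-attack
    # detection (liveness)? Assumed attribute for illustration; defaults True.
    pad_checked: bool = True


def distinct_factors(presented):
    """Set of factor categories covered by the presented authenticators."""
    return {a.factor for a in presented}


def meets_policy(presented, required_factors=2, require_inherence=False,
                 biometric_needs_possession=False):
    """Decide whether a login attempt satisfies a factor-based policy.

    required_factors: number of *distinct* factor categories needed.
        Two authenticators from the same category (password + PIN) count
        once; this matches the multi-factor definition in NIST SP 800-63B.
    require_inherence: escalated / step-up case, where a biometric with
        presentation-attack detection must be among the authenticators.
    biometric_needs_possession: SP 800-63B allows a biometric only when it
        is paired with a physical authenticator (something you have).
    """
    factors = distinct_factors(presented)
    if len(factors) < required_factors:
        return False
    biometrics = [a for a in presented if a.factor is Factor.INHERENCE]
    if require_inherence:
        if not biometrics or not all(a.pad_checked for a in biometrics):
            return False
    if biometric_needs_possession and biometrics:
        if Factor.POSSESSION not in factors:
            return False
    return True


# Constructed sample authenticators (not from the article).
PASSWORD = Authenticator("password", Factor.KNOWLEDGE)
PIN = Authenticator("pin", Factor.KNOWLEDGE)
OTP_TOKEN = Authenticator("otp-hardware-token", Factor.POSSESSION)
FINGERPRINT = Authenticator("fingerprint", Factor.INHERENCE)
FINGERPRINT_NO_PAD = Authenticator("fingerprint-no-liveness",
                                   Factor.INHERENCE, pad_checked=False)


def evaluate_scenarios():
    """Run the placement options from strategy 1 through the policy."""
    return {
        # 'primary': fingerprint alone is a single factor
        "primary_only": meets_policy([FINGERPRINT], required_factors=1),
        # password + PIN looks like two steps but is one factor category
        "password_plus_pin": meets_policy([PASSWORD, PIN]),
        # 'second factor': fingerprint added to a password
        "password_plus_fingerprint": meets_policy([PASSWORD, FINGERPRINT]),
        # same pair under the 800-63B pairing rule fails: no possession factor
        "password_plus_fingerprint_800_63b": meets_policy(
            [PASSWORD, FINGERPRINT], biometric_needs_possession=True),
        # token + fingerprint satisfies the pairing rule
        "token_plus_fingerprint_800_63b": meets_policy(
            [OTP_TOKEN, FINGERPRINT], biometric_needs_possession=True),
        # 'escalated': step-up demands a liveness-checked biometric
        "escalated_with_pad": meets_policy(
            [PASSWORD, OTP_TOKEN, FINGERPRINT], require_inherence=True),
        "escalated_without_pad": meets_policy(
            [PASSWORD, OTP_TOKEN, FINGERPRINT_NO_PAD], require_inherence=True),
    }


if __name__ == "__main__":
    for scenario, ok in evaluate_scenarios().items():
        print(f"{scenario:40s} {'PASS' if ok else 'FAIL'}")
```

The point the check makes explicit is that counting authenticators is not the same as counting factors: password plus PIN is still single-factor, and a fingerprint only becomes a second factor when it is combined with something from a different category. The escalated case shows why the spoofing-resistance guidance matters: a biometric verified without presentation-attack detection is not accepted for step-up.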
Here are four strategies to consider when implementing NIST standards:
1. Create Awareness: Educating employees about the NIST contactless fingerprint guidelines is crucial. Make sure users are aware of the background of the program and its objective of providing open testing methods, metrics and artifacts that will support future certification of devices for inclusion on certified products lists. In addition, organizations should publicize NIST's Strength of Function for Authenticators, which offers guidance for selecting biometric frameworks based on resistance to spoofing (i.e., presentation attacks). A fingerprint biometric offers a unique authentication option that is better than facial recognition and simpler than the iris technology used by Samsung. Organizations also should consider where fingerprints should be incorporated into their authentication process: as the primary factor, as a second factor, as part of multi-factor authentication, and/or for escalated transactions.
2. Upgrades: Organizations across industries need to replace old technology to stay ahead of advanced threats; consider, for example, every soldier and government employee who carries an access or ID verification card. Reports have surfaced about stolen authentication cards. Hence, government agencies are exploring biometrics to replace 20-year-old technology with new security – a practice other organizations should put in place as well.
Defense Department CIO Terry Halvorsen has asked the IT industry to submit proposals for advanced ID management technologies that deliver “10 factor” security without the use of smart cards or other additional hardware. “It’s absolutely doable today, with today’s technology,” he said. Halvorsen did not specify which technologies DoD needs, but noted the eventual solution might be a combination of biometrics such as iris scans, tools that monitor users’ behavior patterns and detect deviations, and cross-referencing against users’ personal information.
3. Establish Standards: The upcoming NIST guidelines, including the existing NIST 800-63 guidelines for digital identity, help organizations establish working standards. For example, NIST researchers can help companies understand product limitations and help make necessary improvements. The contactless fingerprint guidelines will establish reliable testing procedures for developing standards for digital identity credentials, identity proofing and verification and convenient biometric authentication.
4. C-Suite Buy-In: Lastly, it’s important to start from the top down and achieve buy-in from an organization’s executives (including its board), as their understanding and commitment will be necessary to justify the investment.
Biometrics closes a critical gap in the cornerstone of cybersecurity: authentication. It also increases end-user convenience and reduces costs by eliminating password resets, complexity rules and rotations. All three benefits help CXOs achieve key performance goals across their enterprise with measurable results.
All organizations must be ready to combat the uptick in advanced threats. If an organization understands and implements these four strategies as they relate to NIST guidelines, it will be better prepared to identify, protect, detect, respond and recover in the face of evolving risks.
--John Callahan is CTO of Veridium, a biometric authentication vendor.