Invitation to Cybersecurity

8.1.2.3 Universal

The biometric should also be universal. This makes hair color a poor biometric because not everybody has hair. Similarly, gait recognition would not work for people in wheelchairs. Biometrics should exclude as few people as possible.

8.1.2.4 Costs

Another concern is cost. What is the initial investment, and what are the ongoing costs of a biometric system? Some types of scanners are more expensive to buy, install, and maintain than others. This is ultimately a cyber risk management decision because it involves weighing risks against costs, taking into account the relative security benefits.

8.1.2.5 Collectible

Another practical consideration for a biometric is collectability. The recognition phase is repeated frequently; therefore, the easier and quicker it is to capture the recognition sample, the better. Facial recognition on smartphones scores highly in this category because front-facing cameras can scan faces when users look at their smartphones, requiring no deliberate effort on the part of the user in order to be authenticated. Fingerprints are captured by a simple scan in a fraction of a second and put little burden on users. Iris scans are more onerous because they require a higher-resolution image of the eye. DNA makes for a great biometric when considering the permanence factor, but it rates poorly on collectability. DNA samples could be collected through cheek swabs, blood draws, or hair samples, but those can be time consuming, tedious, and invasive.

8.1.2.6 Secure

Lastly, biometric schemes should be rated for security. This is another area where adversarial thinking is important for cybersecurity. How easy would it be to hack the biometric? What are some approaches adversaries might take? In some early facial recognition systems, a photograph of a person could be used to log in as them. Some fingerprint recognition systems were susceptible to fingerprints lifted from a glass cup using Scotch tape. Biometric authentication systems, like all computers, are potentially hackable and need to be tested not just for performance and reliability but also for security.

8.1.2.7 Summary

Table 8.1 illustrates how these categories can be used to rate biometric candidates. In this illustration, facial recognition comes out on top, but in reality, specific implementations would need to be compared with one another, including multiple different candidates in the same category. Plus, organizations may give more weight to some factors over others based on their cyber risk management profile.

“Something you are” authentication tokens are becoming more popular because their performance has been improving and their costs have been decreasing. They place less of a burden on users than passwords because most people prefer to scan a fingerprint over having to remember and type a password. Also, they are less susceptible to some of the
