What Does NPR Know About Biometric Cyber Security? Not All That Much...

A recent post on NPR's site called "Biometrics May Ditch The Password, But Not The Hackers" misses the mark.

Biometric solutions in general, and Virtual Keyring specifically, strive to merge convenience, ease of use, and stronger cyber security. No one involved in cyber security takes these biometric identity verification solutions lightly. Research continues by organizations like the FBI, NSA, Google, Apple, Microsoft and many others.

There are three aspects of the NPR article that are misleading. First, the author seems to say that good old passwords are better than biometric solutions. That is false. According to the 2014 Verizon Breach Report, over 60% of data breaches result from weak, stolen, hacked or shared passwords. Organizations store and manage too much confidential information to continue protecting it with methods developed in the 1960s. The more sensitive and confidential the information, the higher the security barriers must be. We must replace user name/password logins with biometric solutions. There is simply too much at stake to hope that hackers can’t figure out a password of ILOVEFLUFFY.

The problem is not the hackers as much as it is us, the users. We want to use a simple, easy-to-remember password like 1234 for all of our applications and websites, without consequences. Common sense tells us that is not possible.

The simple truth is, Virtual Keyring provides the convenience of an easy password with the security of a 50-character password.

Second, not all biometric solutions are equal. Consider facial recognition technologies and you will find a vast range in identity verification sophistication, encryption and storage of data, and level of accuracy. An apt comparison would be the difference between video shot on your iPhone and the 6K digital systems used in movies like “Interstellar”, with all of the digital photography in between. Yes, it’s all digital video, but there are huge variables.

Third, this short article oversimplifies today's biometric technology landscape. It is a large, complex global technology trend and its uses expand daily. For example, 85% of ATMs in Japan use vein recognition, while in Brazil one third of ATMs feature palm readers.

Of the hundreds of reported data breaches in the past 2 years, only one bank (Morgan Stanley) was a victim. And that was caused by an employee password. Banks use the most secure cyber security tools because they are required by entities such as the FDIC and state regulators to protect customer assets. NPR highlights USAA, one of the largest financial institutions in the country, serving members worldwide. The facial recognition they use is far more sophisticated than the apps used to open mobile phones. They would not use it if it had not been thoroughly tested and proven. The risk would be too great. Virtual Keyring’s system was developed and proven using the same standards as bank systems.

Variables such as user population, information stored, location, and devices used will determine the optimal solution for an organization.

I cannot speak to the biometrics investor mentioned in the article, but I question his business and technology skills with an investment of $100 million into a system that he doesn’t trust. The argument that hackers can ‘steal’ your biometrics is a red herring. The biometrics control access to credential security, which is the real target. This ridiculous scenario, which imagines some North Korean geeks capturing your fingerprints and storing them, is so far from the real world as to be fantasy.

2015 Second Annual Data Breach Industry Forecast

"We expect this increase in hackers targeting online credentials such as consumer passwords and usernames to gain keys to the castle — with the likelihood that compromising one record can often give access to all sorts of other information stored online."