Cyber Defense Magazine– PQC & Biometrics

Why biometric security is crucial in a post-quantum world

By Nils Gerhardt, Chief Technology Officer for Utimaco

Many are saying that passwords have now become obsolete – they can be stolen, ‘brute-forced’ or guessed, and are too vulnerable to lay the foundations of our digital security as we shift towards a post-quantum future. In fact, given that 70% of people reuse passwords, guessing is very easy. All Cybercriminals need to do is to buy a list of email addresses and, after gaining access to a site’s shadowed password file, crosscheck each password against the encrypted passwords. Once matched, the password can be used on the site.

However, new hardware devices are making it possible to avoid using passwords for anything from logging into websites to accessing restricted areas. Combining biometrics with smart design and the latest authentication protocols, they could become part of everyday life for millions of people as we move towards a new age of much stronger security and quantum computing.

The end of the passwords

While foreign espionage groups have been using free USB sticks and phone chargers to install keylogging software on target computers for a while, this technique would only continue to work if passwords remain the most important method of validating users. It can certainly be problematic for online businesses and an even larger problem for businesses and government organisations if they handle sensitive information.

Alphanumeric passwords are not only the standard for logging into websites, but in thousands of other places, including PIN numbers used in bank cards, unlocking phones and in entry keypads. Someone peering over your shoulder could quite easily access your bank account, phone (and with it every other password stored on it) or even your home or office.

Alphanumeric passwords are also far more likely to be compromised by an eavesdropper or ‘social engineer’ rather than by hacking. Common encryption standards like RSA would take trillions of years to ‘brute-force’ passwords, so techniques like phishing were used in high-profile penetrations like the 2016 DNC hack. Increasing the complexity of passwords and mandating that each one be unique will only make passwords so complex that most people won’t be able to use them.

Two-factor or multi-factor authentication increases the security of password-based systems by adding other factors. However, it is rarely used due to its multileveled complexity. Thus, almost every compromised Microsoft account didn’t use multi-factor authentication even when it was available.

The rise of biometric security

Biometric security has been around for as long as alphanumeric passwords and arguably earlier, since recognising somebody by their face has predated writing. Modern biometrics such as fingerprint security, facial recognition and behavioural biometrics have become integrated into everyday life.

Despite it being easier and more secure than alphanumeric passwords, biometric authentication may still rely on information being sent from one place to another (a fingerprint reader sending a user’s fingerprint to a cloud server where it will be verified), and although it will be encrypted during transit. If the fingerprint reader or even the cloud server at either end is compromised, for example, then biometric security may still be exploited.

Many of us will already use fingerprint security to unlock our phones, and an increasing number of us will use Near Field Communication (NFC) at least somewhere, whether that is using your phone to pay for a purchase, unlocking a door with a key fob or logging into sensitive systems (the NHS uses NFC cards to log users in to their computer network, for example.) The FIDO security standard allows users to use NFC or USB keys to log in to websites, meaning that only a key holder would be able to log into an account. Of course, an NFC key card can be used by anyone, and there is no way of verifying that the person using a key is its correct user without another form of verification.

Quantum computers being developed could break the cryptography used in passwords in a matter of days or even hours, whereby contemporary computers could not. Therefore, every piece of data would need to secured by one of the newly developed quantum-resistant algorithms to prevent bad actors from breaking passwords without the need to use phishing or social engineering.

The future of cybersecurity

Although these replacements for passwords may have disadvantages, a card-based biometric system that removes these limitations and allows governments, companies and individuals to verify their identity securely is currently being developed by Pone Biometrics, a Nordic R&D-driven cyber tech company.

With its own operating system and embedded applications, Pone Biometrics aims to develop a fingerprint reader on a card that acts as a microcomputer. Users that log into a website or open a door, can tap their card while pressing their thumb or finger on the reader. The onboard computer checks their print and transmits the encrypted verification to the device securely, meaning that very little is sent between devices.

Since the cards are only active when in use, there is no possibility that they will be ‘skimmed’ while a user believes that they are inactive and a visual display that shows if it is in use. The internal battery can last 2-3 weeks between charging, and it even has a failsafe system in place that protects users from being forced to use it – they can have a ‘failsafe finger’ that will wipe the device if used.

These cards could end up being used wherever there is currently the need for authentication – a government employee could use the same device to access sensitive information while at work and use it to open the door to their home and log in to accounts on their home computer.

To ensure biometrics survives, cryptography protecting biometrics from future quantum computers would need to be integrated into any new security systems from the start. After pursuing feasible security for over 25-years, Utimaco has been developing technology to counter quantum computers years, perhaps even decades before they are widely available. By combining next-generation biometric security cards with future-proof quantum resistance we can enter a post-password world.

About the Author

Nils Gerhardt is the Chief Technology Officer for Utimaco, a leading provider of cyber security solutions, and board member of the IoT M2M Council. Before joining Utimaco, Nils worked at Giesecke + Devrient in various executive management roles with regional and global responsibilities in Germany, Canada and the USA. As Chairman of the Board of GlobalPlatform, a global industry organization, Nils brought major companies together to define the standards for secure digital services and devices.

Nils can be reached online at linkedin.com/in/nils-gerhardt-38b6691 and at our company website https://utimaco.com/

About Utimaco

UTIMACO is a global platform provider of trusted Cybersecurity and Compliance solutions and services with headquarters in Aachen (Germany) and Campbell, CA (USA). UTIMACO develops on-premises and cloud-based hardware security modules, solutions for key management, data protection and identity management as well as data intelligence solutions for regulated critical infrastructures and Public Warning Systems. UTIMACO is one of the world’s leading manufacturers in its key market segments.

500+ employees around the globe create innovative solutions and services to protect data, identities and communication networks with responsibility for global customers and citizens. Customers and partners in many different industries value the reliability and long-term investment security of UTIMACO’s high-security products and solutions. Find out more on www.utimaco.com.