COVID-19: Cybersecurity, Biometrics, and Access Control for On-Premises and Remote Workers

COVID-19 has greatly affected the biometrics market, forcing a split between contactless modalities, like face and iris, and contact ones, like fingerprint and vein, which are currently struggling to uphold the new stringent infection control protocols. This has caused an unprecedented demand in remote logical access control followed by new investment opportunities. What followed was a demand surge in contactless technologies (with face recognition being the clear winner) but a calamitous effect on the contact-only ones, forcing governments and organizations to stall many current fingerprint access control applications and postpone similar projects in the implementation pipeline.

All contact-only biometric modalities (affecting fingerprint, vein, and finger-vein) are currently on the downslope. While on the surface this just looks like a standard security measure with few implications, it has actually caused significant challenges worldwide in immigration and border control, law enforcement and public safety, civil and welfare, banking and payments, workforce management, and logical and physical access control. Numerous governmental entities, law enforcement agencies, and in some cases even correctional facilities worldwide have suspended the use of fingerprint technologies for registration, authentication, and many related applications, even causing additional problems for suspect processing and management of biometric templates in criminal Automated Fingerprint/Biometrics Identification System (AFIS/ABIS) databases.

The Indian government has suspended all biometric attendance and workforce management systems in key regions after the UIDAI-backed attendance systems failed the mandatory hygiene tests. In countries making use of biometric residence permits and VISA schemes, this process has been severely hindered and some agencies (e.g., U.K. immigration) have extended all current VISA applications due to COVID-19 and the applicants’ self-isolating restrictions. For the biometric services that were not suspended, the standard security protocols in regard to deletion and re-registration of new biometric templates have been omitted, changing the security lifecycle of biometric templates. Most recently, U.S Citizenship and Immigration Services (USCIS) was forced to lower biometrics data management and authentication standards in light of the recent outbreak. The agency will stall all new biometric registrations and instead reuse all the previously collected biometric templates in order to process all near-future I-765 employee authorization applications.

While physical on-premises biometric access control has been dealt a significant pushback, logical remote access control is currently experiencing the most significant surge of the last few years. With the rapid increase in remote workers, biometrics can safeguard user authentication, creating a clear identity audit trail that allows them to access network resources. Due to the personal nature of authentication, USB fingerprint sensors (even of a lower price tier) can greatly assist in the authentication process. However, ABI Research warns that biometrics alone is not the panacea from a cybersecurity perspective. While it is a great tool for workforce management and for adding an additional Multi-Factor Authentication (MFA) layer on top of traditional approaches, it does not itself provide the adequate security level required for Information Technology (IT) security in the grand scheme of things.

No matter the level of biometric security, if remote logical access control is not coupled with the appropriate endpoint protection, Virtual Private Network (VPN) clients, anti-malware services, privilege access management on the backend (to prevent indiscriminate access to key resources), and social engineering cybersecurity training for the workers, then no biometric device can be of assistance. To make use of the most extreme, implausible example, even if remote workers had access to DNA (the most powerful biometric tool currently available) centrifuge and authentication services from their home offices, that alone would still not be a viable biometric access control tool if other cybersecurity tools are lacking. Attackers making use of a compromised system can simply issue a replay attack bypassing everything—regardless of whether a biometric device costs less than US$50 or more than US$5,000. In fact, there have been many cases in the past where high-value resources (e.g., banking) were protected by insecure, low-tier, low-cost network components (e.g., gateways).

Before the outbreak organizations had additional control over the types of endpoints and users under their own networks, protected with an array of security components which could be accessed, quarantined, managed, or revoked by IT (e.g., corporate protected communications. The picture after the outbreak is a lot different: organizations’ endpoints and users (including high-privilege C-level users) are, quite literally, scattered on a national or even global scale. This means that the majority of the endpoints and communications for many organizations right now do not fall under their own corporate domain—they originate from their employees’ home networks. To put it bluntly, the same home network that also connects smart home appliances, smart lightning, personal electronics capable of accessing web services that could be interpreted as “malicious” under corporate domains, video game systems, smart locks, and even webcams/indoor/outdoor cameras (which are some of the most easily hacked pieces of equipment worldwide and an attractive target for attacks) is now also forced to authenticate remote users accessing high-value company information and trade secrets.

As such, ABI Research recommends turning to biometrics as an additional form of authentication when other endpoint, privilege, and security protocols are in place. This can greatly elevate remote authentication security and offer statistically significant results to Return on Investment (ROI) due to less IT involvement in sorting out security alerts as well monitoring or implementing new policies. However, simply issuing a fingerprint sensor for employees will not (by itself) improve an organization’s cybersecurity posture during this time when IT departments are forced to adapt to an unprecedented demand for remote security.