Why the FBI called for using biometrics in MFA

Fred O'Connor | October 21, 2019

One-time passwords may no longer be effective in multi-factor authentication. That’s according to the FBI, which recently warned companies that threat actors are obtaining OTPs and circumventing MFA techniques. While OTP theft is still rare, these incidents are becoming more common. This doesn’t mean organizations should stop using MFA, which Google and Microsoft have found is highly effective at protecting accounts. The FBI holds a similar opinion, saying that MFA “continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks.” 

Those precautions, said the FBI, include using biometrics and behavioral information for authentication. So why use biometrics and behavioral information? Here’s Veridium’s take based on talks with our biometrics scientists. 

The case for using biometrics

The FBI likely advocated for biometrics because of their security benefits. Using what we are to authenticate is more secure than using a knowledge-based authentication factor, like an OTP or password. To use an OTP, a threat actor has to steal it and type it in. Again, OTP theft isn’t common, but has been occurring with enough frequency for the FBI to take notice. 

Using a stolen biometric, on the other hand, requires significantly more effort. Threat actors first have to spoof the biometric and then use the spoof to deceive a biometric sensor. Neither task is an easy feat; spoofing biometrics is complicated. And even if an attacker successfully spoofs a biometric, it has the fool liveness detection measures, which ensure that a person, not a forged biometric, is authenticating. This also assuming that a threat actor can steal the biometric. If stored properly, by using a distributed data model that splits the biometric and stores it in different locations, for instance, a biometric is more secure than using knowledge-based authentication methods like OTPs and passwords. 

There’s also a convenience factor for using biometrics over knowledge-based authentication methods. Entering an OTP involves waiting for the password to arrive either in your inbox or as a text message. Then you have to toggle to either your text messages or email account, copy the OPT, return to whatever service or app you’re trying to authenticate into and, finally, enter the OTP.  Using a biometric is an easier and faster experience that entails touching a smartphone’s fingerprint sensor, using facial recognition or scanning your four fingerprints. 

The case for using behavioral information

Incorporating behavioral information into MFA makes authenticating with a biometric more secure, which is probably why the FBI recommended adding it to MFA. This information, which can include time of day, geolocation or IP address, as the FBI noted, is unique to a person. Behavioral information makes using a stolen biometric even more difficult since attackers would have to obtain this data to successfully authenticate. 

Behavioral biometrics are also emerging as a way to detect attacker activity during authentication. Behavioral biometrics operate on the principles that everyone acts differently and copying another person’s behavior is challenging to impossible. Behavioral biometric data entails how people interact with their phones, including how people hold their phones, the pressure they use when typing and how they scroll. The data is passively collected by a phone’s accelerometer, gyroscope and other sensors when people use their devices. A baseline is established and behavior that deviates from the baseline could mean that someone besides the legitimate user is trying to authenticate.

What this means for businesses

Organizations that use OTPs for MFA may want to consider replacing them with biometrics, behavioral information or both. As the FBI noted, MFA is still a strong security tool. Adding biometrics, behavioral information or both make MFA even stronger and mitigate the risk that attackers could obtain OTPs. 

Share this article: