Biometric data obtained from selfies, forged passports and cyberattacks on data stores holding everything from fingerprints to DNA have long been best-sellers on the dark web. Untraceable yet very powerful in allowing attackers to access the most valuable information a victim has, attackers are racing to fine-tune their tradecraft, producing synthetic ID fraud for more sophisticated attacks.
Current approaches to protecting biometric data are falling short, however. “Biometric authentication offers unique advantages over other credential-based methods, but concerns about novel attacks and privacy are barriers to adoption,” according to Gartner. Their recent study of biometric authentication states that “concerns are growing about AI-enabled deepfake attacks that could undermine biometric authentication or render it worthless.”
Last year, at his company’s Zenith Live 2023 event, Zscaler CEO Jay Chaudhry told the audience that a deepfake of his voice to extort funds from the company’s India-based operations was created and launched by an attacker. VentureBeat has learned of more than a dozen instances of deepfake and biometrics-based breach attempts against leading cybersecurity companies over the last year. They have become so prevalent that the Department of Homeland Security provides a guide on how to counter them, “Increasing Threats of Deepfake Identities.” All forms of biometrics data are already best-sellers on the dark web. Expect 2024 to bring even more biometrics-based attacks aimed at corporate leaders.
Why attackers are focusing on senior executives first
Nearly one in three CEOs and members of senior management have fallen victim to phishing scams, either by clicking on the same link or sending money.
C-level executives are the primary targets for biometric and deep fake attacks because they are four times more likely to be victims of phishing than other employees, according to Ivanti’s State of Security Preparedness 2023 Report. Ivanti found that whale phishing is the latest digital epidemic to attack the C-suite of thousands of companies.
“In 2024, there will be heightened demand for more rigorous standards focused on security, privacy, device interaction, and making our society more interconnected. The expectation to connect everywhere, on any device, will only increase. Organizations need to make sure they have the right infrastructure in place to enable this everywhere connectedness that employees expect,” Srinivas Mukkamala, Chief Product Officer at Ivanti, told VentureBeat in a recent interview.
The goal: Improve biometrics to secure a zero-trust world
“When we founded Badge, our mission was to solve one of the hardest problems in authentication by moving the trust-anchor for digital identities to the human instead of relying on a hardware device that can be lost or stolen,” Tina P. Srivastava, co-founder of Badge told VentureBeat during a recent interview.
“After losing my own identity in a breach, we went back to the fundamentals. We relied on math to solve the problem and used cryptography to build a user-centric solution that makes people their own roots of trust, rather than their device or token. With Badge, you are your token,” she explained.
In response to the increasing need for better biometric security globally, Badge Inc. recently announced the availability of its patented authentication technology that renders personal identity information (PII) and biometric credential storage obsolete. Badge also announced an alliance with Okta, the latest in a series of partnerships aimed at strengthening Identity and Access Management (IAM) for their shared enterprise customers.
Srivastava explained how her company’s approach to biometrics eliminates the need for passwords, device redirects, and knowledge-based authentication (KBA). Badge supports an enroll once and authenticate on any device workflow that scales across an enterprise’s many threat surfaces and devices. Srivastava says her company’s unique approach to biometric authentication can prove that the same human who registered is the same human who’s authenticating to use a given resource or device. “So what we figured out how to do at Badge is how to share your identity across devices without ever storing any secrets anywhere,” she said.
What makes Badge’s approach noteworthy is how it enforces the foundational elements of zero trust while protecting PII, including all forms of biometric data, from attacks. Core to the platform is privacy-preserving authentication to every application on any device without storing user secrets or PII. Badge’s patented technology allows users to derive private keys on the fly using their biometrics and factors of choice without the need for hardware tokens or secrets. Today, Badge has customers across a broad spectrum of industries, including banking, healthcare, retail, and services.
How Badge helps strengthen zero trust
Srivastava explained how Badge’s technology is core to zero trust during a recent interview with VentureBeat. She explained how Badge minimizes data access by not storing user secrets or personally identifiable information (PII), reducing potential breach impact it supports and strengthens least privilege access.
What’s also apparent from the approach Badge is taking to biometric security is how strong its potential is for strengthening multi-factor authentication (MFA). Srivastava explains that users can authenticate using unique factors, including biometrics, without hardware tokens or secrets. Badge is also scaling out into enterprises with its partnerships, further adding value to zero-trust frameworks. Their recent announcements with Okta and Auth0 further validate Badge’s growing importance as part of broader IAM platforms and tech stacks.
Srivastava also told VentureBeat Badge operates on a cryptographically zero-knowledge basis, not trusting any party with sensitive data, and offers quantum resistance for future-proof security. That positions Badge’s technology as a solid contributor to any organization’s zero-trust architecture. “Badge has a compelling technology to address both consumer and enterprise use cases,” said Jeremy Grant, former senior executive advisor at the National Institute of Standards and Technology (NIST).
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.