Passkeys and biometrics have long been regarded as the new frontier for cybersecurity, with many organizations requiring their employees to use them. These two technologies alone have paved a long road for organizational security, protecting organizations from data breaches and cyberattacks — making a safer environment for corporations.
Like every technology, passkeys and biometrics will eventually become outdated, because the technology landscape keeps changing and threat actors always find ways to exploit the vulnerabilities in it. Here is a quick look at the implications of passkeys and biometrics in office spaces, the potential vulnerabilities they pose, and their impact on user privacy.
The Good and the Bad: Navigating the Perils
Shiva Nathan, the Founder & CEO of Onymos, envisions a future where alternative authentication mechanisms, especially biometrics, will gain prevalence. Highlighting the use of passkeys and biometrics, he states that “more websites and apps will offer alternate authentication mechanisms to passwords, many of which will involve biometrics. The two major platform players — Apple & Google — will increase the adoption of passkeys/FIDO”.
The 2022 State of Phishing Report by SlashNext highlights a stark reality: 76% of attacks focused on credential harvesting, emphasizing the persistent threat to security. Passkeys and biometrics, though formidable, face challenges in an era where technological advancements are met with equally sophisticated threat actors.
Multi-factor authentication (MFA) emerges as a crucial defense mechanism, alongside the advice that users diversify their passwords and change them routinely. However, as good as it sounds, attackers have their own methods of bypassing MFA, and one of them is social engineering combined with dark web access. Through social engineering, attackers can gain access to online accounts and the technologies associated with them.
Moreover, the dark web has played a crucial part in this ordeal: sellers advertise ‘access’ to users, and interested parties can buy login credentials to corporate accounts for less than $100.
Password Dilemma: A Breach Waiting to Happen
While biometrics is still considered the safer option, the use of passwords and passkeys is often associated with data breaches. According to reports, the most extensive password collection to date recently surfaced on a popular hacker forum, shared by a user as a colossal 100 GB TXT file comprising 8.4 billion passwords.
Biometric systems, often considered a safer alternative, navigate a precarious path in ensuring user privacy. Earlier this year, the Federal Trade Commission warned of the misuse of biometric information. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, emphasized the escalating sophistication and prevalence of biometric surveillance, presenting fresh challenges to privacy and civil rights.
At the core of this warning, the FTC laid out several key points addressing the ongoing abuse of biometric authentication. These points include:
- Neglecting assessment of potential consumer harms before collecting biometric data.
- Delaying action on known or foreseeable risks and not implementing tools to mitigate them.
- Conducting clandestine or unanticipated collection and use of biometric information.
- Neglecting evaluation of third-party practices and capabilities related to biometric data access.
- Inadequate training for employees and contractors handling biometric information.
- Failing to monitor and ensure the proper functioning of biometric technologies to prevent harm to consumers.
The Use of Passkeys and Biometrics: The Legal Outlook
Biometric data protection lacks global specificity, with most legal provisions relying on broader personal data protection legislation. The General Data Protection Regulation (GDPR) in the European Member States is a notable exception, providing a comprehensive framework for biometric data protection. The GDPR’s impact extends to 28 countries, including the U.K.
Despite the absence of a comprehensive federal law in the U.S., individual states like Illinois, Texas, California, New York, and Virginia have enacted biometric privacy laws. The legal framework for biometric data protection in the U.S. is evolving rapidly, with a focus on issues such as consent, data breach notification, and penalties for non-compliance in cases of data breaches and cyber-attacks.
In India, the Supreme Court has recognized privacy as a fundamental right, influencing the regulation of biometric data, particularly in the context of the Aadhaar identification program. China, following a unique approach, balances consumer privacy and state surveillance through laws like the Cybersecurity Law and the Personal Information Protection Law (PIPL).
Despite the challenges and ongoing developments, there is a growing global consensus on the importance of privacy. Many countries, from Europe to Brazil, India, China, and Africa, have enacted or updated privacy laws, emphasizing the need for robust accountability and imposing significant fines for inadequate data protection.
As the cybersecurity narrative unfolds, a global consensus on privacy gains momentum. From the GDPR’s impact on personal and biometric data protection to the enactment of stringent privacy laws across continents, the call for robust accountability resonates. In this dynamic interplay between innovation and security, organizations must remain vigilant, adapting to new threats while upholding the sanctity of user data.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.