
Why Biometric Authentication on Your Users' BYOD Devices Is Not Enough

By Evan Krueger, VP Product  |  7 minute read

From the perspective of someone responsible for securing an enterprise, the inclusion of biometric recognition in PCs and phones has been a positive development. The draw of biometrics for recognition is that most traits are suitably unique and entropic, so the biometric is more secure than a short passcode or an easily remembered password. Biometric verification is also widely regarded as intuitive and convenient. Adopting it as the way users authenticate to their devices has therefore reduced a large attack surface for organizations whose employees work remotely or in hybrid environments.

At first glance, one biometric authenticator may seem as secure as another. Users may feel secure using the fingerprint scanner on a Windows laptop, and the experience looks much the same across devices. However, the security and effectiveness of biometric systems vary significantly.

This post explores the differences between the fingerprint authentication built into popular PCs and next-generation biometric multi-factor authenticators, highlighting the vulnerabilities in the former and how advanced solutions provide the security and convenience users expect.

What is Biometric Authentication?

Biometric authentication verifies an individual's identity using unique physiological or behavioral characteristics. The most common biometric system built into computers today is the fingerprint scanner, but other methods match templates derived from the retina, iris, voice, facial geometry, or behavioral data.

Fingerprint verification systems are primarily used in an authentication context: the question is whether a query fingerprint matches the previously enrolled template (or one of them), on the assumption that every enrolled template belongs to a legitimate user (often the device owner). Although the comparison between a query fingerprint and an enrolled template is made with a thresholded similarity or distance metric, the answer the verification system gives to the question "is this fingerprint a match?" is a single binary (yes/no) result.

The concept is simple and, in theory, robust, but the implementation details are crucial.

Vulnerabilities in Legacy Fingerprint Authenticators 

Microsoft’s Offensive Research and Security Engineering (MORSE) team conducted a study on three fingerprint sensors used in popular laptops today. The study revealed a common class of vulnerability among these sensors.  

The study focused on fingerprint sensors from ELAN, Synaptics, and Goodix, used in devices such as the Microsoft Surface Pro X, Lenovo ThinkPad T14, and Dell Inspiron 15. These "match on chip" sensors store biometric templates in separate, protected storage on the sensor itself rather than in the device's general storage, which makes them more secure. To ensure that one cannot simply fake a "match," the host communicates with the chip over a secure channel that is meant to guarantee the integrity of the communication. Despite this, the MORSE team found ways to bypass the system: the manufacturers did not fully use the secure channel, implementing the specification improperly or only partially. In one instance, the researchers dual-booted Linux and Windows and found that the enrolled templates could be overwritten from Linux; after booting back into Windows, the attacker could log in as though they were the device owner.

Next-Level Authentication: The Security You Expect

MORSE identified multiple vulnerabilities in the selected built-in fingerprint scanners and expressed confidence that more are likely to be found. For enterprises this is an unacceptable risk: an attacker with physical access to a laptop can exploit these weaknesses to log in and escalate privileges.

The critical security failing here is that the means of authentication and the potentially valuable contents of a stolen laptop, whether intellectual property, locally stored credentials, or anything else, are bundled together on the same device. (This is by design: a biometric verification system that transmits and stores biometrics remotely would be attacked in other ways.) If a laptop is taken, the attacker can disable Wi-Fi, leaving the organization unable to protect the device's contents by remote wipe, and then spend as long as needed carrying out the exploit without interference. The risk is greater still if disk encryption is unlocked by the built-in biometric verification.

The Token Ring offers next-generation multi-factor authentication. It shares some features with onboard fingerprint scanners, such as using biometrics and storing credentials locally, but the differences are critical for security. The Token Ring:

  • Is a wearable device assigned to one individual 
  • Is independent of the work device 
  • Has no Wi-Fi or cellular radio, removing the remote attack surface 
  • Uses proximity security: the Ring must be near the device to function 
  • Uses the FIDO protocol, making it resistant to phishing and man-in-the-middle attacks 

Each Ring is uniquely registered to an individual, providing the same high assurance of identity that laptop biometric verification can offer. Most importantly, because biometric user verification (UV) only gates the FIDO authentication ceremony, the outcome is not a bare yes/no comparison that the host has to trust. Instead, a device using the Token Ring for Windows login requires a connection to the organization's Microsoft Entra ID identity provider, and the FIDO ceremony, a signature over a fresh server challenge bound to the relying party's origin, makes the process unphishable and immune to replay and man-in-the-middle attacks.

Even if an attacker were able to steal a Ring, take it apart, and apply a technique related to the one described by the Microsoft researchers, the organization has recourse. When a Ring is lost or stolen, its FIDO credential can be revoked on the organization's side. So even if a nation state or similarly capable attacker tries to get into a stolen laptop with a stolen Ring, and even assuming that attacker can break all of the Ring's defenses (of which there are many), the authenticator cannot be used to get into the machine once the organization revokes the credential.
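To make the difference concrete, here is an added example of the challenge-response ceremony that FIDO/WebAuthn uses, showing why the unphishable, replay-proof and revocable properties claimed in the previous two paragraphs hold. This is illustrative code written for this post; it is not Token's code and is not derived from any vendor's implementation. It assumes a hypothetical relying party named login.example.com, simplifies the WebAuthn message framing (no CBOR or CTAP encoding, no signature counter or attestation), and uses a boolean in place of the ring's actual fingerprint match.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed relying party identity for this illustration, not a real deployment.
const rpID, rpOrigin = "login.example.com", "https://login.example.com"

// Authenticator models the ring's role: a private key released only after local user verification.
type Authenticator struct {
	CredID []byte
	priv   *ecdsa.PrivateKey
}

// Assertion is the signed answer to a challenge. Framing is simplified from WebAuthn (no CBOR/CTAP):
// AuthData is rpIdHash(32) || flags(1), and Sig covers SHA256(AuthData || SHA256(ClientDataJSON)).
type Assertion struct {
	CredID, AuthData, ClientDataJSON, Sig []byte
}

func NewAuthenticator() *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing below would be safe
	}
	id := make([]byte, 16)
	rand.Read(id)
	return &Authenticator{CredID: id, priv: priv}
}

// signedMessage is what both sides hash: SHA256(authData || SHA256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// Sign is the authenticator side. rpid and origin are supplied by the client platform (browser/OS),
// which is why a phishing page cannot claim the real origin. userVerified models the biometric gate.
func (a *Authenticator) Sign(rpid, origin, challenge string, userVerified bool) (*Assertion, error) {
	if !userVerified {
		return nil, errors.New("user verification failed: key not released")
	}
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(rpid))
	authData := append(append([]byte{}, rpHash[:]...), 0x05) // flags: user present (bit 0) | user verified (bit 2)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{CredID: a.CredID, AuthData: authData, ClientDataJSON: cd, Sig: sig}, nil
}

// RelyingParty is the IdP side: registered public keys plus challenges issued but not yet answered.
type RelyingParty struct {
	pubs   map[string]*ecdsa.PublicKey
	issued map[string]bool
}

// NewRelyingParty registers the given authenticators' public keys (the enrollment step).
func NewRelyingParty(auths ...*Authenticator) *RelyingParty {
	rp := &RelyingParty{pubs: map[string]*ecdsa.PublicKey{}, issued: map[string]bool{}}
	for _, a := range auths {
		rp.pubs[string(a.CredID)] = &a.priv.PublicKey
	}
	return rp
}

// Revoke is what the organization does when a ring is lost or stolen.
func (rp *RelyingParty) Revoke(credID []byte) { delete(rp.pubs, string(credID)) }

func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	c := fmt.Sprintf("%x", b)
	rp.issued[c] = true
	return c
}

// Verify runs the relying-party checks in roughly the order WebAuthn prescribes.
func (rp *RelyingParty) Verify(as *Assertion) error {
	pub, ok := rp.pubs[string(as.CredID)]
	if !ok {
		return errors.New("unknown or revoked credential")
	}
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil || cd["type"] != "webauthn.get" {
		return errors.New("malformed client data")
	}
	if !rp.issued[cd["challenge"]] {
		return errors.New("challenge never issued or already consumed (replay)")
	}
	if cd["origin"] != rpOrigin {
		return errors.New("origin mismatch (phishing)")
	}
	want := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) != 33 || string(as.AuthData[:32]) != string(want[:]) || as.AuthData[32]&0x04 == 0 {
		return errors.New("rpIdHash mismatch or user verification flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Sig) {
		return errors.New("bad signature")
	}
	delete(rp.issued, cd["challenge"]) // one challenge, one login
	return nil
}

func main() {
	a := NewAuthenticator()
	rp := NewRelyingParty(a)
	as, _ := a.Sign(rpID, rpOrigin, rp.NewChallenge(), true)
	fmt.Println("genuine login:", rp.Verify(as), "| replay of the same assertion:", rp.Verify(as))
}
```

The contrast with the laptop sensor is in what the host receives. A match-on-chip sensor hands the OS a single "match" bit over a channel the vendor may or may not have secured, and a template written from another OS is accepted as the owner's. Here the identity provider never sees a match bit at all: it sees a signature over a challenge it just issued and over the origin the browser actually loaded, so a captured assertion cannot be replayed, an assertion made on a look-alike domain fails the origin and rpIdHash checks, and once Revoke removes the public key the ring's signatures are simply unknown credentials. Production code also checks the signature counter and, at enrollment, the attestation, which this example leaves out.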

Your enterprise applications, paired with an SSO solution and using the Ring for Windows login, will require more than a "green light" from an onboard authenticator. This separation of concerns, relying on the Token Ring for biometric user verification and on the FIDO protocol for the security of the authentication itself, mitigates the class of exploits demonstrated by the MORSE team. It lets Token give organizations some of the strongest and most resilient authentication available while giving users the familiar biometric experience they have come to expect and appreciate.

Learn more about the Token Ring and next-generation authentication in our product brief.