Cyber Vulnerabilities of

BiometricsBojan Simic

CTO @ Hypr Corp.

@bojansimic

hypr.com

What’s this talk about?

Current methods of proving

Am I who I say I am?

have failed miserably.

Our Authentication Failures

1. 123456

2. Password

3. 12345

4. 12345678

5. Qwerty

6. 123456789

7. 1234

8. baseball

9. dragon

10. football

11. 1234567

12. monkey

13. letmein

14. abc123

15. 111111

Top 15 Passwords of 2014

“2FA Systems Used by Banks Bypassed

with Malware, Rogue Mobile Apps”

Biometrics to the Rescue

Not so fast...

• Man in the Middle Attacks (MITM)

• Malware

• Biometric Storage (Digital Lockers)

• BYOD/Internet of Things

Biometrics the Wrong Way – Example 1

Malware Bypasses Client Side Verification

Biometrics the Wrong Way – Part 2

Man in the Middle Attacks – Biometric Storage

Do’s and Dont’s of Biometric Security

Do encrypt everything

Do device tracking

Do behavioral analysis

Do require 3-factor

security

Don’t do Client Side Verification

Don’t store biometric data in a

centralized repository

Don’t rely on passwords

Don’t do verification of template

data remotely

Do

Don’t

Free tools for your consideration

Fast Identity Online (FIDO) alliance

Read it

Learn it

Love it

Open Web Application Security Project (OWASP)

Read the top 10 – Especially authentication

Join and participate

Dozens of free tools and documentation

Join pilot programs for new biometric tech

FIDO Spec Biometric Registration Process

FIDO Spec Biometric Authentication Process

Thank You! Email - bojan@hypr.com

Twitter - @bojansimic

https://hypr.com