Biometrics in the Great Beyond
A thumbprint may be a good authentication factor for the living, but are you prepared to access mission-critical data and devices after an employee's death?
May 13, 2020
When a heart unexpectedly stops beating, it doesn't care whether the body around it took the trash out that morning, kissed a spouse goodbye, or made sure to arrange for backup access to systems and data if a biometric authentication factor no longer passes the "live" test.
Imagine, for example, that the recently deceased is a senior executive with critical sales information stored in files, messages, and a smartphone. And imagine if that executive had done their security due diligence and protected each of those accounts and endpoints with biometric multifactor authentication (MFA).
Now imagine it's your job to secure the organization. And the CEO tells you that while the executive's demise is a certainty, the company's survival is not – and in order to survive, the organization needs access to those well-protected assets.
If you didn't plan for this, you might now imagine that you have a problem.
As Kacey Clark, threat researcher at Digital Shadows, puts it: "Death in the digital era is complicated."
Access Denied by Design
Sometimes, of course, it is entirely appropriate for digital access to die with the account holder.
"A system designed around biometric data scoped to a single user without the capability of administratively accessing that system without said user's biometric data has made a declaration that individual privacy is more important than continuity," says Adam Mathis, director of information security at Red Canary.
If no redundant option exists, Mathis says, it's most likely by design rather than through omission. That means "you're trading availability for more privacy," he says.
When it comes to enterprise data, however, most organizations will prioritize continuing access to that data over employee privacy.
Preparing Biometrics for the Great Beyond
It's easy to stand on the sidelines and point out that proper enterprise governance should give administrators multiple ways to gain access to corporate data. This may be easier said than done.
"Ideally, the biometric and [two-factor authentication] information should be part of an employee's identity and should be managed by an enterprise identity governance system. This approach will ensure that any privileges assigned to an employee are known and managed," says Arun Kothanath, chief security strategist at Clango.
However, there are still specific situations in which the identity governance system will have to be carefully tailored to the environment.
Stephen Banda, senior manager of security solutions at Lookout, keeps his eye on the enterprise's smaller devices.
"When it comes to mobile devices, this is where preparation goes a long way," he says. "Employers that use mobile device management will need to have access to reset a passcode on corporate-owned devices and retrieve the information they need."
That access, though, can be more complicated when the organization doesn't own the device.
"For [bring-your-own-device] environments where the deceased employee used their own device for work without enrolling in a corporate management program, businesses should be sure to manage corporate applications and have administrative access to any cloud service accessed by these devices related to work," Banda says.
Ultimately, the questions behind two-factor authentication (2FA) and access after an employee's death can have repercussions that go beyond simple device management.
Mathis compares systems protected by biometric authentication that can be overridden through device management – such as those on MacBook computers – with systems that have components that cannot be overridden. He uses Slack as the example, with its encrypted private messages between users.
The difference, he says, means, "one of these systems [the MacBook] is appropriate for storing mission-critical business data, and one [Slack] isn't."
Decommissioning the Deceased
Stray user credentials can create a security risk. When employees pass away, removing their authentication credentials, even biometric form factors, is a security must.
"This is a pretty common and well-understood issue known as decommissioning in the authentication space," says Roger Grimes, data driven defense evangelist at KnowBe4. "Regardless of why someone separates from an organization, when they separate, there should be manual or automated processes which immediately disable the associated user account."
Regardless of whether there is critical enterprise data, the processes associated with decommissioning should be followed, Grimes says. Each account that is left "open" after an employee dies (or, in a less dramatic turn of events, leaves the company) represents a potential point of attack for a criminal.
"Unfortunately, decommissioning, in general, is probably the least-followed part of the authentication life cycle, and most organizations end up with a high percentage of inactive accounts," Grimes says.
Digital Shadows' Clark agrees. "At this time, even some major companies do not have established policies in place to coordinate the removal of accounts or account details," she says.
Other experts also promote the critical importance of having policies and processes for decommissioning biometrics in place before the need arises.
"Like all binary authentication, such as password, knowledge-based authentication, and vulnerable two-factor authentication factors such as SMS, biometrics can fall victim to account takeover," says Fausto Oliveira, principal security architect at Acceptto. "Consequently, IT departments must apply the same rigor for the deletion of biometrics as clearing passwords when employees leave."
Oliveira points out that a strong policy surrounding identity and how it is treated when an employee leaves a company for any reason makes for a situation that can be automated, resulting in a process that requires relatively little human intervention.
"[Otherwise] it leaves the organization in an uncertain state, without the ability to audit what is enforced in which systems, where there is no correct way to measure the risk associated with credentials that may have been left behind in the assets," he says.
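The decommissioning and audit points raised by Grimes and Oliveira above lend themselves to a simple reconciliation check. The following is an added example, not code from the article or from any of the vendors quoted in it: it compares a constructed HR separation feed against a constructed identity-store export and reports separated users whose accounts are still enabled, separated users whose biometric enrollments were never cleared, and active accounts that have gone dormant. The field names, the authenticator labels, and the 90-day dormancy threshold are all assumptions chosen for illustration.

```python
"""Reconcile an HR separation list against an identity-store export.

Added illustration (not from the article or any vendor quoted in it).
All data below is constructed sample input; the record layout and the
authenticator labels are assumptions, not any real directory's schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Authenticator labels we treat as biometric enrollments (assumed naming).
BIOMETRIC = {"fingerprint", "faceid", "iris"}


@dataclass
class Account:
    user: str
    enabled: bool
    last_login: date
    # Enrolled authenticators, e.g. "fingerprint", "totp", "sms", "password".
    authenticators: list[str] = field(default_factory=list)


# Constructed HR feed: user -> separation date (any reason: resignation, death, ...).
SEPARATED = {
    "jdoe": date(2020, 5, 1),
    "asmith": date(2020, 4, 20),
}

# Constructed identity-store export.
DIRECTORY = [
    Account("jdoe", enabled=True, last_login=date(2020, 4, 30),
            authenticators=["fingerprint", "totp"]),
    Account("asmith", enabled=False, last_login=date(2020, 4, 19),
            authenticators=["faceid"]),
    Account("bwong", enabled=True, last_login=date(2019, 10, 2),
            authenticators=["password"]),
    Account("clee", enabled=True, last_login=date(2020, 5, 12),
            authenticators=["fingerprint"]),
]


def audit(directory: list[Account], separated: dict[str, date], today: date,
          dormant_after: timedelta = timedelta(days=90)) -> list[tuple[str, str]]:
    """Return (user, finding) pairs the decommissioning process should have handled.

    Three checks, in the order the article raises them:
      1. a separated user whose account is still enabled;
      2. a separated user whose biometric enrollments were not deleted
         (disabling the login is not the same as clearing the factor);
      3. an enabled account nobody has used for `dormant_after`, the
         "inactive accounts" Grimes describes.
    """
    findings: list[tuple[str, str]] = []
    for acct in directory:
        sep = separated.get(acct.user)
        if sep is not None and sep <= today:
            if acct.enabled:
                findings.append((acct.user, "separated but still enabled"))
            lingering = sorted(set(acct.authenticators) & BIOMETRIC)
            if lingering:
                findings.append(
                    (acct.user, "biometric enrollment not cleared: " + ", ".join(lingering)))
        elif acct.enabled and today - acct.last_login > dormant_after:
            findings.append((acct.user, "enabled but dormant"))
    return findings


def report(findings: list[tuple[str, str]]) -> str:
    """Render findings one per line for a ticket or a log sink."""
    return "\n".join(f"{user}: {finding}" for user, finding in findings)


if __name__ == "__main__":
    print(report(audit(DIRECTORY, SEPARATED, today=date(2020, 5, 13))))
```

The second check is the one most often missed: an account can be disabled while the fingerprint or face template that unlocks a managed device is still enrolled, so the reconciliation treats "login disabled" and "factor deleted" as separate conditions to verify.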