Identity & Access Management Archive - SITS

Biometrics - security almost without password

  • Identification systems based on biometric data offer a good combination of security and convenience.
  • When introducing biometric systems, increased requirements for the protection of personal data must be respected.
  • Biometric features are difficult to falsify, but should never be used as the sole authentication for access to critical systems.

Modern IT security is hard to imagine without biometrics. Whether on phones or PCs, biometric features such as fingerprints and facial structure are used billions of times a day to unlock devices. They promise both security and convenience, because they spare users from typing complex user names and passwords. But how secure is the technology really? What are the basics, and what needs to be considered if you want to use biometrics in IT security? This post provides an overview.

How does Biometrics work?

The term biometrics covers a range of different methods. The best known is probably fingerprint recognition, which is built into many smartphones. Since Apple introduced Face ID, recognition of facial geometry via cameras has also become widespread.

There are also other methods that enable biometric recognition. For example, the iris or retina of the eye can be used for identification. The vein pattern of the hand is also suitable and DNA analysis also enables precise identification.

In addition to these common methods, there are also more exotic approaches: For example, there are methods that can recognize people based on their way of walking, their body odor, their signature or their typing behavior on a keyboard.

Four important factors

No matter which method is used, it must fulfill four requirements:

  • Uniqueness: The characteristic must differ from person to person; no two people should share it.
  • Consistency: The characteristic must remain stable over time and must not change with age or environment.
  • Measurability: There must be clearly defined measurement parameters and procedures.
  • Universality: As many people as possible should possess the characteristic in question.

Are fingerprints truly unique?

For over a century, fingerprints have been considered the ideal means of uniquely identifying people. The method is based on the as yet unproven assumption that every fingerprint is absolutely unique.

A study from 2024 calls this hypothesis into question. An AI-based analysis of over 60,000 fingerprints has shown that there are significant similarities between the patterns of different fingers.

However, this does not undermine biometric identification. The similarities found exist between the different fingers of one and the same person, not between different people. In practice it therefore remains effectively impossible to confuse two people on the basis of a fingerprint.

The required technology

In principle, all biometric recognition works according to the same method.

  1. First, the user must be registered. During this enrolment, all characteristics needed to identify him or her are recorded, often from several sensor readings.
  2. An algorithm derives a template from this data. The template no longer contains the raw data recorded by the sensor, only the information required for later comparison. Templates are stored in encrypted form.
  3. When a person is later to be identified biometrically, the fresh reading (e.g. the finger on the sensor) is compared with the stored template during matching. The two data sets practically never agree exactly, so they are not checked for absolute equality but for sufficient similarity within a predefined tolerance. That tolerance is a trade-off: a looser threshold lowers false rejections of legitimate users but raises false acceptances of impostors.
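The three steps above in runnable form, as an added illustration that is not code from the article: a toy feature vector stands in for the sensor reading, a bit-vector template is derived from several enrolment readings, and matching accepts anything within a Hamming-distance tolerance rather than requiring equality. The 16-feature model, the midpoint quantisation and the noisy sample data are all constructed for the example; encryption of the stored template is out of scope here.

```python
"""Toy enrolment/template/matching pipeline (added illustration, not code from the article).

Hypothetical model: a sensor reading is a list of 16 feature values in [0, 1]; the template is
a 16-bit vector obtained by thresholding each feature; matching uses the Hamming distance and
accepts anything within `tolerance` differing bits. Template encryption at rest is out of scope.
"""
import random

FEATURES = 16


def quantise(sample):
    """Reduce a raw reading to a bit vector: 1 if the feature lies above its midpoint."""
    return tuple(1 if v >= 0.5 else 0 for v in sample)


def enrol(samples):
    """Build the template by majority vote over several enrolment readings to average out noise."""
    bits = [quantise(s) for s in samples]
    return tuple(1 if sum(col) * 2 > len(bits) else 0 for col in zip(*bits))


def hamming(a, b):
    """Number of positions in which two bit vectors differ."""
    return sum(x != y for x, y in zip(a, b))


def match(template, sample, tolerance):
    """Accept when the fresh reading is within `tolerance` bits of the template (never exact equality)."""
    return hamming(template, quantise(sample)) <= tolerance


def error_rates(template, genuine, impostors, tolerance):
    """False rejection rate (genuine users rejected) and false acceptance rate (impostors accepted)."""
    frr = sum(not match(template, s, tolerance) for s in genuine) / len(genuine)
    far = sum(match(template, s, tolerance) for s in impostors) / len(impostors)
    return frr, far


def noisy_reading(base, rng, sigma):
    """Constructed sensor reading: the person's true features plus Gaussian measurement noise."""
    return [v + rng.gauss(0.0, sigma) for v in base]


def demo(seed=1):
    """Sweep the tolerance and return {tolerance: (FRR, FAR)} on constructed data."""
    rng = random.Random(seed)
    alice = [rng.random() for _ in range(FEATURES)]            # constructed "true" features
    template = enrol([noisy_reading(alice, rng, 0.05) for _ in range(5)])
    genuine = [noisy_reading(alice, rng, 0.10) for _ in range(200)]
    impostors = [[rng.random() for _ in range(FEATURES)] for _ in range(200)]
    return {t: error_rates(template, genuine, impostors, t) for t in (0, 2, 4, 8)}


if __name__ == "__main__":
    for t, (frr, far) in demo().items():
        print(f"tolerance={t:2d}  FRR={frr:.2f}  FAR={far:.2f}")
```

Running the sweep shows the trade-off the text describes: at tolerance 0 many genuine readings are rejected because features near the midpoint flip under sensor noise, while at tolerance 8 almost nobody is rejected but random impostor vectors start to pass. Choosing the threshold is therefore a security decision, not a purely technical one.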

In addition to a suitable scanner, such as a camera system, the method needs sufficient processing capacity: the hardware must not only perform the matching, it must also encrypt the sensitive template data quickly and securely. On smartphones this is typically handled by a dedicated secure processor (Apple's Secure Enclave, for example) so that templates never leave it.

Requirements for companies

When using biometric procedures in companies, the data collected must only be used for the stated purpose, for example access control or logging in to systems. Everything else must be stripped from the raw data; in other words, only template data may be stored.

Ideally, biometric data should be stored with the employee, for example on a chip card or within a smartphone app. If biometric data has to be stored centrally, it has to be pseudonymized and encrypted.

Important: When introducing biometric procedures, both the works council and data protection officers should be involved at an early stage. Covert recording of employees is not permitted.

How secure are biometric systems?

The level of security varies greatly depending on the method. Some facial recognition systems work with a single ordinary camera, and some of these can be fooled with a simple photo. Advanced systems (such as Apple's Face ID or Microsoft's Windows Hello) therefore add infrared and depth sensors that capture the three-dimensional geometry of the face, which makes them far harder to spoof.

The situation is similar with fingerprint scanners. Simple sensors only read the ridge pattern of the fingertip, while better ones add liveness detection and check whether a living finger is present rather than an object with a pattern printed on it.

In general, biometric methods offer a good compromise between security and convenience. Most systems can be bypassed, but the effort involved is high.

For critical systems, biometrics should never be used alone, but always in combination with other authentication factors (such as passwords, key generators, etc.).

Does biometrics pose a data protection risk?

Biometric data enables the direct identification of persons, so storing it is subject to the German Federal Data Protection Act (BDSG) and, above all, the GDPR. Under Article 9 of the GDPR, biometric data processed to uniquely identify a person is a special category of personal data, and some modalities (iris scans, facial images) may additionally reveal ethnic origin or health information. The explicit consent of the data subject is generally required for its collection. Whatever the modality, the data should always be stored encrypted and ideally not centrally on a server but decentrally, on the user's own device or token.

The German Federal Office for Information Security (BSI) advises restraint in the use of biometric systems. Unlike a lost password, fingerprints, facial geometry etc. cannot simply be replaced once they have been compromised. Biometric data should therefore only be entrusted to trustworthy providers.

It is also important during implementation that biometric data is never the sole means of access. Combining it with passwords, PINs, hardware tokens etc. increases both the security and the reliability of the login.

Verdict: Biometrics as a good compromise between security and convenience

Used sensibly, biometrics can strengthen an organization's security architecture. User acceptance is high, handling is simple and recognition quality is good. Nevertheless, data protection, encryption, consent requirements and thorough employee training must all be addressed when introducing biometrics. If these conditions are met, biometrics is more secure and more convenient than many other authentication methods.

Privileged Access Management - greater security for key users

  • PAM increases IT security through the constant monitoring of sensitive data and just-in-time and just-enough restriction of access rights.
  • Implementation requires expertise and a comprehensive assessment of the IT systems and the entire security architecture.
  • When used correctly, PAM minimizes risks, supports reporting, creates greater transparency and helps to meet compliance requirements.

In addition to access data for regular users, company networks also have accounts with very extensive authorizations for employees who are responsible for administering systems or accessing sensitive data. If one of these accounts is compromised, substantial damage can quickly occur. Privileged access management (PAM) helps to comprehensively protect these critical accounts. In this post, you can find out how PAM works, how it is implemented and what precautions a company should take.

How does Privileged Access Management work?

PAM is a specialized form of identity management. It is used for two main reasons. First, it increases the security of critical data by preventing credential theft, securing data and detecting attacks before damage occurs. A Gartner study shows how important this is: according to its findings, around 70 percent of all relevant security incidents can be traced back to the compromise of privileged access.

In addition, the use of PAM may be necessary to meet compliance standards or fulfill corresponding requirements. PAM solutions also create tamper-evident audit trails that prove that the necessary access controls are in place and effective.

What are privileged accounts?

In the PAM context, privileged accounts are user accounts that have extensive access rights to data, systems and services.

The most obvious example of a privileged account is the administrator, who must have access to all systems. But there are also accounts with full access to data because their users belong to the management team, accounts for users who manage applications and therefore need access to special administration interfaces, and accounts for users who work with sensitive data such as payment information or health data. All of these are issued credentials by the company that carry more rights than those of standard users.

The implementation of PAM

PAM can be implemented either as Software-as-a-Service or on-premises with local IT resources. In both cases, a comprehensive approach is required for the management and control of accounts, access, systems, services and processes. A zero-trust architecture is used, which distributes access rights according to the least-privilege principle: every access is checked continuously, and each user can only reach the data actually needed to perform their tasks.

The implementation of a PAM architecture should include the following steps:

  • Identify privileged accounts: The first step is to determine who needs credentials that go beyond the rights of a standard user. A distinction is usually made between two groups: users who need access to sensitive information and IT administrators who need to manage systems and services.
  • Evaluate risks: Once the required users have been defined, a risk assessment should be carried out for each set of rights.
  • Implement controls: Systems must be prepared to restrict and monitor privileged accounts. Methods to achieve this are explained below.
  • Extend controls to devices and services: The controls do not only relate to accounts or users. It must also be possible to assign appropriate privileges or restrictions to devices and service accounts.
  • Monitoring: All privileged activity in the network must be monitored and logged. This log data is checked continuously for unusual activity or conspicuous usage patterns. To avoid data protection problems, the collected data should be pseudonymized as far as possible.
  • Train employees: Once all measures are in place, employees must be made aware of the importance of PAM and trained in the use of the system.

What elements does a PAM system require?

As part of a security and risk management strategy, a PAM system has to offer the possibility of identifying people, services and systems that require privileged access rights. These accesses must be secured, logged and monitored. The following elements are required to fulfill these tasks:

  • Privileged credential management: Automated management of privileged credentials (a vault) that assigns access rights by role. Solutions that allow sensitive rights to be assigned for a limited time only are ideal here. The system should also allow external partners or guest users to be given (time-limited) authorizations.
  • Privileged session management: A component that monitors and logs the use of privileged accounts. It also produces audit logs and session recordings to meet compliance requirements.
  • Usage analysis: An analysis component records all privileged activity and can therefore detect conspicuous usage patterns at an early stage.
  • Flexible assignment of rights: The system recognizes whether users with extended access rights currently need their privileges and downgrades those rights to a lower level when no sensitive data is required. Privileged access is provided "just in time" rather than being permanently available.
  • Multi-factor authentication (MFA): All privileged credentials should only be usable after a successful MFA login.
  • Account economy: Privileged access rights should only be granted to users who really need them. The list of these users should be reviewed regularly and the rights granted adjusted accordingly.
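The just-in-time, time-limited and MFA-gated elements above, combined in one small broker, as an added illustration that is not code from the article or from any PAM product. The eligibility table, the MFA check (a constructed stand-in that accepts one fixed code), the injected clock and the hash-chained audit log are all hypothetical; a real deployment would back them with a directory, an MFA service and write-once log storage.

```python
"""Minimal just-in-time (JIT) privilege broker (added illustration, not a real PAM product).

Hypothetical model: users hold only a base role; a privileged role is granted on request for a
bounded time, only after a fresh MFA proof and a justification, and every decision is written to an
append-only, hash-chained audit log. A clock callable is injected so expiry is testable.
"""
import hashlib
import json
import time
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    role: str
    expires_at: float
    reason: str


class JitBroker:
    def __init__(self, eligible, mfa_verify, clock=time.time, max_ttl=3600):
        self.eligible = eligible      # {user: {roles the user may request}}
        self.mfa_verify = mfa_verify  # callable(user, code) -> bool
        self.clock = clock
        self.max_ttl = max_ttl        # upper bound on any grant ("just enough" time)
        self.grants = {}              # (user, role) -> Grant
        self.audit = []               # append-only, hash-chained entries

    def _log(self, event, **fields):
        """Append an audit entry whose hash covers its content and the previous entry's hash."""
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": self.clock(), "event": event, **fields, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def request(self, user, role, ttl, reason, mfa_code):
        """Grant `role` for at most `ttl` seconds if the user is eligible and MFA succeeds."""
        if role not in self.eligible.get(user, set()):
            self._log("denied", user=user, role=role, why="not eligible")
            return False
        if not reason.strip():
            self._log("denied", user=user, role=role, why="no justification")
            return False
        if not self.mfa_verify(user, mfa_code):
            self._log("denied", user=user, role=role, why="mfa failed")
            return False
        ttl = min(ttl, self.max_ttl)
        self.grants[(user, role)] = Grant(user, role, self.clock() + ttl, reason)
        self._log("granted", user=user, role=role, ttl=ttl, reason=reason)
        return True

    def authorize(self, user, role):
        """Check at use time that a grant exists and has not expired; expired grants are dropped."""
        g = self.grants.get((user, role))
        if g is None:
            return False
        if self.clock() >= g.expires_at:
            del self.grants[(user, role)]
            self._log("expired", user=user, role=role)
            return False
        self._log("used", user=user, role=role)
        return True

    def verify_audit(self):
        """Recompute the hash chain; False if any entry was altered, inserted or removed."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


class FakeClock:
    """Constructed clock so the example can fast-forward past a grant's expiry."""
    def __init__(self, t=1_700_000_000.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Exercise grant, denial, expiry and audit tampering; returns the outcome of each step."""
    clock = FakeClock()
    broker = JitBroker({"alice": {"db-admin"}}, mfa_verify=lambda user, code: code == "123456",
                       clock=clock, max_ttl=900)
    granted = broker.request("alice", "db-admin", 600, "INC-42: rotate DB credentials", "123456")
    not_eligible = broker.request("bob", "db-admin", 600, "just curious", "123456")
    bad_mfa = broker.request("alice", "db-admin", 600, "INC-43", "000000")
    use_now = broker.authorize("alice", "db-admin")
    clock.advance(601)
    use_later = broker.authorize("alice", "db-admin")   # window has closed
    intact = broker.verify_audit()
    broker.audit[0]["reason"] = "routine"                 # someone edits the justification
    after_tamper = broker.verify_audit()
    return granted, not_eligible, bad_mfa, use_now, use_later, intact, after_tamper


if __name__ == "__main__":
    print(demo())
```

The point of `authorize` re-checking expiry on every use, rather than only at grant time, is that standing privilege never silently accumulates; the point of the hash chain is that an administrator who can edit the log file still cannot hide what they changed.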

The difference to PIM

At first glance, Privileged Identity Management (PIM) seems to share many features with PAM. However, PIM focuses on managing the privileged identities themselves (which accounts exist and which rights they hold), while PAM also monitors and secures the actual use of those rights to access resources.

PAM - more security via customized user rights

Used correctly, PAM not only improves the quality of IT security but also simplifies reporting and security audits. At the same time, managing access rights centrally increases transparency for the company itself. Implementing privileged access management is therefore worthwhile wherever companies work with sensitive data and the loss of that data would cause significant damage.

The most important advantages of single sign-on and its significance for companies

What is Single Sign-on (SSO)?

Single sign-on, or SSO for short, is an authentication solution that helps to increase IT security, improve user-friendliness and reduce costs. Remembering countless complicated passwords is almost impossible, and juggling password managers takes time. SSO, loosely translated as "one-time login", offers a way out of this conflict. It is a session and user authentication service that makes it possible to access multiple applications with a single set of credentials, typically a user name and password.

How does SSO work?

Without SSO, authentication is carried out separately for each website or application. This requires the website to keep its own separate database of user credentials and maintain it accordingly. For companies that combine cloud applications and local networks, the sheer volume of user data represents a considerable administrative workload. The IT department must store and manage separate credentials for each account (e.g. employees, contractors or customers) for each individual website, program or application in their systems. This leads to security risks, high administration costs and inefficiency. SSO simplifies the login and authentication process. In concrete terms, an SSO login process works as follows:

  1. The employee opens the website or application of the service provider (SP) they wish to use.
  2. The service provider redirects the employee, together with an authentication request, to the identity provider (IdP) of the SSO system.
  3. The employee is asked to authenticate with the credentials the identity provider requires, such as user name and password.
  4. Once the identity provider has verified the credentials, it sends a signed confirmation (an assertion) back to the service provider. The employee is then granted access to the desired application.
  5. Other service providers the employee accesses afterwards confirm the existing authentication with the identity provider. They do not ask for a user name and password again.

How SSO boosts security and productivity

Every login to a service is a potential risk, because credentials are among the most popular targets for cyber criminals. SSO reduces the attack surface: employees log in once, for example once per day, and use only one set of credentials. Limiting logins to one set of credentials therefore increases a company's security. After all, if employees have to use a separate password for each application, they often fail to do so or choose passwords that are easy to remember. According to a recent study, 32 percent of all passwords relate directly to the company, such as the company name or a variation of it. Single sign-on reduces this cognitive load. It also reduces the risk of employees reusing or writing down passwords, which in turn reduces the risk of theft.

Minimizing security risks

In most cases, SSO is also technically more secure than a separate login with user name and password at each application, because the credentials themselves are far better protected: they are only ever presented to the identity provider. SSO rests on a trust relationship between the party that holds the identity information and authenticates logins, the identity provider (IdP), and the service or application to be accessed, the service provider (SP). Instead of the password being sent to each service, the identity provider sends a signed confirmation (often via an identity standard such as SAML) to the service provider, which verifies the signature, the intended recipient and the validity period before granting access.
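The exchange described in the five login steps above and in this paragraph, as an added illustration that is not code from the article and not a SAML library: the IdP authenticates the user once, issues a signed assertion per service provider, and each SP checks signature, issuer, audience, validity window and replay before granting access. The assertion format (JSON signed with HMAC-SHA256 over a key shared between IdP and SP), the entity IDs, the user and the keys are all constructed for the example; real SAML uses XML assertions signed with the IdP's private key and OIDC uses signed JWTs, but the checks an SP must perform are the same.

```python
"""Simplified SP-initiated SSO exchange (added illustration, not from the article, not a SAML library).

Assumptions: the assertion is a JSON object signed with HMAC-SHA256 using a key shared between the
IdP and each SP. Real SAML uses XML assertions signed with the IdP's private key, and OIDC uses signed
JWTs; the checks an SP must perform (signature, issuer, audience, validity window, replay) are the same.
"""
import hashlib
import hmac
import json
import secrets
import time


class IdentityProvider:
    def __init__(self, entity_id, users, sp_keys, clock=time.time):
        self.entity_id = entity_id
        self.users = users        # constructed {user: password}; a real IdP stores password hashes
        self.sp_keys = sp_keys    # {sp_entity_id: shared signing key}
        self.clock = clock
        self.sessions = {}        # IdP session id -> user

    def login(self, username, password):
        """Primary authentication happens once, at the IdP; returns an IdP session id or None."""
        if self.users.get(username) != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def issue_assertion(self, session_id, audience):
        """Any SP the user visits afterwards gets a signed assertion; the password is never re-entered."""
        user = self.sessions.get(session_id)
        if user is None or audience not in self.sp_keys:
            return None
        now = self.clock()
        body = {"id": secrets.token_hex(8), "issuer": self.entity_id, "subject": user,
                "audience": audience, "not_before": now - 30, "not_on_or_after": now + 300}
        raw = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.sp_keys[audience], raw.encode(), hashlib.sha256).hexdigest()
        return {"assertion": raw, "signature": sig}


class ServiceProvider:
    def __init__(self, entity_id, idp_entity_id, key, clock=time.time):
        self.entity_id = entity_id
        self.idp_entity_id = idp_entity_id
        self.key = key
        self.clock = clock
        self.seen_ids = set()     # assertion ids already consumed (replay protection)

    def consume(self, msg):
        """Check signature, issuer, audience, validity window and replay before granting access."""
        expected = hmac.new(self.key, msg["assertion"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["signature"]):
            return None, "bad signature"
        a = json.loads(msg["assertion"])
        if a["issuer"] != self.idp_entity_id:
            return None, "unknown issuer"
        if a["audience"] != self.entity_id:
            return None, "wrong audience"
        now = self.clock()
        if not (a["not_before"] <= now < a["not_on_or_after"]):
            return None, "outside validity window"
        if a["id"] in self.seen_ids:
            return None, "replayed assertion"
        self.seen_ids.add(a["id"])
        return a["subject"], "ok"


def demo():
    """Walk through the flow with constructed keys and users; returns the outcome of each step."""
    keys = {"https://mail.example": b"mail-shared-key", "https://crm.example": b"crm-shared-key"}
    idp = IdentityProvider("https://idp.example", {"alice": "correct horse"}, keys)
    mail = ServiceProvider("https://mail.example", "https://idp.example", keys["https://mail.example"])
    crm = ServiceProvider("https://crm.example", "https://idp.example", keys["https://crm.example"])

    wrong = idp.login("alice", "guess")                  # step 3 fails: no session
    sid = idp.login("alice", "correct horse")            # step 3 succeeds, once
    m1 = idp.issue_assertion(sid, "https://mail.example")
    first = mail.consume(m1)                             # step 4: mail grants access
    m2 = idp.issue_assertion(sid, "https://crm.example")
    second = crm.consume(m2)                             # step 5: crm, no password prompt
    replay = mail.consume(m1)                            # same assertion presented again
    misdirected = mail.consume(m2)                       # crm's assertion shown to mail
    forged = dict(m1, assertion=m1["assertion"].replace('"alice"', '"mallory"'))
    tampered = mail.consume(forged)                      # subject changed after signing
    return wrong, first, second, replay, misdirected, tampered


if __name__ == "__main__":
    print(demo())
```

Note that the password is checked only inside `IdentityProvider.login`; neither service provider ever sees it. Everything the SP trusts comes from the signature check plus the audience, time and replay checks; skipping any one of them is the classic source of SSO bugs.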

A common myth about SSO is that it weakens the security of IT systems. This belief rests on the idea that every connected account becomes accessible if the master password is stolen. That risk can be effectively contained. A proven strategy for adding a further layer of security is to combine SSO with multi-factor authentication (MFA). MFA requires an employee to present two or more proofs of identity when logging in: a one-time code from an authenticator app, a hardware security key, or, less robustly, a code sent to the smartphone by SMS.

Risk-based authentication (RBA) is another established control for protecting SSO. RBA lets IT teams evaluate the context of each login (device, location, IP address, time of day, recent failures) and detect irregular behaviour that indicates an unauthorized user or an attack. For example, after multiple failed logins or a login from an unexpected IP address, the system can demand MFA or block the account entirely.
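A small risk engine of the kind this paragraph describes, run over constructed login events, as an added illustration that is not code from the article or from any SSO product. The signals, their weights, the failure window and the three decision bands (allow, step up to MFA, block) are hypothetical policy choices; the JSON-lines log is constructed for the example.

```python
"""Risk-based authentication over constructed login events (added illustration, not from the article).

Hypothetical policy: each successful credential check is scored on context signals; the score decides
whether to allow, demand MFA, or block. Failed attempts only feed the per-user failure counter.
"""
import json
from collections import defaultdict, deque

# Constructed JSON-lines login log (ts in seconds; addresses and names are illustrative).
LOG_LINES = """
{"ts": 0,    "user": "alice", "ip": "10.0.0.5",     "outcome": "success"}
{"ts": 100,  "user": "alice", "ip": "10.0.0.5",     "outcome": "success"}
{"ts": 200,  "user": "alice", "ip": "203.0.113.9",  "outcome": "fail"}
{"ts": 230,  "user": "alice", "ip": "203.0.113.9",  "outcome": "fail"}
{"ts": 260,  "user": "alice", "ip": "203.0.113.9",  "outcome": "fail"}
{"ts": 290,  "user": "alice", "ip": "203.0.113.9",  "outcome": "success"}
{"ts": 300,  "user": "bob",   "ip": "198.51.100.7", "outcome": "success", "new_device": true}
{"ts": 2000, "user": "alice", "ip": "10.0.0.5",     "outcome": "success"}
""".strip().splitlines()


class RiskEngine:
    WEIGHTS = {"repeated failures": 3, "unknown ip": 2, "new device": 2}   # hypothetical weights

    def __init__(self, fail_window=600, fail_threshold=3, mfa_at=2, block_at=5):
        self.fail_window = fail_window        # seconds over which failures are counted
        self.fail_threshold = fail_threshold  # failures in the window that count as suspicious
        self.mfa_at = mfa_at
        self.block_at = block_at
        self.known_ips = defaultdict(set)     # user -> IPs seen on accepted logins
        self.failures = defaultdict(deque)    # user -> timestamps of recent failures

    def assess(self, ev):
        """Return (decision, reasons) for one event and update the per-user state."""
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        q = self.failures[user]
        while q and ts - q[0] > self.fail_window:   # forget failures outside the window
            q.popleft()
        if ev["outcome"] != "success":
            q.append(ts)
            return "recorded", []
        reasons = []
        if len(q) >= self.fail_threshold:
            reasons.append("repeated failures")
        if self.known_ips[user] and ip not in self.known_ips[user]:
            reasons.append("unknown ip")       # first login of a user seeds the set, no penalty
        if ev.get("new_device"):
            reasons.append("new device")
        score = sum(self.WEIGHTS[r] for r in reasons)
        decision = "block" if score >= self.block_at else "mfa" if score >= self.mfa_at else "allow"
        if decision != "block":
            self.known_ips[user].add(ip)       # in practice only after any MFA step-up succeeds
        return decision, reasons


def run(lines=LOG_LINES):
    """Feed the log through a fresh engine; returns one (decision, reasons) pair per line."""
    engine = RiskEngine()
    return [engine.assess(json.loads(line)) for line in lines]


if __name__ == "__main__":
    for line, (decision, reasons) in zip(LOG_LINES, run()):
        print(f"{decision:8s} {reasons}  <- {line.strip()}")
```

The sixth event is the interesting one: a correct password entered from a never-seen address right after three failures scores high enough to block, even though the credentials were valid. The last event shows the window expiring, so the same user from a known address is allowed again without friction.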

SSO prevents shadow IT

The term "shadow IT" is nothing new in cyber security. It refers to hardware, software or services that employees use for work without the knowledge or approval of the IT department. In the past, shadow IT was mainly a matter of unlicensed or unauthorized software installed on workplace machines. With the growing popularity of cloud services that anyone can sign up for, the potential risk is increasing. SSO helps here because IT administrators can see which applications employees actually use and bring them under central control. Fewer scattered, unmanaged accounts also means less scope for credential theft, a further plus in terms of security.

SSO reduces costs and increases convenience

Single sign-on also increases employee efficiency, as they spend less time logging in and managing passwords. Given that many employees switch between applications several times an hour, this time factor should not be ignored. According to Gartner estimates, password problems account for 40% of all helpdesk calls, and a Forrester study puts the cost of a password reset at up to 70 US dollars per ticket. SSO therefore also reduces support costs, since it cuts the number of passwords a user needs to one. In addition, SSO simplifies administrators' work, as they can manage user accounts and access rights centrally. Last but not least, it improves job satisfaction in general, as employees can work without interruption and reach the services they need more quickly. Easy access is particularly valuable for employees who work in the field or from multiple devices.

What types of SSO are available?

Various methods are used for single sign-on (SSO). The most commonly deployed method is currently SAML-based SSO. It is popular for several reasons:

  • Widely used: SAML has been on the market for many years and is supported by a large number of identity providers and service providers. Many companies have already invested in SAML infrastructure and use it successfully.
  • Security: SAML offers robust security mechanisms for the transfer of authentication and authorization data between identity providers and service providers. Digital signatures and encryption are used to ensure the integrity and confidentiality of the transmitted assertions.
  • Ease of use: SAML makes it possible to log in once to an identity provider and then access different service providers seamlessly without logging in again. This improves user-friendliness and reduces login effort.
  • Interoperability: SAML is an open standard supported by many organizations. Systems and applications from different vendors can therefore work together seamlessly, which makes collaboration more efficient.

Although SAML is the most widely used SSO method, newer protocols such as OpenID Connect (OIDC) are becoming increasingly important, especially in web applications and cloud scenarios. OIDC is an identity layer built on top of OAuth 2.0 and uses signed JSON tokens, which makes it a better fit for modern single-page applications, mobile apps and APIs.

Does SSO have disadvantages?

SSO also has inherent disadvantages. If the SSO system fails or is unavailable, users may lose access to all connected applications and services, which can cause disruption and lost productivity. The identity provider is also a high-value target: anyone who compromises it, or the administrator accounts behind it, gains a path into every connected application. Companies must therefore make sure that their SSO provider protects credentials appropriately, and should protect the IdP itself with MFA and tight administrative controls.

How is SSO implemented?

The implementation and maintenance of SSO is a complex task. It requires careful planning, seamless integration into existing systems and ensuring compatibility with different platforms and authentication protocols.

Conclusion Single Sign On

Authentication processes are a key part of a company's ecosystem. The larger the organization, the more authentication data it has to manage and store. The advantages of SSO in this context are significant: increased security, improved usability, and reduced cost and effort for password management. There are also disadvantages, such as a single point of failure and increased dependency on external services. A thorough assessment of your business needs will help you decide whether SSO is the right choice for your organization.