CIO

As Lenovo biometrics bug makes problems for CSOs, app-happy millennials want more

Despite security concerns, government, enterprises embracing biometrics-based authentication as sensors become ubiquitous

Consumer confidence in fingerprints and other identifiers may be high, but a high-severity vulnerability in Lenovo fingerprint scanners is a reminder that implementations of the technology must still be carefully examined even as it becomes ubiquitous and easier to implement. The inclusion of a hard-coded password in Lenovo’s Fingerprint Manager Pro – which allows users of Lenovo Windows 7, 8, and 8.1 PCs to log into their systems and favourite passwords with a fingerprint scan – meant that anybody knowing that password could log into any of 38 different models of ThinkPad, ThinkCentre and ThinkStation devices running the software.

Lenovo has released a patch and classified it as being of high severity. IT administrators using the affected models will of course be working to prioritise application of the patches, but their very presence will give pause to many IT managers who are juggling users’ desire for convenience with the very real need to secure enterprise computing devices.

The challenge is set to grow in coming years, with government bodies progressing with work drawing on the National Biometric Interoperability Framework and Capability Requirements. Private-sector companies are also pushing into biometrics, with a recent IDC forecast suggesting that nearly 55 percent of Australia’s 500 largest consumer-facing organisations will use biometric sensors to personalise experiences.

New forecasts from Deloitte’s Technology, Media and Telecommunications analysts suggest that by 2023, more than 75 percent of smartphone owners in developed countries will use some form of biometric authentication, up from around 29 percent this year; 80 percent of smartphones will have at least one biometric sensor, up from 42 percent this year.

Even as consumer companies like Apple work to transition the consumer market from fingerprint scanning to facial recognition – Deloitte believes forward-facing infrared cameras will become mainstream in coming years – biometrics leaders like NEC and Fujitsu have been working to make the technology more readily accessible and acceptable in large-scale environments.

The former company recently joined CrowdOptic for a biometrics-based smart-city monitoring solution, and the latter company this week brought its Biometrics-as-a-Service (BaaS) solution to Australia.

A Frost & Sullivan analysis of the biometrics and BaaS market predicts biometrics market revenues of $US6.15 billion ($A7.67b) by next year.

Strong vendor interest in biometrics is echoed in strong acceptance of biometric authentication amongst millennials, with IBM Security this week releasing the results of its 4000-participant Future of Identity Study, which found that 88 percent of Australian respondents would be interested in using biometrics in the future.

That figure represents a significant jump from the 21 percent of Australian respondents who said they have used, or are currently using, biometric authentication. Respondents ranked security as their main concern when using biometrics, and APAC respondents were the most knowledgeable and comfortable with the technology.

Respondents’ biggest concerns with biometric authentication, IBM’s figures suggested, were privacy – nominated by 55 percent of respondents – and security, named by half. Users were most likely to be concerned about security when using banking, investing, and budgeting apps but were slightly more concerned about convenience than security (36 percent vs 34 percent) when accessing social-media apps.

Despite users’ willingness to use biometrics, IBM Security ANZ CTO Chris Hockings warned that companies implementing the technology need to take a measured approach that treats authentication as a continuous process rather than a one-off event.

“In the wake of countless data breaches of highly sensitive personal data, there’s no longer any doubt that the very information we’ve used to prove our identities online in the past is now a shared secret in the hands of hackers,” Hockings said in a statement.

“As consumers are acknowledging the inadequacy of passwords and placing increased priority on security, the time is ripe to adopt more advanced methods that prove identity on multiple levels and can be adapted based on behaviour and risk.”