By Mohammed Murad
Multi-factor authentication (MFA) has become a popular tool for organizations to authenticate the identity of employees and vendors using the corporate network. These MFA efforts often include the use of tokens and multi-digit codes sent to smartphones in an effort to reduce successful cyberattacks.
However, a recent FBI report says criminals have found ways to defeat these smartphone-based MFA methods. The department’s recommendation – add biometrics to the mix.
Biometric technologies measure and record unique physical and/or behavioral characteristics that can be used to digitally identify a person before granting access to devices such as a computer workstation. The most commonly used biometrics for personal identification are fingerprint, facial and iris recognition.
According to the FBI Cyber Division’s Private Industry Notification, criminals have successfully used social engineering attacks aimed at employees to defeat MFA. One of the more common attacks is known as SIM-swapping, which involves enticing employees to click on rogue links found on fake websites or in emails and text messages. Once clicked, these links download and install malware on the user’s smartphone, enabling hackers to port the victim’s phone number to another SIM card that then receives tokens or other smartphone-based MFA tools.
The FBI urged organizations to help employees and administrators recognize fake websites and to not click on unknown or suspicious links. The report concluded that organizations should “consider using additional or more complex forms of multi-factor authentication for users and administrators such as biometrics or behavioral authentication methods though this may add inconvenience to these users.”
Iris ID has developed an end-to-end authentication process that uses access control cards and iris recognition readers to provide a strong and accurate MFA process. Entering a facility requires both a card and a scan of the user’s iris. No two people – even identical twins – share the same iris patterns. Iris authentication is virtually impossible to spoof, making it ideal for organizations requiring physical and logical security. So, even with a hacked token, a cybercriminal won’t be able to access the network.
Organizations concerned with cyber security should follow the FBI’s recommendation and begin including biometrics in their MFA efforts. Iris-based authentication technology from Iris ID has been known to help reverse the rise in successful cyberattacks.
For more information about our solutions for physical and logical security and time and attendance solutions, visit the Iris ID website.
(Mohammed Murad is vice president, global sales and business development for Iris ID.)