Biometric Security and SAP: Pluses, Pitfalls, and Best Practices

Oct 26, '18 by Joerg Schneider-Simon

Passwords are out, prints are in.

Biometric security features have been added to door locks, banking applications, smartphones and beyond. Instead of memorizing PINs, authenticating our identity is now as simple as looking into a camera or touching a sensor.

What are the implications for SAP cybersecurity, particularly in relation to SAP FIORI? Will biometrics make cybersecurity easier, or will it open up other avenues for cyberattack?

What Is Biometric Security?

Biometric technology uses an individual’s facial features, fingerprint, iris pattern, voice, or DNA (or any combination of these) for identity verification. These characteristics are compared to data already stored on a server, requiring a match for authentication.

Biometric Security: Advantages

Biometric security has some considerable advantages. Not only is it fast and easy to use, it reduces one of the biggest cybersecurity risks: poor security hygiene, such as weak or written-down passwords, misplaced keycards, and general carelessness. Indeed, biometric security uses our human features to eliminate human error. The rapid advances in biometric technology have allowed for a wide range of applications in the cybersecurity and SAP cybersecurity fields.

In 2016, Fujitsu launched an access control technology that uses the unique pattern of blood vessels in the user’s palm for authentication. As an SAP Global Partner, Fujitsu was able to integrate this technology with the login security for SAP ERP and HANA. Besides eliminating the risk of lost passwords, technology like this could mitigate the risk of successful phishing attacks. After all, cyberattackers can’t steal a password if their targets don’t use one.

This advantage could extend into the increasingly mobile workplace facilitated by SAP FIORI. Currently, if an employee is using traditional login credentials to access FIORI from their phone while sitting in a coffee shop, a nearby cybercriminal could covertly watch or video them, taking note of the login and password. This risk is eliminated if the employee signs in to FIORI using fingerprint authentication; the cybercriminal could be sitting on the employee’s lap, but still wouldn’t be able to steal their login credentials.

Biometric Security: Concerns

As beneficial as biometric security can be, it’s also not foolproof.

Biometric information is much harder to steal or mimic, but it can be done. Fingerprints can be stolen from discarded coffee cups or other items, and then molded onto a silicone finger. Researchers in China created a baseball cap that can throw off facial recognition software, granting false access to whoever is wearing it.

Another consideration is the data behind this technology. When someone uses a fingerprint scanner, for example, their fingerprint is being compared to the one already stored in the security system’s database. What if that database is breached?

Data theft is a continually growing problem that has affected some of the world’s largest companies. Imagine a data breach on the scale of the 2017 Equifax breach, except the target is a smartphone manufacturer and the data stolen is millions of fingerprints. If regular login credentials are stolen, that’s bad enough. But at least users can immediately change their passwords. If end users’ fingerprints are stolen and reproduced, the victims’ viable options are few.

The concerns about biometric security aren’t limited to what cybercriminals might do; there’s also concern about what the state might do. Facial recognition software combined with security cameras can improve security within an organization, but it’s also being used out in the public square. An example of this is the current mass surveillance taking place in China, where ubiquitous security cameras and facial recognition software are used to track the movements and actions of every single citizen as a means of social control, aimed at enforcing conformity.

SAP and Biometrics: Best Practices

Even with these cautionary examples in mind, implementing biometric security in your SAP environment is still worthy of consideration. With SAP being an increasingly popular target for cyberattacks, it is wise to look beyond the standard login credentials when guarding access to your SAP system.

So, how can you go about it the right way?

For starters, approach biometrics as an additional layer of security, not as a replacement for the security measures you already have. Two-step authentication using both biometrics and passwords will create a much more robust security process.
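The two-step check described above, sketched as an added Python example that is not part of the original article and is not SAP or Fujitsu code. The binary template format, the 0.25 matcher threshold, the PBKDF2 work factor and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000      # assumed work factor for the password hash
MAX_BIT_ERROR_RATE = 0.25    # assumed matcher threshold; real matchers tune this

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def bit_error_rate(enrolled: bytes, probe: bytes) -> float:
    """Fraction of differing bits between two equal-length binary templates."""
    if len(enrolled) != len(probe):
        raise ValueError("template length mismatch")
    differing = sum(bin(a ^ b).count("1") for a, b in zip(enrolled, probe))
    return differing / (8 * len(enrolled))

def enroll(password: str, template: bytes) -> dict:
    salt = os.urandom(16)
    # The password is kept only as a salted hash. The template must stay
    # comparable, because two scans of the same finger never match bit for bit.
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "template": template}

def authenticate(record: dict, password: str, probe: bytes) -> bool:
    # Evaluate both factors on every attempt and expose only the combined
    # result, so a caller cannot learn which factor was the one that failed.
    pw_ok = hmac.compare_digest(
        hash_password(password, record["salt"]), record["pw_hash"])
    bio_ok = bit_error_rate(record["template"], probe) <= MAX_BIT_ERROR_RATE
    return pw_ok and bio_ok

# Constructed sample data: an enrolled template, a slightly noisy rescan of
# the same template, and a probe from a different person.
SAMPLE_TEMPLATE = bytes(range(32))
NOISY_PROBE = bytes(b ^ 0x01 for b in SAMPLE_TEMPLATE[:8]) + SAMPLE_TEMPLATE[8:]
IMPOSTOR_PROBE = bytes(b ^ 0xFF for b in SAMPLE_TEMPLATE)

if __name__ == "__main__":
    record = enroll("correct horse battery", SAMPLE_TEMPLATE)
    print(authenticate(record, "correct horse battery", NOISY_PROBE))
    print(authenticate(record, "guessed password", NOISY_PROBE))
    print(authenticate(record, "correct horse battery", IMPOSTOR_PROBE))
```

Because the template has to remain comparable, the store that holds it depends on encryption at rest and tight access control rather than one-way hashing.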

Another issue that cannot be taken lightly is your data security. If your employees are trusting you with their biometric data, protect that data with every resource at your disposal. Build secure infrastructures, carefully control database access, and use robust security solutions (both at the OS level and specifically for SAP) to help keep this ultra-sensitive data from falling into the wrong hands.

As cyberattacks grow more sophisticated, so must our safeguards. Biometric security is a powerful weapon, but one that must be wielded with forethought and care, lest it be turned against those it aims to protect.
