As Kacey Clark, threat researcher at Digital Shadows puts it: “Death in the digital era is complicated.”

Access denied by design

Sometimes, of course, it is entirely appropriate for digital access to die with the account holder.

“A system designed around biometric data scoped to a single user without the capability of administratively accessing that system without said user’s biometric data, has made a declaration that individual privacy is more important than continuity,” says Adam Mathis, director of information security at Red Canary. If no redundant option exists, Mathis says, it’s most likely by design rather than through omission, and means that, “You’re trading availability for more privacy.”

When it comes to enterprise data, however, most organizations will prioritize continuing access to that data over employee privacy.

Preparing biometrics for the great beyond 

It’s easy to stand on the sidelines and point out that proper enterprise governance should give administrators multiple ways to gain access to corporate data. This may be easier said than done.

“Ideally, the biometric and 2FA information should be part of an employee’s identity and should be managed by an enterprise identity governance system. This approach will ensure that any privileges assigned to an employee are known and managed,” says Arun Kothanath, chief security strategist at Clango.

There are still, though, specific situations in which the identity governance system will have to be carefully tailored to the environment.

Stephen Banda, senior manager, security solutions at Lookout, keeps his eye on the enterprise’s smaller devices. “When it comes to mobile devices, this is where preparation goes a long way. Employers that use mobile device management will need to have access to reset a passcode on corporate-owned devices and retrieve the information they need,” he says.

That access, though, can be more complicated when the organization doesn’t own the device. Specifically, he says, “For [bring-your-own-device (BYOD)] environments where the deceased employee used their own device for work, without enrolling in a corporate management program, businesses should be sure to manage corporate applications, and have administrative access to any cloud service accessed by these devices related to work.”

Ultimately, the questions behind two-factor authentication and access after an employee’s death can have repercussions that go beyond simple device management.

Mathis compares systems protected by biometric authentication that can be overridden through device management — such as those on MacBook computers — with systems that have components that cannot be overridden. He uses Slack as the example, with its encrypted private messages between users.

The difference, he says, means, “One of these systems (the Macbook) is appropriate for storing mission-critical business data and one (Slack) isn’t.”

Decommissioning the deceased

Stray user credentials can create a security risk. When employees pass away, removing their authentication credentials, even biometric form factors, is a security must.  

“This is a pretty common and well-understood issue known as decommissioning in the authentication space,” says Roger Grimes, data driven defense evangelist at KnowBe4. He explains, “Regardless of why someone separates from an organization, when they separate, there should be manual or automated processes which immediately disable the associated user account.”

The processes associated with decommissioning should be followed, Grimes says, whether or not there is critical enterprise data. Each account that is left “open” after an employee dies (or, in a less dramatic turn of events, leaves the company) represents a potential point of attack for a criminal.

“Unfortunately, decommissioning in general is probably the least followed part of the authentication lifecycle, and most organizations end up with a high percentage of inactive accounts,” Grimes says.

Digital Shadows’ Clark agrees. “At this time, even some major companies do not have established policies in place to coordinate the removal of accounts or account details,” she says.

Other experts also promote the critical importance of having policies and processes for decommissioning biometrics in place before the need arises.

“Like all binary authentication such as password, knowledge-based authentication, and vulnerable two-factor authentication factors such as SMS, biometrics can fall victim of account takeover,” says Fausto Oliveira, principal security architect at Acceptto. “Consequently, IT departments must apply the same rigor for the deletion of biometrics as clearing passwords when employees leave.”

Oliveira points out that a strong policy surrounding identity and how it is treated when an employee leaves a company for any reason makes for a situation that can be automated, resulting in a process that requires relatively little human intervention.

Without the policy and process, he says, “It leaves the organization in an uncertain state, without the ability to audit what is enforced in which systems, where there is no correct way to measure the risk associated with credentials that may have been left behind in the assets.”

Related content:

• Coronavirus, Data Privacy the New Online Social Contract
• Malicious Use of AI Poses a Real Cybersecurity Threat
• 7 Tips for Security Pros Patching in a Pandemic
• User-Friendly Cybersecurity: Is a Better UX the Key to a Better Defense?
• How Enterprises Are Attacking the Cybersecurity Problem – 2019
• State of Cybersecurity Incident Response

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Recommended Reading: