It seems like biometrics are everywhere in Identity and Access Management (IAM): fingerprints, facial recognition, voice recognition, and more. But are biometrics really the cure for secure authentication? Like all technologies, this one has pros and cons. In this topic, we’ll examine the good, the bad, and the ugly side of biometrics for authentication.
There’s a reason biometrics are increasingly popular in identity management: they’re harder to fake. Authentication has evolved. It started with what you know, a username and password, for instance. But it’s easy to steal or trick people into giving up the information they know. So, authentication techniques moved to what you have: a cell phone in hand or a card key. This, combined with what you know, made users more secure.
But, biometric authentication might not be secure enough. Cyber criminals could still obtain or fake the devices users had. What you are, demonstrated through biometrics, is the next stage for authentication. And it’s true, it’s much harder to fake someone’s voice, fingerprint, iris, etc.
On top of that, biometric authentication is often easier for users: you carry you around everywhere. Putting a finger over a keypad or looking into an eye scanner isn’t tough to do. Some systems, such as facial recognition, can even authenticate without the user consciously making a gesture. Simply move into a room or sit in front of your computer and you’re authenticated via facial recognition, for instance. Best of all, users aren’t going to forget their fingers or eyes like they do passwords or physical keys. You won’t have all those password reset tickets piling up at your help desk with biometrics.
So, what’s the downside? First, while biometrics are generally more secure, they aren’t foolproof. For example, smartphone fingerprint scanners often rely on partial matches, and researchers have found that it’s possible to create “master prints” that match partials well enough to give access to a large number of user accounts.
Researchers have also demonstrated the ability to create fake fingerprints from high quality prints left behind. Others have found ways to use photos or 3D prints to trick iris scanners or facial recognition systems. Sometimes the issue is that the system can be hacked as much as that it too often fails to recognize a valid user: someone wearing different makeup or new glasses, the voice of a user who is sick or has just woken up.
So, it’s no surprise then that quality biometric solutions cost more. In fact, 67 percent of IT professionals cite cost as the biggest reason for not adopting biometric authentication. There are hidden costs, too, with 47% of those surveyed reporting a need to upgrade systems in order to support a shift to biometrics.
This is why many companies considering adoption of biometrics are focused on using it as only one component of multi-factor authentication (MFA). MFA can require a biometric factor and a non-biometric one. If one authentication factor is hacked, the user’s account is still secured by the other. And with tools like risk-based authentication, MFA can adapt to challenge users when the probability of cybercrime is high and reduce the barriers to entry when it’s low.
If you’ve been following developments in biometrics, you’re probably aware of the ethical concerns surrounding many forms of biometrics. One of them involves bias. Facial recognition systems may not recognize POC or non-CIS gender people as accurately. And learning systems for biometrics have too often been based primarily on white or white male photos, creating a clear bias that results in difficulty recognizing people in the broader population.
Additionally, there are fears about how biometric data could be used. Who has access to images used for facial recognition, fingerprints, or voice patterns? Is it acceptable for companies to sell or provide their biometric data to others, such as law enforcement, immigration enforcement, or repressive foreign governments?
For businesses, another ugly side of biometric data is the storage issue. Where biometric data is stored, it must be stored securely. Because if it’s hacked, there’s no going back—a person can’t change their fingerprint or their iris. That means losing your biometric data presents a permanent risk of hacking for the rest of your life.
Companies that choose to store employees’ or customers’ biometric data are taking on a big financial and ethical responsibility. This is one reason to consider on device storage: where the biometric data is stored on the device that authenticates the user, like the user’s smartphone or computer. This gives the user control over the data and it also restricts its location to a local device, reducing the likelihood of a cyber criminal gaining access to large sets of biometric data through a single breach.
While there are many sides to the biometric debate, one thing is for certain: the technology is here to stay. Despite the bad and the ugly side of biometrics, the good side is outweighing them, enough that companies are expected to continue adopting biometrics for authentication.
Passwords alone are not enough to protect your corporate data. Here are five reasons why.Read More
See how Multi-Factor Authentication (MFA) helps to prevent some of the most common and successful types of cyber attacks.Learn
Find out how SSO and MFA together are key to protecting your tech company’s corporate data and intellectual property.Download the Paper
Find out how security leaders are using artificial intelligence and machine learning to fight cyberattacks and risks, while using biometric data for context-aware authentication.Learn more