As Identity Management and Privileged Identity Management march inevitably into the future, the password—once the end all and be all of authentication—seems to be rusting away before our eyes. Indeed, traditional passwords look like a far uglier and less secure solution when compared to their newer, more elegant, and possibly more secure challenger: biometrics. According to a study by Visa, 70% of American respondents find biometrics more convenient than passwords; a separate study by Keeper Security found that 66% of respondents consider biometrics a secure and convenient authentication tool. IBM Security’s most recent global survey indicates that biometrics’ popularity are contributing to a global revolution.
So it seems like the logical conclusion for enterprises to start considering a transition to biometric authentication for their employees and privileged users. However, as with any cybersecurity solution, you should not select and deploy biometrics thoughtlessly or as a quick-fix to an immediate problem. Such a patchwork approach to cybersecurity often results in neglected problems and integration issues that could make life harder for your cybersecurity team—and malicious activity going undetected until it is far too late.
Before you select and deployment a biometric authentication across your enterprise, ask yourself and your potential biometric solution providers these 4 questions:
1. Who has access to the biometric data? How is it stored?
Biometrics are considered more secure than passwords by a growing plurality, but the input data of each user’s fingerprint, voice, and facial features must still be stored somewhere for the software to recognize it. And where there is storage there is the potential for storage issues; improper or unsecured databases can leave your employee’s or customer’s authentication data in jeopardy. For a small insight into the panic this can elicit, look no further than the recent expose on Aadhaar, the Indian government’s civilian biometric database, revealing potential security flaws.
The core of this concern is a simple yet often-overlooked principle: biometric authentication data can’t be changed the way a password can. A fingerprint remains the same fingerprint, regardless of who has that information. So if the fingerprint data is stolen, all the accounts associated with that fingerprint will be compromised—potentially permanently.
Therefore, before selecting a biometrics solution, you must first inquire as to how you enterprise’s authentication data be stored. Will it be on a separate server or network? How will it connect to other servers, networks, and databases? And who will have access to that database? Furthermore, it is important to inquire about how the biometric data will be verified. What is the vendors’ rate of false positives? And what are the mechanisms for recognizing a potential false positive?
These aren’t idle questions; according to the IBM study, 55% of respondents were concerned with their privacy a la the collection and use of biometric data. 50% were worried about false positives. So investigating the storage of your biometric data will not just save your enterprise possible heartache—here manifested as massive legal fines in remunerations and consultations—later on. It will also help you maintain your employees’ and customers’ trust in your enterprise security policies.
2. How will I balance security and convenience in my biometric authentication policies?
The IBM Security survey does suggest that security is actually more important to consumers and employees than convenience in their authentication, bucking conventional wisdom on the subject. But even if convenience is not the end-all-and-be-all it has been purported to be, it remains an important factor in whatever solution you select. Employees and customers may push back against inconvenient security initiatives, leaving you vulnerable.
In that regard, biometric authentication is certainly considered more convenient and more secure than passwords. However, cybersecurity best practices suggest that biometrics are best as a component, rather than the total, of a layered security policy, such as two-factor and multi-factor. This ensures that hackers will need at least two disparate pieces of information to gain access to your enterprise’s data, which will deter many and frustrate others in their malicious efforts; it even comes with the added bonus of limiting the number of false positive authentications.
So when selecting a biometric authentication solution, see how they support multi-factor authentication and consider how your employees will respond to your new biometric security policies. Additionally, you might want to consider your current business processes and infrastructure, and how you can integrate biometrics into them for easy adoption across your enterprise.
3. What kinds of data, applications, and privileges am I looking to secure with biometrics?
While all of your enterprise’s data is important, not all data is created equal. Some data—personal identifying information of your employees, corporate and customer financial data, etc.—require an extra layer of security. The same goes for certain enterprise applications and privileges; some will need the maximum amount of security and others may not need as much authentication.
Therefore, as you select a solution, consider where you need a biometric authentication process most. Do you need your entire enterprise and every database secured in such a way? Or will only a few processes and applications need such scrutiny?
4. How will your biometrics be deployed across your endpoints and enterprise?
Let’s say that you want to incorporate fingerprint biometrics into you security policies. The question becomes how you will actually have employees scan their fingerprints. Many modern laptops have fingerprint scanners built into them, and many mobile devices have such technology standard in their design. But will those devices work with your selected solution? Will you then need to update every endpoint in your enterprise to have the latest models of mobile device and endpoint? Or will you buy a specialized fingerprint scanner for each device? This is as much a budgetary consideration as it is one of coordination.
On the flip side, if you want a different form of biometric authentication such as facial recognition or iris recognition, you’ll need specialized equipment or programs for that as well. Deployment is a long process, which requires taking into account your physical location, the tasks you wish to protect, the expected number of end users, the storage of existing data, and the strengths and weaknesses of each authentication factor.
Biometrics can be a boon to your enterprise, but you must be ready to take on the responsibility of choosing the right solution. Never rush in cybersecurity; that’s a fast way to a security vulnerability.