Are Biometrics IAM’s Future?

biometrics identity management's future?

Once just another part of the Identity Management Solution arsenal, biometrics is evolving, taking flight both in cybersecurity and in the public imagination. Visa’s recent survey confirmed that a majority of Americans see biometrics as a more secure and convenient authentication method than traditional passwords. On the other side of the coin, traditional passwords are almost universally reviled for being difficult to remember and yet easy to hack. The public appears eager for change in identity access management; market intelligence research indicates that biometrics will be used in 100% of cell phones by 2020.

But how are innovations in biometrics progressing? Are biometrics as secure as we’ve been led to believe? How long before they become truly ubiquitous as a security solution?

Fingerprints: Biometrics’ Current Benchmark

Biometrics are not a new concept by any stretch. Visa’s and Keeper Security surveys confirm that the majority of Americans are familiar with and approve of fingerprint sensors. Indeed, fingerprints are the current standard in biometrics, most commonly seen in cellphone-unlocking technology. First made mainstream in 2013, fingerprints as authentication have the benefit of convenience. They are quick both in comparison to other biometric factors and other authentication methods, easy to use and remember compared to passwords, and difficult to replicate by hackers—fake fingerprints are possible but quite rare.

Fingerprints do have a significant downside though—a substantial false reject rate. False rejects occurs when the biometric authenticator should confirm a user’s identity but cannot. Dirt, sweat, water, and almost any other substance can disrupt fingerprint scanners, rendering them incapable of issuing authorization. Additionally, similarities between fingerprints means that an average of 1 in 50,000 unauthorized users might be able to receive a false acceptance by a fingerprint sensor.  

Facial Recognition: The Rising Star?

Facial recognition had a rocky start when it first stepped onto the biometrics and cybersecurity stage; the early camera-imagery-reliant technology could be fooled by a photograph, and its sub-branch iris recognition could be hacked by an admittedly elaborate combination of  nightshot camera images and contact lens.   

Yet according to industry experts facial recognition is poised to supplant fingerprint sensors in the next 5 years. Apple in particular has focused on improving the technology, using specialized infrared cameras and grid projections to register the user’s more securely. The latest developments feature machine learning capabilities so they can register the correct face even faster the more times the face is used as authentication. Some of the more advanced innovations have supposedly even cracked facial recognition in the dark, once an insurmountable challenge for scanners.

However, while facial recognition in its current form has proven harder to crack, it is not impossible. Similar looking people such as twins or items such as 3D masks can fool the device. Additionally, as the technology improves to prevent false acceptances, it concurrently escalates the false reject rate. In other words, the harder it is for a hacker to use their face to break into your phone, the harder it will be for you to use your phone.

This rise of inconvenience could result in more people refusing to engage with the technology; more people will choose ease over security, according to recent surveys. Additionally, facial recognition does require users to look into their phones, which is not always possible and puts it behind fingerprints in versatility. Even still, experts believe that only 1 in one million people could hack into a phone with facial recognition.

Voice Recognition: The Dark Horse?

Voice recognition tries to balance the convenience of fingerprints and the security of facial recognition. With the rise of microphones in mobile devices, mobile devices are certainly capable of authenticating without asking users to inconveniently look at or touch their device. Voices are also difficult to truly replicate fraudulently. However, voice recognition has proven tougher to implement effectively due to environmental conditions, including distance and background noise, disrupting authentication in much the same way that water can disrupt fingerprint sensors. Currently, voice recognition is poised to serve as a backup authentication method to a more reliable biometrics tools.

Underlying Issues Continue?

One significant issue that faces even the most secure of biometric authentication methods is the collection and use of that data. U.S companies and government agencies are allowed to sell personal identifying information, which can include biometric identifiers, to third parties without users’ knowledge. Self-regulation by those industries has proven ineffective at preventing these sales. And as the Equifax and Alteryx leaks show, third-parties may not be the most responsible at securing such valuable data. Without some regulation, customers may feel reluctant to share such private information with an unknown number of unscrupulous marketers.

It ties into concerns from Keeper Security about the over-estimation of biometrics security capabilities. According to Darren Guccione, CEO and Co-founder of Keeper Security, “If the biometric is stolen, it can never be changed.” Even Apple, the most visible innovator in the field, is continuing to require two-factor authentication in order to more fully secure users’ devices, further indicating that biometrics may not be the end and be all of identification.

Other sources can be found here.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner