As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Kimberly Biddings of BIO-Key tiptoes carefully between convenience and security, and swings into the future of biometrics.
More personal and professional data is being harnessed to provide streamlined online experiences for consumers and companies. Every day you subscribe, opt-in, and give your permission to companies looking to collect and leverage data through cutting-edge AI and machine learning programs to provide an unprecedented online experience. Personalized recommendations, single-click purchasing, and same-day delivery are all data-driven services providing convenience as we have never seen before.
With all of this data being collected, the need to protect it has never been more vital, with data breaches up 68 percent in 2021. At the same time there is an ongoing debate about where the line between security and convenience belongs. Companies want to institute stricter data protections, but as an employee you expect the same convenience when logging in at work as you get in your everyday life, and you will often draw your personal "line" much closer to the convenience side of the equation. The future of identity and access management (IAM) will need to strike a balance between the seamless experience you are looking for and the security required to combat the rising threat of cyber-attacks.
Passwords Need to Go
Passwords are everywhere. Estimates put the number of passwords the average computer user enters at somewhere between 8 and 23 per day. Despite their ubiquity, they are not particularly effective at maintaining security: commonly cited industry figures attribute over 80 percent of hacking-related breaches to stolen or weak credentials. Phishing, password fatigue (which drives reuse), and easy-to-guess passwords all contribute to those compromises. Out of necessity, organizations are looking for new identity and access management solutions to secure their operations.
The move away from passwords has begun. A 2021 Forrester survey found that 67 percent of respondents planned to shift employees to a passwordless authentication method within a year. But while corporate leaders aim to give employees a convenient login experience, convenience cannot completely displace the requirement for stronger security. Ultimately, the security that works best is the security that actually gets used.
The Next Generation of Options
The data tells us there is a need to move away from password-based authentication, but adopting a replacement organization-wide takes time. Security professionals must be clear about what it means to go passwordless and what type of system they are transitioning to; "passwordless" by itself says nothing about how strongly the new factor is bound to the person using it. Selecting the right methods to replace the password is essential for both security and ease of use. A good passwordless system is more convenient for the user, reduces overhead for IT, and grants access only to the authorized person.
The primary way organizations are ditching passwords is to authenticate people based on something they possess. This usually means a hardware token or the user's smartphone, often with device-native biometrics such as Apple Touch ID or Face ID unlocking it. These avoid having to remember a password but do not always deliver the convenience, or the level of security, that is expected. A hardware token, like any "what you have" method, is an additional object the user must carry, and it can be lost, stolen, or forgotten. On the security side, a token is stronger than a password, but what it proves is that the token is present. Unless the token itself demands a PIN or an on-token fingerprint before it will answer, it can simply be handed to a colleague, which happens routinely around shared workstations; even with that local check, the organization learns only that someone able to unlock the token was present. The overhead of creating, distributing, replacing, and tracking tokens also places a significant burden on IT.
While it seems everyone has a smartphone these days, there are many cases where a phone-based method is impractical. There are often groups of users who refuse to use their personal device for authentication, or who lack the cellular coverage to receive methods such as an SMS one-time password (OTP); SMS OTPs also remain exposed to phishing relays and SIM-swap attacks, so they are a weak replacement for a password in any case. Phone-based methods cost less than hardware tokens, but a growing number of regulations require the organization to pay a phone stipend for any personal device used for corporate purposes, driving those costs higher than before. Finally, phones are often not usable at all in industrial settings, labs, contact centers, and financial institutions where safety or security rules keep them out. Beyond the convenience issue with these methods is their security. Any authentication method that verifies a device or token does exactly that: it authenticates the device, not the person, and so it does not prove that the right person is gaining access. A point most organizations miss is that a passwordless approach is possible without phones or tokens.
The Future is Identity-Bound Biometrics
Biometrics use something unique to each of us to verify identity without a password to remember or a device to possess. With centrally enrolled biometrics, methods such as Identity-Bound Biometrics (IBB) match the biometric the user presents against an enrolled template stored centrally, which acts as the lock and key for authentication. The important piece is that the biometric data is held by the organization rather than on a device. Device-native methods present the same issue as possession-based methods: all the organization learns is that a device with a biometric lock was unlocked, not who enrolled on that device, so it is authenticating the device rather than the actual person.
Because the templates are held centrally, IBB lets the IT department authorize or revoke a person's access across every device and workstation in one place. On the user's end there is no password to remember and no token to carry, and the level of security is higher than most other methods. By encrypting the enrolled biometric data and binding it to a single centralized identity, IBB lets people use themselves as the authentication factor while sharply reducing the risk that a breach exposes their biometric measurements or that their access is shared with someone else. That central store does demand care: a biometric, unlike a password, cannot be reissued if it leaks, so the templates must be encrypted at rest with the keys held apart from the records, and the matching threshold must be chosen with the trade-off between false accepts and false rejects in mind. A user simply scans a fingerprint or palm at the reader and is logged into the desktop or application. No tokens, no device to carry, no password: just a person being authenticated as themselves. The best way to be truly passwordless without a user-carried device or token is a centralized biometric approach.
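The enroll, verify and revoke cycle described above, as an added example. This is illustrative code written for this page, not BIO-Key's software or a description of how its product works internally. It assumes a biometric sample has already been reduced to a fixed-length bit string (as iris codes are) in which two scans of the same person differ in a small fraction of bits while scans of different people differ in roughly half; the 32 percent threshold, the HMAC-based stream cipher standing in for a real AEAD such as AES-GCM, and the sample data are all assumptions. It makes two practitioner points concrete: matching is a probabilistic threshold decision, not an exact comparison, and the central template store holds data that cannot be reissued, so records are encrypted and integrity-checked under a key kept apart from them.

```python
"""Toy model of a centrally enrolled biometric directory (added example, not BIO-Key code).

Assumptions: samples are 256-bit codes; same-person rescans differ in a few percent of bits;
the keyed stream cipher below is a stand-in for a vetted AEAD and must not be used in production.
"""
import hashlib
import hmac
import random
import secrets

CODE_BYTES = 32        # assumed template size: 256 bits
MATCH_THRESHOLD = 0.32 # assumed operating point: accept if <= 32% of bits differ
NONCE_BYTES = 16
TAG_BYTES = 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a toy stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag, with separate enc and mac subkeys."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(key, blob):
    """Verify the tag in constant time before decrypting; a tampered record is rejected."""
    nonce, ciphertext, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    mac_key = hashlib.sha256(b"mac" + key).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("template record failed integrity check")
    enc_key = hashlib.sha256(b"enc" + key).digest()
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def hamming_fraction(a, b):
    """Fraction of differing bits between two equal-length codes (the match score)."""
    if len(a) != len(b):
        raise ValueError("codes must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))


def noisy_copy(sample, flip_fraction, rng):
    """Simulate a fresh scan of the same person by flipping a fraction of bits."""
    bits = bytearray(sample)
    for pos in rng.sample(range(8 * len(sample)), int(flip_fraction * 8 * len(sample))):
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)


class CentralBiometricDirectory:
    """Server-side template store: the identity is bound here, not to any user device."""

    def __init__(self, server_key):
        self._key = server_key   # in practice held in an HSM/KMS, never beside the records
        self._records = {}       # user -> protected template
        self._revoked = set()

    def enroll(self, user, sample):
        self._records[user] = protect(self._key, sample)
        self._revoked.discard(user)

    def revoke(self, user):
        """One central action cuts off every workstation the user could log in from."""
        self._revoked.add(user)

    def stored_record(self, user):
        return self._records[user]

    def verify(self, user, sample):
        if user not in self._records or user in self._revoked:
            return False
        template = unprotect(self._key, self._records[user])
        return hamming_fraction(template, sample) <= MATCH_THRESHOLD


def demo():
    rng = random.Random(2024)  # constructed, deterministic sample codes
    alice = bytes(rng.getrandbits(8) for _ in range(CODE_BYTES))
    mallory = bytes(rng.getrandbits(8) for _ in range(CODE_BYTES))
    directory = CentralBiometricDirectory(secrets.token_bytes(32))
    directory.enroll("alice", alice)
    results = {
        "same_person_rescan": directory.verify("alice", noisy_copy(alice, 0.10, rng)),
        "different_person": directory.verify("alice", mallory),
        "record_is_not_raw_template": alice not in directory.stored_record("alice"),
    }
    directory.revoke("alice")
    results["after_revoke"] = directory.verify("alice", noisy_copy(alice, 0.10, rng))
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block shows the same person's noisy rescan accepted, a different person's code rejected, the stored record containing no copy of the raw template, and the rescan rejected again once access is revoked centrally. Lowering MATCH_THRESHOLD reduces false accepts at the cost of more false rejects for genuine users; a real deployment sets it from measured error rates of the actual sensor and feature extractor.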
As we create new ways to personalize and streamline online services, we need authentication methods that do not discourage users from engaging with the basic necessities of security. We have all grown accustomed to passwords ruling everything around us, but they have come up short as a secure, convenient way to protect data. The future will need flexible, easy authentication methods that cannot be forgotten or lost, maintaining the convenience we are used to while safeguarding organizations against attacks. The move towards a passwordless world is happening, and it is possible without extra devices or tokens. The most reliable way to get streamlined security in the new normal is to rely on an authentication factor the user cannot forget, lose, or hand to someone else: Identity-Bound Biometrics, and the capacity to identify ourselves with methods that truly verify who we are.