The Current State of Biometric Authentication in IAM

Time and time again at Solutions Review, we’ve written about the innovation in identity and access management authentication technology that has spawned more imaginative speculation and optimism than any other: biometric authentication.

The reasons for this content coverage are numerous. Plenty of reports from top identity and access management solution providers have uncovered the deep disdain consumers and employees share for passwords and single-factor authentication protocols in general. Passwords are easily cracked or guess at by hackers. Users often reuse passwords across disparate login portals and enterprises lest they forget their credentials. Given how many credentials the average user is expected to remember—easily over 100 in most studies—their fears may be more than justified.

Access management issues like this aren’t just confined to users. Reused passwords exponentially increase the chances of stolen or guessed credentials being used to infiltrate your enterprise’s network. Forgotten passwords and credentials are the banes of help desk IT workers in enterprises large and small, consuming valuable time and resources that could be devoted to other projects. The hate surrounding passwords also means that employees will often develop workarounds to subvert logins or even write their passwords down—a serious faux pas—both of which could compromise your network’s security.  

Biometric authentication alleviates fears of forgotten credentials by literally mapping authentication to (theoretically) permanent physiological attributes like fingerprints or voices. These are impossible to forget or lose. They alleviate the burden on help desks’ schedules. As for the user experience, biometric authentication is growing in popularity throughout the world as it proves to be faster and more convenient than passwords.

There’s little wonder, then, that identity and access management solution providers are wholeheartedly embracing biometric authentication either as an outright replacement for password-centered single-factor authentication or as a key component of a two-factor or multifactor authentication protocol. Yet biometric authentication is still on the periphery of the identity and access management world. How is this innovation adapting to the fast pace of everyday cybersecurity? What is the current state of biometric authentication in IAM technology?

Here’s what we found:

New Ways to Fool Biometric Authentication Emerge

At the time of writing, there hasn’t yet been a major data breach or enterprise network hack resulting from falsified biometric authentication factors. Unfortunately, the keyword in that sentence may be “yet.”

One of the most common and most challenging concerns surrounding biometric authentication is that the permanence of factors that makes it appealing can prove a drawback. Biometric factors like fingerprints can’t be changed in the event of theft or data leaks as passwords can. This, in turn, means that if this personal data falls into the hands of digital threat actors, entire authentication systems may be compromised beyond repair.

Compounding the issue, there are reports that security testers have discovered ways to create copies of users’ biometric data good enough to fool authentication systems. Other reports tell of hackers developing the means to fool facial scanners by stealing “selfies” from social media platforms.

What this indicates is that IAM solution providers need to ensure that whatever biometric data they use in their authentication protocols is stored securely and monitored constantly. Additionally, enterprises should carefully consider what biometric factors they use in their authentication protocols and thus evaluate what information is available to hackers looking to subvert their cybersecurity platforms.

Biometric Authentication as Reassurance

According to a recent study from technology research giant Gartner, only 41% of US workers believed that CIOs were on top of their everyday technology problems. That same percentage were the only employees satisfied with their work devices.

This is a problem because it can provoke employees to use workarounds, both in terms of unapproved devices and in terms of unapproved software, which can undermine cybersecurity platforms. In the same Gartner study, they found that 26% of employees between the ages of 18 and 24 used unapproved applications to collaborate with their peers.

Further, employees and customers alike are becoming increasingly skittish about their digital privacy.  Their anxieties are provoked by the frequent headlines of data breaches and by the innate and accurate understanding of the inherent security risk of passwords.

Deploying biometric authentication can help alleviate these anxieties by removing the password from their place of prominence in authentication protocols while simultaneously displaying that your technology team is listening to the concerns of your employees and consumers. The convenience of these solutions may matter more to them than the security, but it will also give them the peace of mind only good security can provide.   

Biometric Data and GDPR

Of course, biometric data is one of the personal identifying data sets protected under the European Union’s GDPR. Your solution provider should already be in compliance with GDPR if they interact with European Union citizens and collect their data. It remains to be seen how GDPR affects biometric authentication via storage and the right to be forgotten, but it may complicate customer-facing enterprises plans.