Do Enterprises Need Biometric Authentication or a Password Revolution?

In MediaPRO's third State of Privacy and Security Awareness Report, 75% of respondents were assessed as posing a moderate to severe risk to their enterprise's data and digital assets, and 85% of finance workers showed some lack of data security and privacy knowledge.

In a statement, Tom Pendergast, Chief Security and Privacy Strategist at MediaPro, said: “The overall results revealed a trend we weren’t happy to see, that employees performed worse across the board compared to the previous year.”

These findings point to widespread cybersecurity ignorance, but one of the key weaknesses employees represent is password insecurity. That is why biometric authentication has drawn the attention and anticipation of security experts the world over: if successful, it could close a major security vulnerability. But is it the only way?

Could a password revolution reduce the risk employees pose to their enterprises?         

What Would A Password Revolution Look Like?

By “password revolution,” we mean a complete and radical overhaul of how enterprises and employees create and manage passwords. It would, if implemented properly, represent a break from the password practices of the past.  

Firstly, it would require all employees, including privileged users, to create new passwords. Note the choice of words: it would not be a change of passwords. The new passwords would not resemble any password each user has created in the past, so incrementing an old one (Password1 to Password2) would not qualify.

This may seem like a big ask. The average user already has 130 accounts connected to a single email address, and stronger passwords are more complicated and more easily forgotten, which frustrates both users and the help desks tasked with resetting them. Yet it is essential to this vision of authentication.

In addition, a true password revolution would require the mass adoption of multifactor authentication, even on accounts that would not normally warrant such layers. According to a Google study, only 3.1% of users enable MFA when regaining control of their accounts after a breach. This needs to change if we are to have a truly secure digital marketplace. It may require far more single sign-on as well.

Why Should We Implement a Password Revolution?

The current state of password and identity security looks like this:

  • The 2018 Verizon Data Breach Investigations Report indicates that over 80% of enterprise data breaches involve stolen or weak credentials.
  • 73% of cyberattacks were perpetrated by outsiders.
  • 68% of breaches take months or longer to discover, giving attackers who hold valid passwords a long dwell time on enterprise networks.
  • Enterprise data breaches can cost well over $3 million.
  • Users are still overwhelmingly choosing weak passwords.
  • Credential stuffing and password guessing are among the most prevalent attacks on digital identities, according to Okta.
  • 59% of users secure their accounts with reused or easy-to-remember (read: easy to guess) passwords, according to LastPass.
  • Additionally, the repetition of passwords has resulted in a likely scenario of most employees' credentials

These facts about password security are beyond dispute, but do they make a password revolution strictly necessary? Couldn’t biometric authentication solve these problems far more easily?

Perhaps, but biometric authentication, like every identity and access management solution and process, is not a panacea. It works best in the proper context.

When thinking about biometric authentication, ask yourself these three questions:

  1. Are biometrics objectively more secure than passwords?
  2. Are passwords as unpopular as claimed by identity security experts?
  3. What causes passwords to become insecure?

Biometric Authentication: Truly More Secure?

Biometrics are, by and large, more secure than passwords in the proper context. However, establishing that context is not as straightforward as you may be led to believe. Almost all identity and access management scholars agree: biometrics by themselves can fall prey to the same perils as any other single-factor authentication method, passwords included.

Most say biometric authentication is far more effective as one factor in a multifactor authentication scheme, in which a password can be another factor. This raises the question of whether passwords are truly insecure or whether the real problem is single-factor authentication in general.

Additionally, while biometric data is much more difficult to steal or fabricate than passwords and other credentials, past experience cannot predict the future in cybersecurity; hackers may one day discover a way. And unlike a password, a fingerprint or face that does leak cannot be rotated, so a stolen biometric template is a permanent loss for that user.

Also worth considering: biometric authentication creates its own frustrations through its (admittedly diminishing) false acceptance and false rejection rates.

Are Passwords as Unpopular as We’ve Been Told?

It isn’t so clear. If biometrics were truly more convenient and more secure, shouldn’t users be queuing up to adopt them?

Granted, that question brushes up against questions of human nature and the familiar, but it is important and relevant. Only 27% of U.S. adults favor biometric authentication over passwords, according to a recent survey by Callsign. In the same survey, 51% of U.S. adults preferred passwords in the workplace, in part because passwords are perceived as easier to use.

This is only a snapshot of the present; these numbers are likely to change as biometrics become more common and sophisticated. But it speaks to an entrenched security culture that can be difficult to displace.

Perhaps it would be better to lean into it?

Why Do Passwords Become Insecure?

In part, it is because users insist on passwords like “password 1234.” These are so easy to guess that they provide practically no security at all.

More often, it is because of password reuse combined with the frequency of breaches that expose those reused passwords. A password revolution would cut out both issues.
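As an added example (not code from the original article), here is how the two rules this section and the earlier "What Would A Password Revolution Look Like?" section describe can be enforced at change time: a new password must not be a trivial variation of the current one, must not be a password the user has used before, and must not be one that already appears in breach dumps. The breach denylist, the per-user salt and the sample passwords are constructed for illustration; a real deployment would use a full breach corpus and a dedicated password hash such as Argon2 or bcrypt.

```python
"""Change-time password policy check (added example, not from the original article).

Rejects a proposed password when it is too short, appears in a breach denylist
(directly or after stripping the usual "add a digit, swap an @ for an a" tricks),
is too similar to the user's current password, or exactly matches any password
in the user's stored history.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

MIN_LENGTH = 12
SIMILARITY_LIMIT = 0.6  # normalized similarity at or above this is rejected

# Constructed denylist standing in for a real breach corpus (hypothetical sample).
BREACHED_PASSWORDS = {"password", "password1234", "123456", "qwerty", "letmein", "welcome1"}

# Common leetspeak substitutions, undone before comparison.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
EDGE_NOISE = "0123456789!@#$%^&*()_-+=.,"


def normalize(pw: str) -> str:
    """Canonical form for similarity checks: lowercase, trailing/leading digits
    and punctuation removed, leetspeak undone. 'P@ssw0rd1!' -> 'password'."""
    core = pw.lower().strip(EDGE_NOISE) or pw.lower()  # all-digit passwords keep their digits
    return core.translate(LEET_MAP)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, 0.0 for completely unrelated ones."""
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


@dataclass
class PasswordHistory:
    """Previously used passwords, stored only as salted hashes so that the
    history itself is not a plaintext credential store. Only exact reuse can be
    detected against hashes; similarity is checked against the current password,
    which the user supplies in plaintext at change time."""
    salt: bytes  # per-user random salt in a real system; constructed in the example
    hashes: set = field(default_factory=set)

    def digest(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), self.salt, 20_000)

    def add(self, pw: str) -> None:
        self.hashes.add(self.digest(pw))

    def contains(self, pw: str) -> bool:
        d = self.digest(pw)
        return any(hmac.compare_digest(d, h) for h in self.hashes)


def check_new_password(new: str, current: str, history: PasswordHistory) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"too short: {len(new)} < {MIN_LENGTH}")
    if new.lower() in BREACHED_PASSWORDS or normalize(new) in BREACHED_PASSWORDS:
        reasons.append("breached: appears in a known breach dump, directly or after trivial variation")
    sim = similarity(normalize(new), normalize(current))
    if sim >= SIMILARITY_LIMIT:
        reasons.append(f"too similar: {sim:.2f} similarity to the current password")
    if history.contains(new):
        reasons.append("reused: matches a previously used password")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the user's current password and one older password.
    hist = PasswordHistory(salt=b"constructed-per-user-salt")
    hist.add("AutumnLeaves2019!")
    for candidate in ("Password1235", "AutumnLeaves2019!", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate, "Password1234", hist) or "accepted")
```

The normalization step is what turns "not similar to any previous password" into something enforceable: "Password1235" and "P@ssw0rd!" both collapse to "password", so the increment-a-digit habit that survives most rotation policies is caught. Because older passwords are held only as hashes, exact reuse is the most that can be checked against them; that limitation is why the similarity rule is applied to the current password, which is the only old secret available in plaintext during a change.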

Is a Password Revolution What Enterprises Need?

Maybe? It is hard to say. Obviously, a widespread identity security reform movement is necessary to ensure safety in the digital marketplace. But how can it be spearheaded? How can we convince enough enterprises to engage in what might be a lengthy and costly endeavor for something as abstract as identity management? And how do we get employees to absorb the importance of identity security best practices?

Here is what we can say: biometric authentication technology is growing and evolving. However, unless we reform and transform the way we handle passwords, we will continue to run into the same credential issues we face now.

A password revolution doesn’t just mean stronger passwords. It means taking cybersecurity seriously in a way we haven’t yet…and that we must.       

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.