Do Enterprises Need Passwords or Biometric Authentication Factors?

biometric authentication factors

Plenty of security experts have proclaimed the death of the password in the wake of biometric authentication. Indeed, we here at Solutions Review are just as guilty of this anyone else; we asked if traditional, single-factor authentication was dead in early March of this year.

Yet passwords don’t seem to have all been impacted by what has been proclaimed by some experts the biometric authentication revolution. The vast majority of enterprises continue to rely on passwords and single-factor authentication for their identity security. Biometric authentication is starting to gain presence and acceptance among users, but not at the speed many experts expected.

The lingering question, therefore, becomes…why? Why are passwords still clinging to life when superior identity security exists in biometric authentication factors?

The Case Against Passwords, Reiterated

Passwords’ reputations precede them, at least in security circles. Those reputations, by and large, aren’t sterling. Passwords have long suffered from being easy to guess or crack with basic tools or even common sense. Many users repeatedly use the same passwords over and over again, rendering them increasingly vulnerable to being stolen in the era of frequent data breaches. On the other side of the coin users often forget their passwords, adding stress to help desks and often falling back to repeated passwords anyway.   

Additionally, plenty of users still use embarrassingly weak passwords (including “password1”) rendering their employee accounts vulnerable to both malicious guessing and credential stuffing. Relying on passwords as the only authentication factor basically guarantees a hacker with steal someone’s digital identity and slip into the network.

By contrast, biometric authentication cannot be guessed or fall victim to the issues facing passwords. Biometric authentication factors cannot be forgotten since they are by their nature always on a user’s person. They cannot be stolen (at least no digitized biometric information has ever been stolen). Each is distinctly individual. In other words, it’s an outright stronger authentication strategy than password-based processes in terms of identity security.

Yet at the same time, passwords have strengths biometric authentication factors don’t. At least, not yet…

The Case for Passwords

For identity security expects, the most worrying aspect of biometric authentication is the inability to update them. Passwords can always be changed in case of an accident or a loss, usually within a few minutes. Biometric authentication factors like a fingerprint can’t be. If a hacker does somehow obtain stolen digitized biometric data, your enterprise might need a completely new authentication process.

Additionally, biometric authentication is reliant on the hardware necessary to read and process the factors. With bring-your-own-device culture gaining steam, and with so many mobile devices containing a biometric reader, this may not seem like a problem.

However, passwords can be used to log in from anywhere, on any device, at any time. If you have a biometric reader device connected to an endpoint in your offices, you may not be able to respond to a digital emergency from your home at 2 AM. Passwords thus offer a responsiveness biometric haven’t yet matched.  

Some of these issues are a matter of biometric technology still being in the innovative stages of relative youth. Most likely, these issues will be resolved in the near future. But what about the now?

Granular Authentication: The Best of Both Worlds

The key to strong enterprise-level identity security and authentication might be to bring passwords and biometric authentication factors together in a granular authentication model.

In a granular model, the lowest level of security is monitored by the lowest level of authentication clearance. In a CIAM model, customers would only need a password or a social sign-in to enter the customer-facing network. Lowest level employees would only need a password to enter the network proper and do their jobs.

Higher level employees may be asked to produce a hard token or biometric authentication factors to access more sensitive databases as per their duties, as per a two-factor authentication. For top-level employees or C-suite executives looking to access the most sensitive or valuable digital assets, you can enforce multifactor authentication; this can require biometric authentication factors, geofencing, passwords, PINs, and whatever your enterprise needs to feel secure.

The debate between passwords and biometric authentication factors should not be an either/or question. It should be about how to merge the two to secure your identity perimeter.   

Other Resources: 

The Current State of Biometric Authentication in IAM

Top 4 Questions to Ask Before Selecting A Biometric Authentication Solution

Top 4 Authentication Findings from IBM’s Future of Identity Study

Survey Reveals Public Opinion on Biometrics and Passwords

How to Deploy a Biometric Authentication Solution

The 32 Best Identity and Access Management Platforms for 2018

How IAM Solves Onboarding and Offboarding Challenges

IAM vs CIAM: What’s the Difference?

The Current State of Biometric Authentication in IAM

Comparing the Top Identity and Access Management Solutions

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner