Flash and Substance: Biometric Authentication and Multifactor Authentication
How should enterprises consider biometric authentication in the modern age? Moreover, how should they consider it in the context of multifactor authentication (MFA)?
Biometric authentication becoming mainstream caused a stir in cybersecurity like never before. In more than a few segments of the industry, it felt like a new era was dawning in authentication and identity management in general. In biometric authentication, InfoSec professionals found a technology that suffered from none of the weaknesses of traditional passwords: biometrics couldn’t be forgotten or changed maliciously, couldn’t be stolen or guessed via social media information, and hackers couldn’t just crack them the way they could with passwords. The future, as they say, was here.
Yet now, the conversation around biometrics has changed. Biometric authentication is still a critical branch of cybersecurity, certainly worth investigation, selection, and deployment by enterprise IT decision-makers. In fact, Solutions Review offers a Biometric Authentication Buyer’s Guide for that process. The conversation, however, has pivoted to treat biometric authentication as part of multifactor authentication.
Why?
Biometric Authentication and Multifactor Authentication
Single Factor Authentication Remains a Problem
Part of the reason passwords suffer from the reputation they hold within the cybersecurity conversation actually stems from a certain kind of stagnation. Businesses allow passwords to operate as their sole means of authentication, which allows hackers easy access to the network. Biometrics don’t share the same weaknesses as passwords, but allowing them to occupy the same single-factor authentication position as passwords invites the same issues.
Hackers may not be able to steal biometrics the way they can with passwords. However, they can find ways to just slip past the login portal in the first place, and given that in this scenario only one layer of authentication exists… the idea should send chills through you.
So this pivot between biometric authentication and multifactor authentication occurred in part because enterprises looked poised to make the same mistake they had made before. Fortunately, the conversation changed mainly due to one key observation.
Multifactor Authentication Just Works
Here’s the thing about authentication and cybersecurity in general: nothing works perfectly and deflects 100 percent of all cyber-attacks. That’s why the detection and response model has supplanted the previous prevention model.
At the same time, MFA works better than virtually any other authentication model at deflecting or deterring a vast majority of attacks via compromised accounts or login portals. The more barriers and checks between the initial access request and the granting of that access, the safer your data remains.
Moreover, many of these factors don’t (as some theorize) inhibit login processes and thus stifle workflows. In fact, most of them operate under the surface, never observed unless something detects a potential threat.
In other words, it just works. Biometric authentication forms a vital part of multifactor authentication, but it can’t go it alone. It needs support to work optimally.
Additionally, the understanding of biometrics continues to evolve.
Behavioral Biometrics: A New Kind of Future
When we talk about biometrics, we tend to think of physical biometrics: fingerprints, facial recognition, voice recognition, etc. These remain a vital part of the conversation.
Yet a new breed of biometrics, behavioral biometrics, rose to prominence as more enterprises and cybersecurity professionals recognized that authentication couldn’t end at the login stage. As mentioned above, even MFA can’t find all the compromised accounts. Hackers will inevitably get through and could cause havoc if unchallenged.
Behavioral biometrics extends authentication beyond the login page, to the everyday activities of users and employees. It creates baselines for behaviors, including the typing patterns of users, which hackers can’t possibly replicate. It extends your visibility over the accounts which interact with your most sensitive data and provides that extra layer to your security.
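One way to implement the typing-pattern baseline described above, as an added example that is not part of the original article: it enrolls a per-user profile from known-good sessions and asks for step-up authentication when a later session deviates from it. The sample timings, the z-score scoring, the threshold and all function names are assumptions chosen for illustration.

```python
"""Keystroke-timing baseline: enroll from known-good sessions, score new ones."""
from statistics import mean, stdev

# Constructed sample data: inter-key intervals (ms) for the same five key
# transitions, captured over six known-good sessions of one user.
ENROLLMENT = [
    [110, 95, 140, 120, 100],
    [105, 98, 150, 118, 104],
    [115, 92, 145, 125, 98],
    [108, 97, 138, 122, 101],
    [112, 94, 148, 119, 103],
    [107, 96, 142, 121, 99],
]
MIN_STD_MS = 2.0  # floor so a very consistent typist does not inflate z-scores
THRESHOLD = 3.0   # assumed cut-off; tune against real false-accept/reject rates


def build_baseline(sessions):
    """Return a (mean, std) pair per key transition from enrollment sessions."""
    if len(sessions) < 2 or len({len(s) for s in sessions}) != 1:
        raise ValueError("need two or more sessions of equal length")
    return [(mean(col), max(stdev(col), MIN_STD_MS)) for col in zip(*sessions)]


def anomaly_score(baseline, session):
    """Mean absolute z-score of a session against the enrolled baseline."""
    if len(session) != len(baseline):
        raise ValueError("session does not match the enrolled feature count")
    return mean(abs(x - m) / s for x, (m, s) in zip(session, baseline))


def decide(baseline, session, threshold=THRESHOLD):
    """Continue the session silently, or require another factor."""
    return "step_up" if anomaly_score(baseline, session) > threshold else "allow"


if __name__ == "__main__":
    profile = build_baseline(ENROLLMENT)
    # Constructed sessions: one close to the profile, one with a different rhythm.
    for label, sess in [("owner", [109, 96, 144, 120, 102]),
                        ("other", [180, 60, 210, 90, 150])]:
        print(label, round(anomaly_score(profile, sess), 2), decide(profile, sess))
```

A deviation here triggers a further authentication factor rather than a hard block, since legitimate typing rhythm also shifts with fatigue, injury or a different keyboard.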
This article only serves to highlight how the conversation around cybersecurity changes as the needs and demands of businesses and the threat landscape evolve. Nothing in this industry is set-it-and-forget-it. You need active engagement for proper results. It really is that simple.