Since the dawn of the information age, businesses have been using “something you know” passwords to secure access to company data.
However, in today’s data-breach-of-the-week landscape, the password is no longer a sufficient method of protecting precious information.
Data leaks and password dumps, specifically hackers breaking into computer systems and releasing lists of usernames and passwords on the open web, are now regular occurrences. In response, security professionals are exploring how to reduce the impact of this ever present threat.
During the last couple of years, multi-factor authentication has become more ubiquitous, and now it might be the time for biometric technologies to finally come to the fore as an alternative system of authentication.
The Opportunity of Biometrics
Instead of “something you know,” biometrics are “something you are,” and there are two main categories — physiological and behavioral.
Physiological biometrics include everything from fingerprints to voice, heartbeat, facial and iris pattern recognition, whereas behavioral biometrics include factors such as left/right handedness, hand tremor, navigation patterns and keystroke dynamics.
Since behavioral biometrics lack the immediate uniqueness characteristic provided by physiological techniques, these factors are not optimal as a single-form of authentication. Instead, these methods are best used in conjunction with other data, like physiological biometrics or device data, like IP or hardware attributes.
The opportunity for security professionals is to find the right combination of physiological biometrics, behavioral biometrics and password authentication to enhance their company’s overall identity and access management strategy.
Google is taking things one step further with their Project Abacus, which combines both types of biometrics to reduce, but not eliminate, the use of passwords. It has already been successfully tested in academic environments, but it remains to be seen how it will fare elsewhere.
The Challenges of Biometrics
The move towards using behavioral and physiological biometrics as part of a primary or alternate authentication factor is not without its challenges.
For biometric authentication to become mainstream in a business context, it assumes that all employees — not just some — have access to the appropriate biometric readers. Many companies cannot afford the costs associated with giving each employee access to a behavioral or physiological biometric reader.
Whose Fingerprints Are These?
Companies also need to carefully consider which types or combinations of biometric technologies to use as a form of authentication.
We live in a world where even fingerprints can be hacked. Cyber crooks have been known to create fake fingerprints from impressions on glassware or from photos in the public domain.
Dirt, oils, smudges and other types of wear and tear can also compromise these devices. The mechanisms used to authenticate users are so sensitive that calluses, blisters, cuts and burns can inhibit access to information.
Businesses are also running into challenges when it comes to managing the multitude of devices being used to access secure data. Companies need to ask themselves whether they are going to make biometric readers available on all devices including desktops, tablets, mobiles, wearables and so forth.
Ever Present Privacy Issues
There is also the privacy angle — there always is, isn’t there? If “something you are” can uniquely identify you, then it must follow that it can be classified as personal data, which has its own unique set of privacy repercussions and requirements.
This is more in the case of physiological biometrics, but we shouldn’t completely rule out the possibility of these repercussions and requirements also applying to behavioral biometrics.
Even if you find a way of not classifying this information as personal data, biometrics are not something you can simply change. Meaning, if your LinkedIn password is compromised, you can simply change it. However, if your iris pattern or navigation dynamics are comprised, your options are very limited, to say the least.
The rise of the “deskless workforce” has presented another obstacle for security professionals. Today’s organizations have extensive distributed workforces — “deskless workers” who work at home, on the road or connect exclusively to cloud services, so they don’t need anything other than an internet connection to get their work done.
Security professionals need to consider how they will authenticate users outside the office. The same consideration needs to made for independent contractors who require access to company data from their personal and business devices.
Solutions like identity and access management, enterprise mobility management and security as a service, are targeted at managing the risk inherent to this workforce.
Biometrics: What You Need to Know
While businesses are moving towards or at least considering using biometrics as a type of authentication, the technology has some ways to go in order to become a mainstay in business. Developers need to find ways to make the technology easier to deploy, easier to use and find the right balance between requiring “something you know” versus “something you are.”
Even then, companies need to understand the difference between behavioral and physiological biometric authentication and when/how to leverage one, the other or both.
The best approach is to choose a combination of these techniques in conjunction with a password to enhance your company’s identity and access management strategy. The new technologies on the horizon promise to offer the best of all three worlds and it will be interesting to see if these systems become a mainstay in the corporate world.
This Guest blog has been written by Alvaro Hoyos from OneLogin. He leads risk management, security, and compliance efforts.
You can’t stop all attacks but you can reduce their impact and ensure a rapid recovery if you are hit. Take our free online cyber security test now.