Over the years, there has been a lot of hype about the potential of biometrics for authentication and other purposes, but the lack of availability to consumers meant adoption was behind the hype curve. Device manufacturers have since changed this picture with native biometric support of mobile and tablet devices.
In a broader sense, it is important to understand the benefits of biometrics and how they can fit into an organization’s security strategy.
The death of the password – are we there yet?
Biometrics are used for individuals to authenticate to a service or a device. In some instances, authorization of a transaction has been built into applications. Due to its many intuitive uses, biometrics have long been a favorite of those who sing the tales of the demise of the password. While it is unlikely that we’ll get rid of passwords anytime soon, biometrics can offer a lot of value.
Why biometrics?
Biometrics have some significant benefits. Their adoption into ever more uses bring with it a number of benefits.
For a start, biometrics are user-friendly. After years of passwords and pins on fiddly mobile device keyboards, having a simple fingerprint reader is a welcomed alternative, particularly when, as Deloitte research noted, biometric readers are used on main devices, on average, 30 times a day.
Another benefit of biometrics is increased accountability. As biometrics rely on something you are, the days of sharing authenticators could be numbered.
Biometrics also are cheap. The device manufacturers have already distributed upwards of a billion readers to date.
Lastly, where the system is properly architected, biometrics can have the advantage that attacks won’t scale. Proper design entails not using the representation of the body feature as a secret and, in turn, not storing such representations in a central location. Often it is these databases that are a target for motivated attackers.
How do I embed biometrics in my digital strategy?
Organizations should definitely consider using biometrics in their consumer authentication strategy, but this should be part of a wider security model. Having a single factor (in this case of biometrics, something you are) might be enough for simple uses – for example, to log into your electricity provider to review your latest bill. This will not be enough for other uses, though, such as authorizing a major payment from your bank current account. There are a few things to keep in mind for organizations in all industries:
- Balance a good user experience with appropriate security. Happy consumers can be a real differentiator; lack of security can lead to significant losses and cause real damage to your company’s reputation.
- Make customer authentication and use of biometrics a part of a wider strategy. For some use cases, a fingerprint might be enough to authenticate. In other cases, you want another factor, such as out-of-band authentication. In some, very high-value use cases, you might even want to continuously monitor that your authenticated user is still likely to be the same user. This is known as behavioral biometrics.
- What do you do if your main authentication mechanism is breached? Do you have a fall-back plan? Will you have strong protection for the consumer to increase adoption in the first place? Are you able to detect and respond to such an event? Your authentication strategy should be part of a much wider security-by-design strategy.
Multifactor authentication is here to stay, and biometrics are fast gaining pace. As part of your overall customer-facing initiatives, build in a strong authentication mechanism, and leverage the growing presence of biometrics to enhance security and user experience.
Kristian Alsing, head of identity and access management, Deloitte UK
[ISACA Now Blog]
