The use of biometrics for authentication has become increasingly popular, with many consumer devices now supporting this technology. However, organizations must carefully consider how to effectively implement biometrics within their environments. The challenge lies in determining the most effective way to use biometrics.
According to Gartner VP and analyst Ant Allan, it is hard to envision a future without biometrics. The question, however, is how to use biometrics in the most efficient manner. Sailpoint CISO Rex Booth argues that while biometrics offer convenience, there may be a trade-off in terms of security. He questions whether the use of biometrics in low-stakes scenarios, such as unlocking a phone, is worth the potential risks.
One major concern for enterprises is how biometric information is stored and what would happen if that data were stolen. Typically, the responsibility for securing biometric data lies with the third-party vendor offering the biometrics technology. However, if a breach occurs and the authentication data is exposed, blame will ultimately land on the CISO’s desk. Given enough time and access to powerful computing equipment, criminals can eventually recover stored authentication data, whatever its immediate value to them.
Booth warns that using biometrics as a routine authentication approach could potentially harm the enterprise’s security, as well as the security of employees, contractors, and partners who require access to enterprise systems. He advocates for reserving biometrics for meaningful scenarios rather than using them everywhere.
One authentication strategy for biometrics is to combine different approaches to create a multifactor authentication (MFA) system. This involves using high-security approaches such as continuous authentication (CA) and behavioral analytics (BA). CA focuses on the systems being accessed and the actions being taken, while BA verifies user identity by analyzing various factors such as typing speed, phone characteristics, and time of day.
Continuous authentication does not stop once an initial authentication is confirmed; it keeps monitoring user behavior throughout the session to detect anomalies. By frequently changing which attributes behavioral analytics evaluates, authentication becomes more robust, since a fraudster cannot know in advance which checks to prepare for. MFA creates a layered approach to authentication, reducing the risk of relying on a single point of failure.
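As an added illustration (not code from the article or from any vendor named in it) of how a continuous-authentication layer could score in-session events against a behavioral baseline and rotate which attributes are checked, the following sketch uses a constructed baseline, constructed events, and an assumed step-up threshold:

```python
from dataclasses import dataclass

# Constructed per-user baseline (assumption, not real data): typical typing
# speed, the enrolled device, and the hour band in which the user normally works.
BASELINE = {"typing_cpm": 250.0, "device_id": "dev-A1", "hour_band": "work"}

# Every attribute behavioral analytics knows how to score; each session checks
# a rotating subset so an attacker cannot predict which signals are evaluated.
ALL_ATTRIBUTES = ["typing_cpm", "device_id", "hour_band"]


@dataclass
class Event:
    typing_cpm: float   # characters per minute observed in this interval
    device_id: str      # device fingerprint reported by the client
    hour: int           # local hour (0-23) at which the activity happened


def hour_band(hour: int) -> str:
    return "work" if 8 <= hour <= 18 else "off"


def attribute_deviation(event: Event, baseline: dict, attr: str) -> float:
    """Return 0.0 (matches baseline) .. 1.0 (strong anomaly) for one attribute."""
    if attr == "typing_cpm":
        ratio = abs(event.typing_cpm - baseline["typing_cpm"]) / baseline["typing_cpm"]
        return min(1.0, ratio)
    if attr == "device_id":
        return 0.0 if event.device_id == baseline["device_id"] else 1.0
    if attr == "hour_band":
        return 0.0 if hour_band(event.hour) == baseline["hour_band"] else 1.0
    raise ValueError(f"unknown attribute {attr}")


def pick_attributes(session_seed: int, k: int = 2) -> list:
    """Rotate the scored subset per session (deterministic here for testability)."""
    start = session_seed % len(ALL_ATTRIBUTES)
    return [ALL_ATTRIBUTES[(start + i) % len(ALL_ATTRIBUTES)] for i in range(k)]


def continuous_auth(events: list, baseline: dict, session_seed: int,
                    step_up_threshold: float = 0.5) -> tuple:
    """Score each post-login event; stop and demand a second factor on anomaly."""
    attrs = pick_attributes(session_seed)
    scores = []
    for ev in events:
        # The strongest single deviation drives the decision, so one badly
        # mismatched attribute is enough to trigger step-up.
        score = max(attribute_deviation(ev, baseline, a) for a in attrs)
        scores.append(score)
        if score >= step_up_threshold:
            return "step_up", scores  # re-prompt, e.g. for a biometric factor
    return "allow", scores
```

In this sketch the session ends in "step_up" as soon as one event on the rotating subset deviates past the threshold; the decision and per-event scores are returned so a real deployment could log them for detection engineering.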
To further enhance security, organizations can leverage the biometrics already present in smartphones through a method known as piggybacking. This approach trusts and utilizes the biometrics stored in smartphones, resulting in lower costs. However, IT and security have limited control over how the biometrics are administered and protected. If a robust MFA system is in place, lenient settings for biometrics may not pose a problem.
Damon McDougald, the global Identity lead at Accenture, believes that piggybacking is a great first step as it leverages technology that users are already familiar with. Gartner’s Ant Allan also supports this approach, acknowledging the cost-saving benefits and user convenience. However, McDougald warns against excessive friction in the authentication process, as it may lead to users bypassing authentication, which can be exploited by malicious actors.
In conclusion, while biometrics offer convenience and improved user experience, organizations must carefully consider how to implement them effectively. By combining different authentication approaches within a multifactor authentication system and leveraging existing biometrics on smartphones, enterprises can enhance security and mitigate some of the potential risks associated with biometrics.