Earlier this month, I attended the 2016 Interop Conference in Las Vegas. While I had many discussions with attendees on a variety of identity and access security topics, I was surprised by the number of questions about biometrics and multi-factor authentication (MFA). The majority of people asking these questions were interested in better understanding if and how biometrics should be used as part of their authentication process. Since this topic came up so often at Interop, I’m guessing a lot of you have similar questions. So, I thought it would be helpful to provide some additional information on biometrics and our point of view on them.
The State of Biometric Authentication
For decades, we’ve all seen biometric authentication used in spy movies, but over the last few years it has become a legitimate authentication option for all organizations to use in the real world. With smartphone adoption skyrocketing globally and more and more people becoming aware of the security risks and user hassles associated with password authentication, biometric authentication has emerged as an alternative to passwords. Biometric authentication is seen as stronger and more secure than passwords.
There are a number of different types of biometric authentication currently in use or being developed, including heartbeat, typing speed, vein patterns in the whites of the eye or in the skin, walking gait, and long-term behavior patterns. Selfie authentication was introduced earlier this year, while some organizations are using retinal scanning and voice recognition. However, the most common type of biometric authentication is fingerprint scanning.
Most mobile devices now contain a mobile fingerprint scanning sensor (analyst firms IDC and Acuity predict more than 500 million sensors will exist in 2016). Pervasive use makes this a viable option for nearly all organizations, regardless of industry. Additionally, since companies no longer have to manage or purchase the hardware component, the cost to implement this form of biometric authentication is often more affordable than other methods.
While fingerprint scanning and biometric authentication are a growing trend, there are potential drawbacks of which you should be aware. The most serious is that if a biometric authentication factor is compromised, you can’t change it. It’s not like a password, which can be reset. Biometric authentication methods, such as fingerprints, voice recognition, and iris scans, can be particularly risky because they’re so easy to steal for people with the interest and means. Looking specifically at fingerprints, we touch everything and leave fingerprints that can be lifted with relative ease. Way back in 2002, gummy bears were used to fool a fingerprint recognition device. And in March, researchers discovered a way to create a fake fingerprint accurate enough to fool a smartphone using an inkjet printer.
Biometrics within Multi-Factor Authentication
Biometrics can be very valuable as a part of multi-factor authentication. Using a fingerprint, for example, as one of two or three forms of authentication, minimizes the drawbacks mentioned earlier. As long as you’re using multiple forms of authentication, there’s no more risk associated with biometrics than there is with any other authentication factor.
We’re seeing many customers utilize biometrics in this way: as one of several forms of required authentication. Adhering to the “what you know, what you have, what you are” philosophy of MFA, most organizations are replacing, or already have replaced, costly tokens with the smartphones people already own. It’s easy to use fingerprint scans in combination with smartphones to fulfill the “what you are” factor.
Biometrics are a very good authentication factor when deploying adaptive authentication. They can provide a useful additional layer of authentication when someone tries to access your systems at a time, or from a location outside the network, that falls outside the norm for that user.
Whenever customers ask us about biometrics, it always leads back to a conversation about MFA, because without MFA, you shouldn’t be using biometrics at all. If asked to pick a single authentication method regardless of company or industry, in most cases I would say a one-time password (OTP), such as Google Authenticator or SMS OTP, is the best option.
Overall, the authentication methods you require of users should be dictated by policy, and policy should be driven by factors such as roles, entitlements, and risk scores, as well as adaptive aspects such as location, time of day, and time of week. That type of approach can only be implemented if you’re using multi-factor authentication though. Making the switch to multi-factor authentication as part of a comprehensive identity and access management solution is the best and most secure approach for managing user access.
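To make the policy-driven approach described above concrete, here is a small adaptive MFA policy evaluator. It is an added example written for this post, not code from any product or vendor: the thresholds, the role and method names, and the `risk_score` input (assumed to come from some separate risk engine) are all constructed for illustration. It encodes two rules from the text: the factor categories a login must satisfy step up with role, risk score, network location, and time of day, and a biometric is never accepted as the sole factor.

```python
"""Adaptive MFA policy: decide which factor categories a login must satisfy.

Constructed example. Thresholds, role names and method names are assumptions
chosen for illustration, not a real product's policy.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Set, Tuple

# The three factor categories of the "what you know / have / are" model.
KNOW, HAVE, ARE = "know", "have", "are"

# Concrete methods mapped to their category (constructed for this example).
METHOD_CATEGORY = {
    "password": KNOW,
    "pin": KNOW,
    "totp": HAVE,        # e.g. an authenticator app OTP
    "sms_otp": HAVE,
    "fingerprint": ARE,
    "face": ARE,
}


@dataclass
class LoginContext:
    role: str                  # e.g. "admin" or "staff" (hypothetical roles)
    risk_score: int            # 0..100, assumed to come from a risk engine
    on_corporate_network: bool
    login_time: datetime


def is_off_hours(when: datetime) -> bool:
    """Outside a 07:00-19:00 weekday window (assumed business hours)."""
    return when.weekday() >= 5 or when.hour < 7 or when.hour >= 19


def required_categories(ctx: LoginContext) -> Set[str]:
    """Return the minimum set of factor categories the policy demands.

    Baseline is one knowledge factor; any elevated role or anomaly adds a
    possession factor; high risk from off the network adds a biometric too.
    """
    required = {KNOW}
    if (ctx.role == "admin" or ctx.risk_score >= 40
            or not ctx.on_corporate_network or is_off_hours(ctx.login_time)):
        required.add(HAVE)
    if ctx.risk_score >= 70 and not ctx.on_corporate_network:
        required.add(ARE)
    return required


def evaluate(ctx: LoginContext, presented: Iterable[str]) -> Tuple[bool, str]:
    """Check the presented methods against the policy for this context.

    Returns (allowed, reason). A biometric on its own is rejected outright,
    regardless of what the context demands, because a compromised biometric
    cannot be reset the way a password or token can.
    """
    categories = set()
    for method in presented:
        if method not in METHOD_CATEGORY:
            return False, "unknown method %r" % method
        categories.add(METHOD_CATEGORY[method])
    if categories == {ARE}:
        return False, "biometric cannot be the sole factor"
    missing = required_categories(ctx) - categories
    if missing:
        return False, "missing factor categories: " + ", ".join(sorted(missing))
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenarios: a staff login during office hours on the LAN,
    # and an admin login at 03:00 from outside the network with high risk.
    staff = LoginContext("staff", 10, True, datetime(2016, 5, 10, 10, 0))
    admin = LoginContext("admin", 80, False, datetime(2016, 5, 10, 3, 0))
    for ctx, methods in [(staff, ["fingerprint"]),
                         (staff, ["password"]),
                         (admin, ["password", "totp"]),
                         (admin, ["password", "totp", "fingerprint"])]:
        print(ctx.role, methods, "->", evaluate(ctx, methods))
```

The step-up thresholds are where a real deployment would plug in its own roles, entitlements and risk engine; the structure (compute the demanded categories from context, then check the presented factors cover them) stays the same whatever the inputs are.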