Biometrics: A Stepping-Stone To Eliminating The Password Forever
September 13, 2017 - Once thought of as exotic and futuristic, the use of biometrics as a means of authentication is quickly becoming mainstream. The concept is based on the fact that each person is unique and can be identified by his or her intrinsic physical or behavioral traits. This premise can serve as a powerful security measure, proving extremely valuable to organizations and their employees.
If you are a frequent traveler, you may have already experienced biometric authentication firsthand. The Transportation Security Administration (TSA) has been testing the technology at airports in Atlanta and Denver in the hopes of speeding up airport security. The deployed fingerprint readers compare passengers’ fingerprints with ones that were provided when the passenger enrolled in TSA PreCheck. The goal is for fingerprints to one day serve as a permanent boarding pass and ID for flyers.
Fingerprints were recognized as a useful tool for identification far earlier than you might think. As early as 500 B.C., the Babylonians recorded fingerprints on clay tablets for business transactions. Modern-day biometric systems began to emerge in everyday applications toward the end of the 20th century. Touch ID became commonplace with the emergence of the iPhone 5S, followed by 3D Touch with the iPhone 6S.
Beyond fingerprints, many organizations have also started to incorporate other biometrics when authenticating end users. In 2016, MasterCard announced the capability for customers to use facial biometrics for payment authentication, often referred to as “selfie pay.” Tapping into the user’s smartphone camera, the individual can verify their identity just by showing their face. Apple may also be moving toward facial biometrics with the release of iPhone 8, which is rumored to feature infrared facial recognition that may complement or replace the phone’s fingerprint sensor.
With the large-scale shift to mobile and the internet of things (IoT), biometrics will be critical to authentication technologies that go beyond the antiquated use of passwords. However, it is important to recognize that biometric authentication is not a silver bullet. No single authentication technique is beyond the reach of attackers. True identity security must rely on multiple factors combined with risk analysis -- a technology known as adaptive access control.
Systems that employ adaptive access controls analyze multiple attributes of an authentication to assess the inherent risk of the request. For example, attributes of a device may be analyzed by the adaptive engine to determine if the device has been seen before. The location of the authenticating user may be taken into account, as well as the internet address from which the user is connecting. Even the way a user physically interacts with his or her desktop and device -- a technology known as behavioral biometrics -- can be analyzed.
Behavioral biometrics is an intriguing new technology being applied to adaptive access control solutions. It is a perfect match because it involves the analysis of a user’s physical behavior. It’s nearly impossible for attackers to mimic a user’s behavior down to their keystroke dynamics and mouse movement. The technology analyzes these traits at a level of precision that the human eye would have no chance of observing. Many organizations have already begun to harness the potential of behavioral biometrics, including credit bureau Experian, the Pentagon, the U.S. Army and Visa.
The application of behavioral biometric technology in authentication holds great potential for organizations across a wide range of industries. Imagine a situation where a user logs into his or her online banking application with a username and password. If the bank augmented its application with behavioral biometrics, it would know with a greater level of confidence that it is the correct user logging in. Now imagine that a malicious user gets hold of someone’s device. Because that person’s behavior would not match the legitimate user’s, the malicious user would be asked for an additional factor of authentication or the session would be ended before significant damage could occur. Organizations can take this a step further by enabling passwordless authentication, which takes a user through a similar scenario without ever having to enter a password. Instead, it would rely on biometric authentication and other adaptive authentication methods.
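The adaptive engine described in the paragraphs above, sketched as an added example that is not from the original article or any vendor's product. The weights, thresholds, profile fields and the sample user are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean

# Weights and thresholds are constructed for illustration, not tuned values.
WEIGHTS = {"new_device": 30, "new_country": 25, "new_network": 15, "behavior": 40}
STEP_UP_AT, DENY_AT = 40, 80

@dataclass
class Profile:
    """What the engine has learned about a user from earlier logins."""
    devices: set
    countries: set
    networks: set       # IPv4 /24 prefixes seen before, e.g. "203.0.113"
    key_mean_ms: list   # mean delay between each pair of typed keys
    key_std_ms: list    # standard deviation of each delay

def behavior_anomaly(profile, observed_ms):
    """Mean absolute z-score of observed keystroke timing, scaled to 0..1."""
    if len(observed_ms) != len(profile.key_mean_ms):
        return 1.0  # nothing to compare against: treat as fully anomalous
    zs = [abs(o - m) / max(s, 1.0)
          for o, m, s in zip(observed_ms, profile.key_mean_ms, profile.key_std_ms)]
    return min(mean(zs) / 3.0, 1.0)  # three sigma or more counts as maximal

def assess(profile, device_id, country, ip, observed_ms):
    """Return (score, decision) for one authentication request."""
    score = 0.0
    if device_id not in profile.devices:
        score += WEIGHTS["new_device"]
    if country not in profile.countries:
        score += WEIGHTS["new_country"]
    if ip.rsplit(".", 1)[0] not in profile.networks:  # IPv4 only in this sketch
        score += WEIGHTS["new_network"]
    score += WEIGHTS["behavior"] * behavior_anomaly(profile, observed_ms)
    if score >= DENY_AT:
        return score, "end_session"
    if score >= STEP_UP_AT:
        return score, "step_up"   # ask for an additional factor
    return score, "allow"

# Constructed sample user: one known laptop, one country, one home network.
ALICE = Profile({"laptop-01"}, {"US"}, {"203.0.113"},
                [120, 95, 140, 110], [15, 12, 20, 14])
```

With the known laptop and network but unfamiliar typing rhythm, the behavioral signal alone is enough to reach the step-up threshold, which is the stolen-device case the paragraph describes.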
The time has come to say farewell to the password and to embrace stronger methods of user authentication. There are no more excuses we can make -- an Everest-sized mountain of evidence leaves little doubt. Breaches are relentless and continue to point to stolen credentials as a high-value target for attackers. They are extremely valuable on the dark web and a powerful tool for today’s cybercriminals. Many organizations are already stepping into the passwordless future, and rightly so. I can think of no other solution that would have a larger impact in today’s threat landscape.
This article originally appeared on Forbes.com on September 13, 2017.