As the threat landscape broadens, it’s essential that organizations adopt techniques that bring greater security and ‘close the front door’ to attackers, as stolen credentials are still one of the biggest threats. But at the same time, it’s essential not to put more barriers in the way of users and bother authorized users with processes unless there is a risk. Fortunately, there are multiple methods of authentication that are more secure and run numerous risk checks invisibly in the background, such as geo-location, threat detection capabilities and biometrics.
Interestingly, our recent survey found that nearly half (49%) of the IT decision makers questioned predict that physical biometrics will be the most used method in five years’ time. It’s encouraging to see that many are ready to embrace adaptive authentication and passwordless technologies, from biometrics to geographic-based capabilities, in the near future. But some challenges remain. Jeff Nolan at SecureAuth discusses the implications of biometrics, current use cases and potential dangers:
How biometrics are being used for authentication today and what’s to come
Biometrics are widely used for authentication on mobile devices and in call centers, and are growing in popularity on desktop computers. This includes proprietary approaches to fingerprints and, more recently, facial and voice authentication in Windows 10. But the biometric authentication method that is most recognizable to consumers is Apple TouchID, a sophisticated fingerprint sensor and iOS service, while Android devices, notably Google and Samsung, feature their own proprietary fingerprint biometric sensors.
Of all the biometric technologies, fingerprints are proven and reliable with a low rate of false positives/negatives. Apple, Google and Samsung have invested in sensors that combine a protected core with integrated software services. All biometrics rely on sophisticated probability models that go well beyond simple imaging approaches. Combined with adaptive authentication frameworks, biometrics are a reliable and secure approach to authentication.
Additionally, call centers have been deploying voice authentication solutions that recognize a speaker associated with a known caller ID, and this technology has migrated into mobile apps for financial services companies in consumer banking and insurance. Facial recognition has also grown in popularity, and companies as diverse as Alibaba and USAA (insurance) offer it as an authentication method in their mobile apps.
Biometrics for authentication is a mainstream technology and, with the large-scale shift to mobile and IoT, it will be critical to have reliable authentication technologies that go beyond the time-worn password. This will enable employees and consumers to go passwordless at scale, helping to alleviate the risk and burden currently placed on them to stay protected.
A one-factor biometric future isn’t the answer
In many futuristic films, biometrics are presented as the standard form of authentication. For example, Minority Report depicts a world where iris recognition is used as the main form of identity verification. But the dangers of one-factor biometric authentication are very real. No single authentication technique is beyond the reach of attackers, and a security strategy that relies on multiple factors and adaptive risk analysis is the right approach for today and tomorrow.
Adaptive authentication includes techniques such as analysing the authenticating IP address and comparing it against known bad IPs associated with anomalous internet infrastructure used by attackers; geographic location analysis (is the user in a known ‘bad’ location?); and geo-velocity (did an improbable travel event occur, such as the legitimate owner of the identity logging in from New York and an attacker trying to log in minutes later from Shanghai?). Similarly, techniques for ensuring that the phone numbers or mobile devices being used haven’t been subjected to fraudulent activity, such as phone porting fraud or an attacker using a virtual number rather than an actual mobile phone number, are essential.
These techniques simultaneously strengthen prevention, detect risks and work invisibly to the user, complementing biometrics to help thwart attackers’ attempts.
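The geo-velocity and IP-reputation checks described above, as an added illustration that is not part of the original article or any SecureAuth product: two successive logins for the same user are scored by the speed the user would have needed to travel between them, and the source IP is checked against a denylist. The coordinates, timestamps, speed threshold and denylist entries are all constructed for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumption: faster than an airliner is improbable travel

@dataclass
class LoginEvent:
    user: str
    when: datetime  # timezone-aware UTC timestamp
    lat: float
    lon: float
    ip: str

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))

def travel_speed_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    """Speed the user would need between two logins; inf if the clock did not advance."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:  # out-of-order or identical timestamps: any distance is impossible
        return math.inf if dist > 0 else 0.0
    return dist / hours

def assess_login(prev, cur: LoginEvent, bad_ips) -> list:
    """Risk signals raised by this login; an empty list means no step-up is needed."""
    reasons = []
    if cur.ip in bad_ips:
        reasons.append("ip_on_denylist")
    if prev is not None:  # first login we have seen for this user has no velocity baseline
        speed = travel_speed_kmh(prev, cur)
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            reasons.append(f"improbable_travel:{speed:.0f}km/h")
    return reasons

# Constructed sample data: the New York then Shanghai scenario from the article.
BAD_IPS = {"203.0.113.7"}  # constructed denylist entry from a documentation address range
T0 = datetime(2017, 6, 26, 12, 0, tzinfo=timezone.utc)
NEW_YORK = LoginEvent("alice", T0, 40.7128, -74.0060, "198.51.100.4")
SHANGHAI = LoginEvent("alice", T0 + timedelta(minutes=5), 31.2304, 121.4737, "203.0.113.7")
BOSTON = LoginEvent("alice", T0 + timedelta(hours=4), 42.3601, -71.0589, "198.51.100.9")
```

`assess_login(NEW_YORK, SHANGHAI, BAD_IPS)` raises both signals, while the Boston login four hours later raises none and would pass silently.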
Password-free authentication is, as the name suggests, password-free, so we must have something else that can reliably assert identity for reliable authentication. Security professionals are fortunate to have many techniques that break away from the username/password paradigm, and biometric factors are a critical enabler for passwordless on desktop, mobile and headless IoT devices.
This article originally appeared in Biometricupdate.com on June 26, 2017.