Beyond Biometrics: The Future of Authentication
As organizations become more and more digitally connected, concerns about secure access seem to loom larger than ever. With more users connecting to more resources, how can organizations ensure people requesting access are who they say they are?
As the digital risks associated with identity access and management continue to evolve, I’ve found myself bombarded with questions about biometrics as a means of authenticating users. How strong of an authentication method is it, really? What about the privacy issues? Is it true twins can fool a voice verification system? Are the one-in-a-million odds of a false face match low enough? Will biometrics live up to all the hype?
Since Apple’s announcement of Face ID on the iPhone X, people are talking about biometric authentication as if it’s the be-all and end-all for authentication today—and, at the same time, questioning whether it can stand up to the challenge of delivering secure, reliable authentication over the long term.
The problem is, those are the wrong questions. They only make sense if you’re operating on the assumption that biometric authentication is intended to supplant all the methods of authentication that came before it and that it, too, will eventually be eclipsed by the next major advance in authentication technology.
Those assumptions saddle a single form of authentication with unreasonable pressure to perform. In reality, biometric authentication is no silver bullet (and was never intended to be one). Like all forms of authentication, it works best as one of several means of proving someone is who they claim to be, and discussions of its merit need to take place in that context.
The strength of many surpasses the power of one
When facial recognition took center stage last year, smartphone passcodes didn’t just go away. Today, the passcode continues to function as a second factor for higher-risk authentication scenarios—when you haven’t unlocked your phone for a certain amount of time, for example, or when your phone fails to recognize you several times in a row. And, of course, a number of other authentication factors, ranging from tokens to one-time SMS codes, are still required for certain types of interactions and transactions. It seems reasonable to go so far as to say the very reason a biometric authentication method like Face ID works as a convenient way to authenticate someone is precisely because it isn’t the only method at work. Rather, it’s one of many authentication methods working together to maximize security.
A useful comparison lies in the primary authentication mechanism for the one asset everyone wants to keep secure: money. Your debit card, which provides access to all the cash you have in the bank, is protected by a simple four-digit PIN. It’s as if just four numerals stand in the way of someone cleaning out your bank accounts. In the bigger picture, though, there’s a lot more than your PIN protecting your cash. Every time you use your debit card, multiple technologies—artificial intelligence, machine learning, data analytics—are working in concert to protect that transaction by assessing the risk it presents and following up with appropriate action, such as requiring more stringent authentication or even declining the transaction altogether.
Sure, card fraud happens. But it happens far less often than it would if your four-digit PIN were really the only protection the bank had in place. That protection is truly effective as part of an approach that combines multiple factors together to form a much stronger whole.
What’s good for the consumer is good for the enterprise
In the same way that a PIN isn’t the only thing protecting your bank account funds, biometrics shouldn’t be the only method of authentication an enterprise counts on to verify a user’s identity. In and of itself, biometric authentication is no silver bullet for protecting an enterprise’s digital assets, and no one should expect it to be. But it’s inarguably a formidable weapon in the enterprise arsenal. It can’t be easily stolen the way, say, a password can. And used in combination with other credentials, it provides a secure and extremely convenient way to authenticate users.
When it comes to biometrics, there’s a strong argument to be made for protecting enterprise applications the way we protect consumer transactions, not just relying on any single authentication method, but instead also factoring in information about user, location, device and behavior—and yes, maybe even four-digit PINs. When that information doesn’t provide enough assurance for the action a user is trying to perform, then we can look for additional methods of proof if the risk warrants it. Viewed through that lens, biometrics can provide the enterprise a powerful means of ensuring that users are who they say they are and help navigate the changing landscape of identity risks. And with less intrusive methods of biometric authentication emerging—including advances like keystroke dynamics and gait analysis—and more companies planning to adopt it, I’m confident biometrics is here to stay. But the ultimate goal for identity and access management is not to find the unbreakable or “unhackable” code for authentication; rather, it’s to layer security to create a much stronger identity assurance posture.