Biometrics, previously the stuff of science fiction, are now a familiar part of daily life with many people routinely gaining access to their phones with fingerprint and facial recognition. It stands to reason that this form of authentication will become more widespread; after all, we see barriers to technology use coming down everywhere. As biometrics authenticate users through something they are, not through something they know, they help the digital world become seamless through friction-free connectivity, writes Jasmit Sagoo, pictured, Head of Solutions Engineering, International at authentication product company Auth0.
Every day we hear about hacks, breaches, scams, and frauds. Consumers are understandably concerned. One survey found that 86 per cent are interested in using biometrics to verify identity or make payments and that 70pc think they’re easier. This suggests that IT and cybersecurity professionals are knocking at an open door when they plan to integrate biometrics into their login flows. That’s encouraging; indeed, a 2018 survey by Spiceworks found that 62pc of enterprises were already using biometrics.
As part of the drive towards robust multi-factor authentication, biometrics add a strong additional layer of verification security. After all, biometrics cannot be guessed or compromised by being written down. Instead, consumers can identify who they are without really trying. Authentication isn’t only about security and privacy; it must be convenient too. In this, biometrics perform well because they make use of something that just is about that person – no friction, but no compromise on security either.
How, then, are biometrics being used? There are a number of ways:
1.Fingerprints: gaining access to something through a fingerprint is now fairly familiar. It’s one of the most widespread biometric authentication technologies and is used to secure mobile devices, laptops; even cars;
2.Facial recognition: a person’s unique facial anatomy can also be used to unlock smartphones but also to verify identity for credit card payments. When Mastercard rolled out what frequently became referred to as ‘selfie pay’, the system required customers to blink into the camera. That way, the integrity of the verification couldn’t be compromised by simply pointing the camera at a photo of the card holder’s face;
3.Voice recognition: this form of authentication uses the unique pitch, tone, and frequencies of an individual’s voice to authenticate them. It has been in widespread use for years by telephone banking and the customer support centres of other organisations; and
4.Retina/iris recognition: harder to implement, this form of verification requires infrared light, a specialised camera and the right conditions to work. With all that in place though, it is extremely accurate and so is used to grant access to high security installations.
Less common, but with great promise for the future, is gait recognition, which verifies someone by the way they walk and offers potential for unlocking car doors as well as granting building access, and vein recognition. This works by verifying the pattern of blood vessels in an individual’s hand – anatomy that is unique to each person.
Behavioural biometrics are another emerging innovation that will help make online authentication more intuitive and seamless for users, while simultaneously improving security. Paolo Gasti, co-founder and chief technology officer at biometric authentication solutions provider Keyless, explains: “Behavioural technology uses deep learning methods to extract unique patterns that represent how a user interacts with their devices, for example, recognising unique patterns in how a user types or swipes when using their devices. These patterns can then be transformed into biometric templates, which can then be used to offer continuous or frequent authentication.”
It’s clear that biometric authentication has much to offer. Not least, a high level of security and convenience for users. Despite this, the earlier cited Spiceworks survey did reveal a number of perceived barriers to biometric adoption. These include concerns around the storage of biometric data, cost, and upgrade requirements.
Companies are right to approach the implementation of any authentication system with the appropriate mindset. Cybersecurity evolves at a rapid pace and expertise is required to stay abreast of the latest risks, threats, and developments. With this in mind, security professionals implementing biometric authentication should be prepared for:
Ongoing risk mitigation
As with all cybersecurity measures, hackers evolve their approaches to find new ways to crack biometric authentication systems. Identity access management professionals must work to continually find any potential gaps and remedy them.
Continuous biometric authentication
Authenticating on a rolling basis makes sense regardless of which verification method is used. ‘Zero-trust’ is becoming the norm with frequent authentication replacing a one-time event at the first point of access request. In this way, an authentication score is calculated in real time. For this to work though, it becomes even more important that the method of authentication doesn’t introduce friction to the process (and user frustration as a result).
Biometrics in identity access management are still fairly new and so regulations are evolving all the time. Data protection, paramount in all situations, is a sensitive issue with biometrics. After all, biometric data can’t be changed like a password – if it’s hacked, it’s compromised forever. Companies with modern authentication system management can help ensure compliance with relevant regulations and consumer trust in the integrity of their data protection.
Gasti says: “Advancements in privacy-first authentication methods, like distributed authentication, can enable us to uniquely identify a genuine user via their biometrics across any device – thus allowing fast, frictionless access and high assurance – without needing to actually process or store biometric data. In simpler terms, privacy-first technologies can allow businesses to take advantage of the usability and security benefits of omnichannel biometrics without any risk to privacy or compliance.”
Customers, employees, suppliers, and other stakeholders all have to verify their identity to access devices, applications and systems. It’s a part of daily life – when we work, shop and interact. What we have to be cognisant of is, what do people trust the most today? Their own biometrics. Indeed, many have grown up with biometric technology. It provides an exciting way for verification to be secure and convenient and is ideal for companies rightly concerned about the experience of their user interface. As with all cybersecurity, biometric authentication relies on effective implementation and modern management to remain robust, secure, and simple to use.