Why biometrics will let us forget passwords forever
In the next few years, forgetting passwords will be a problem of the past, with more and more organisations using biometrics for authentication. By 2022, 60 percent of large companies will reduce their dependence on passwords, according to Gartner. Microsoft employees, meanwhile, are already authenticating using biometrics, and UK banks are trialling fingerprint authentication to authorise purchases.
Of the 41,686 security incidents covered in the 2019 Verizon Data Breach Incident Report, 32 percent involved phishing and 29 percent involved stolen credentials, showing that replacing passwords with biometrics is warranted. Businesses, employees and consumers need a less complex and more secure way to authenticate, and biometric authentication provides both. The storage of sensitive biometric data has raised security concerns; however, when implemented correctly and with proper storage, biometrics have a prominent place in our passwordless future.
Use biometrics for security, not convenience
Often biometrics merely stand in for an existing password, which is a popular way of unlocking smartphones and accessing mobile apps. However, the password isn’t removed from the authentication process; the biometric is only used as a shortcut to it. Using biometrics for authentication only works if passwords are fully eliminated from the authentication process. This is a fundamental step towards passwordless authentication, because if a password still lingers in the background, the risk of a data breach remains.
To obtain the full benefits of passwordless authentication, biometrics need to be used for security, not solely convenience, which means implementing policies that completely remove passwords from the authentication process. This means never being asked to create a password, enter a password or reset a password. With real passwordless authentication, the only way a person authenticates is by using a combination of biometrics.
Your biometric isn’t like your password
Despite stories about researchers fooling biometric sensors, actually pulling off a spoofing attack is very challenging. Using a stolen password is straightforward: an attacker can simply type the stolen credentials into a keyboard. Biometric images, by contrast, can’t be entered directly into a sensor; they must first be converted into a physical object. To succeed with stolen fingerprint images, therefore, an attacker would have to make moulds of a person’s fingers good enough to trick a biometric sensor.
Even in the event of faked biometrics tricking a smartphone’s fingerprint sensor, biometric authentication systems include additional security measures to guard against such attacks. This includes liveness detection, which requires blinking or moving a finger to prove that a human is authenticating in real-time, and behavioural biometrics, which uses artificial intelligence to incorporate how people interact with their smartphones into the authentication process.
Of course, such spoofing attacks aren’t an issue if attackers are unable to obtain the biometric images in the first place. This raises the question of proper storage for sensitive biometric images, which must start with encryption. Next, the images should not be stored in a single location; instead, they should be split across two places, e.g. a server and a smartphone, so that if attackers infiltrate one database, they only obtain a portion of the biometric image, rendering the data unusable.
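The split-storage idea above, as an added example that is not part of the original post and not Veridium’s own implementation: the enrolled template is divided into two shares using XOR (one-time-pad style) secret sharing, one share held by the server and one by the device. Either share on its own is uniformly random and reveals nothing about the template; only the recombined template can be compared against a fresh capture, and because biometric captures are never bit-identical the comparison tolerates a small Hamming distance. The 32-byte template, the bit-error threshold and the `SplitTemplate` helper are constructed assumptions for the illustration, not a real vendor format.

```python
import secrets
from dataclasses import dataclass

# Constructed sample: a 32-byte stand-in for an enrolled biometric template.
# Real templates are vendor-specific feature vectors; this value is illustrative only.
ENROLLED_TEMPLATE = bytes(range(32))

# Assumed tolerance: captures within this many differing bits are treated as the same person.
MAX_BIT_ERRORS = 8


@dataclass(frozen=True)
class SplitTemplate:
    """Two XOR shares of one template, intended to be stored in separate locations."""
    server_share: bytes
    device_share: bytes


def split_template(template: bytes) -> SplitTemplate:
    """Split a template into two shares with a fresh random pad.

    The pad is one share; template XOR pad is the other. Each share alone is
    indistinguishable from random bytes, so compromising one store yields nothing.
    """
    pad = secrets.token_bytes(len(template))
    masked = bytes(t ^ p for t, p in zip(template, pad))
    return SplitTemplate(server_share=pad, device_share=masked)


def recombine(split: SplitTemplate) -> bytes:
    """Reconstruct the template; both shares are required."""
    if len(split.server_share) != len(split.device_share):
        raise ValueError("shares must have equal length")
    return bytes(s ^ d for s, d in zip(split.server_share, split.device_share))


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def matches(split: SplitTemplate, probe: bytes, max_bit_errors: int = MAX_BIT_ERRORS) -> bool:
    """Fuzzy comparison of a fresh capture against the recombined enrolled template."""
    enrolled = recombine(split)
    return hamming_distance(enrolled, probe) <= max_bit_errors


def share_alone_is_uninformative(split: SplitTemplate, template: bytes) -> bool:
    """Sanity check used in the demo: a single share is far from the template.

    For a 256-bit template the distance to a random share is about 128 bits;
    anything in the middle band shows the share carries no usable information.
    """
    n_bits = 8 * len(template)
    d = hamming_distance(split.device_share, template)
    return n_bits // 4 < d < 3 * n_bits // 4


if __name__ == "__main__":
    split = split_template(ENROLLED_TEMPLATE)
    print("server share:", split.server_share.hex())
    print("device share:", split.device_share.hex())
    print("single share useful?", not share_alone_is_uninformative(split, ENROLLED_TEMPLATE))
    print("recombined == enrolled:", recombine(split) == ENROLLED_TEMPLATE)
    noisy = bytearray(ENROLLED_TEMPLATE)
    noisy[0] ^= 0x01  # constructed capture noise: three flipped bits
    noisy[1] ^= 0x01
    noisy[2] ^= 0x01
    print("noisy capture matches:", matches(split, bytes(noisy)))
```

Each store only ever sees its own share, so the check that matters operationally is that recombination happens in one trusted place at authentication time and the reconstructed template is discarded afterwards rather than persisted.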
Rethinking the role of biometrics in authentication
Given the success rate, attackers are unlikely to stop using passwords as infiltration vectors. Protecting companies from attacks attributed to stolen passwords demands a new approach to authentication – one that replaces knowledge-based methods with biometrics. That means viewing biometrics as a security tool instead of as a mechanism to speed up authentication. When biometrics let us say goodbye to passwords forever, we’ll be a step closer to more secure enterprises.
About the author
Jason Tooley is chief revenue officer at Veridium, a developer of frictionless digital authentication that helps businesses become more secure through the adoption of biometric authentication solutions.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.