RSA conference serves up optimism for a passwordless future with biometrics
A biometrics industry analysis piece published on Forbes.com attempts to drive a few more nails in the coffin containing the hope that passwords can still effectively secure information systems.
Written by Louis Columbus, principal at manufacturing-software writer IQMS Inc., the piece is part history (protection based on something you know, something you have, and now something you are), part industry update and all argument that password use should be a standard red flag in due diligence.
Columbus does some hand-waving when it comes to the significant hurdles vendors face in making biometrics-based security practical and reliable in business-critical and consumer settings.
He also, however, puts a stake in the ground in his analysis, declaring: “privileged admin passwords need to be the first to go.” That would affect a large population of technology influencers (though a minuscule one compared to the uncounted users out there). And not to put too fine a point on it, but attacks preying on admin credentials are not exactly rare events.
Columbus said he toured last month’s RSA Conference 2020 paying particular attention to two or three dozen vendors marketing themselves as supporting passwordless authentication.
He gives a knuckle bump to privileged-access-management software maker Centrify Corp. Columbus said the firm was one of the few vendors present that “specifically mentioned support” for Apple Inc.’s Touch ID and Face ID, and Windows Hello, and displayed full support of the FIDO2 protocol.
Columbus reports being encouraged by the number of vendors showing real support for FIDO2. All 30 vendors who claimed support for authentication without passwords could demo Windows Hello and Windows Hello for Business capabilities, and all those claiming FIDO2 compliance were able to demonstrate it with Apple’s Touch ID. Combining multiple biometric modalities, however, could not be “conclusively” demonstrated by any, Columbus says. He also reports the NIST 800-53 standard is being rapidly adopted across the industry. The use of metadata generated by biometrics is an area of varying capability among vendors, though all claim to support analytics. Indeed, Columbus says a passwordless future draws nearer.