Passwordless authentication does not equate to biometrics in the workplace

The enterprise IAM movement towards passwordless authentication does not appear to drive uptake of facial recognition in the workplace. Instead, organizations are harmonizing around a common set of methods and modalities.
In 2015 Microsoft announced that Windows 10 would feature an entirely new authentication framework called Hello which includes the ability to enable biometrics such as facial and fingerprint recognition as a native method of authenticating end users. In the seven years since and the release of Windows 11, Microsoft says that more than 150 million people worldwide use biometrics to access work and there are over 1.4 Bn active Windows devices and PC globally. This represents about 11% of the entire Windows ecosystem. While it is unknown the division between face and fingerprint, its largely believed that fingerprint is the leading biometric method in use.
In 2017 Apple announced that the iPhone X and iPad Pro would feature FaceID as the native method of authenticating users and a successor to TouchID their previous fingerprint authentication technology. And while Apple doesn’t publish enterprise use data there are 1.8 Bn active Apple devices globally—its estimated that 50% use FaceID. In contrast, the new Mac line of laptops continue to feature TouchID and Apple executives have no plans to add facial recognition to their lines of personal and professional grade laptops.
It turns out that despite the potential of biometrics in workplace, the most widely used combination for passwordless and multi-factor authentication in the enterprise is leveraging a smartphone as the second authentication factor to enable access workplace applications.
The three common authentication methods are mobile authenticator apps (such as Microsoft Authenticator and Google Authenticator), push authentication (tap to approve/deny), and SMS-based one-time codes, which despite their vulnerabilities and weaknesses persist. For higher security requirements and environments, the movement towards passwordless doesn’t appear to be towards facial recognition or fingerprint either, but rather by using hardware-based devices (such as Yubikey and SecurID) and hardware-based security tokens instead.
Although there are a variety of country-level policies and regulations limiting and/or restricting the use of facial recognition and other biometric technologies, its relatively minimal use within enterprises appears to be pragmatic. Organizations are implementing a more universal, repeatable authentication journey based on what people are already doing at the time, such as touching and typing, inline with the user flow of that experience.
About the author
Carla Roncato is the Founder of Authora Research and Evangelist at the OpenID Foundation. Carla was previously the primary analyst at the Enterprise Strategy Group (ESG) covering identity and access management, data privacy, and zero trust security. She has been featured in Computer Weekly, SG Magazine, TechTarget, Wall Street Journal and a keynote speaker at Trend Micro CloudSec Conference and Open Banking Security Summit. Find Carla on Twitter and LinkedIn.
Article Topics
access management | authentication | biometric authentication | enterprise | fingerprint biometrics | identity access management (IAM) | mobile authentication | multifactor authentication | passwordless authentication
Comments