Biometrics is not enough: Salesforce exec on enterprise MFA and digital identity

Over the past years, multi-factor authentication (MFA) has spread across the world, entering every industry and reaching thousands of users. Many of us are using the technology several times a day to access our work or social media sites.

Cloud-based software giant Salesforce has been one of the companies following the trend, making MFA a mandatory requirement for its customers two years ago. But MFA, including methods that rely on biometrics, is still facing challenges – from shifting regulations to the dangers of deepfakes.

Biometric Update sat down with Salesforce’s Principal Security Advisor Ivan Djordjevic to talk about the company’s MFA strategy, biometrics and digital identity.

Salesforce turned to MFA for good reasons: A vast majority of identity-related incidents in the cloud are based on misuse from the consumer side, meaning that people were not looking after their credentials, Djordjevic says.

“We know that username and password isn’t really a secure method, especially if you want to protect some valuable data,” he says. “Using MFA is a really, really strong protection for a large number of threats.”

Customers can choose to use their existing single sign-on (SSO) platform with any MFA provider that can integrate through standards such as FIDO2 and WebAuthn or SAML and OpenID Connect. Salesforce also offers an ecosystem of partners that build solutions on its AppExchange cloud marketplace for specific use cases.

Among more than 7,000 AppExchange apps are those from Onfido, Shufti Pro, Okta, Yoti, Signicat and other identity verification firms. Salesforce Ventures, the venture capital arm of Salesforce, has even invested in some of these firms, including Onfido and Auth0.

Cybercriminals, however, have come up with more sophisticated attacks on MFA, as witnessed during a January SIM swap attack on the U.S. Securities and Exchange Commission’s Twitter account. In October, top U.S. cybersecurity agencies urged digital identity and access management (IAM) developers and vendors to strengthen MFA against increasing attacks. In the wake of these events, companies such as Microsoft have been making more effort to speed up sluggish MFA adoption, in the tech giant’s case among its Entra customers.

Some experts have been urging a switch to more secure MFA methods, including biometrics. But this technology is not a silver bullet, Djordjevic cautions.

Laws such as the upcoming European Union AI Act plan to set up rigorous rules around biometric data. This is why having MFA systems that can protect biometrics is important, he adds.

“Going back to things like WebAuthn and FIDO standards which preserve biometrics on the device, from that perspective is good because you limit the exposure of biometrics,” says Djordjevic (Salesforce is a sponsor level member of the FIDO Alliance). “The problem with biometrics is that you cannot revoke them like you can change a password […] If you have something like cryptographic keys, a public private key you can revoke certificates.”

Another aspect of these challenges is deepfakes. Regardless of how biometrics are handled, whether they are kept on the device or on the server, the question is whether deepfakes can interfere with the process of authenticating and identifying a person.

The technology has exploded over the past several years and it now feels like facial recognition and voice recognition vendors are playing a game of catch-up, adds Djordjevic.

“Clearly, deepfakes are getting better and better in trying to trick the system,” he says. “It’s a difficult space.”

Biometric and multi-factor authentication remains an important component for security, but it is just a component. A more holistic approach is required because no one single control is sufficient, says Djordjevic: “That’s probably the main kind of mindset.”

Salesforce has also been offering its Salesforce Identity tool to enterprise customers. The company sees digital identity as a key component of digital services and it is fully integrated into its business processes such as sales, service and marketing user journeys, according to Djordjevic.
