The recent news from HSBC about its planned use of voice recognition and touch security is the latest in a line of announcements from banks looking to take a step closer to biometrics. Traditional authentication methods have been failing for some time and banks are now looking for a more effective process. Technology can now look at specific biometric details like the shape of a larynx and vocal tract, and this is much more difficult to steal than a password – hence the shift to so-called ‘biometric banking’.
Passwords aren't working
Quite simply, passwords aren’t working for the banking industry. They are too difficult for customers to remember and too easy for hackers to steal. With innovative technology now available and able to analyse specific biometric details, banks are making it as difficult as possible for a criminal to impersonate a customer.
This biometrics announcement from HSBC once again brings the issue of authentication to the fore, but it’s not just the banking industry trying to find a more effective way to securely prove user identity. Apple’s introduction of TouchID in 2013, which put biometrics into the hands of millions of individuals across the world, is one key driver of this. In turn, it has driven a new wave of consumer expectations when it comes to proving your identity – if I can use biometrics to unlock my phone, why can’t I use it for other services?
The enterprise is no exception to these changing expectations. Mobiles and bring-your-own-device (BYOD) strategies are enabling employees to become more productive and have more flexibility than ever before. Yet the growing prevalence of mobile in the workplace also presents some significant security challenges when it comes to authentication and identity and access management (IAM).
Just as consumers are looking for ease of use in mobile banking, employees too are demanding more services and quicker accessibility on mobile devices. In order to meet the demand for instant access while reducing the risk of data breaches, it’s vital that proper access controls are applied. Organisations can extend existing IAM controls to mobile devices, thereby ensuring that existing policies and rules on information access are also applied to mobile.
BYOD: The perfect application for biometrics
The growing variety of devices entering the workplace means that policies based on specific devices are impractical, so it’s important that organisations base controls for mobile on the user’s identity and not the device itself. Control should be placed on what information the user is authorised to access. This helps IT to minimise the risk of a breach while simultaneously enabling employees to take advantage of BYOD policies and work more effectively.
An effective mobile authentication strategy
There are three key points to consider when it comes to an effective mobile authentication strategy:
- Ensuring policies are not reinvented but are extended to mobile devices. This makes access controls easy for security to manage as they can quickly revoke access in the event of a device being compromised
- Improving usability of mobile platforms. Some legacy apps use a web interface and are not built for mobile, but aren’t likely to be updated for some time. Using single sign-on (SSO) for both native and web can help here
- Using adaptive authentication methods to balance security with convenience. It’s important to remember that access levels should be different for each user – while some individuals need access to sensitive data, others only need non-critical information. Levels of authentication should be different depending on the level of access required
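One way to express the identity-based, adaptive policy sketched in these three points in code, as an added example that is not from the article or from Micro Focus; the assurance levels, application names, entitlements and device identifiers are constructed for illustration:

```python
from dataclasses import dataclass, field

# Assurance levels, lowest to highest (names are assumptions for this example).
PASSWORD_SSO = 1       # one password into the central SSO app
STEP_UP_OTP = 2        # SSO plus a one-time code
STEP_UP_BIOMETRIC = 3  # SSO plus fingerprint, voice or similar

# Sensitivity of each application mapped to the minimum assurance level required.
# Constructed sample data; the policy is keyed on what the user may access, not on the device model.
RESOURCE_LEVEL = {
    "intranet-news": PASSWORD_SSO,
    "expenses": STEP_UP_OTP,
    "customer-records": STEP_UP_BIOMETRIC,
}

# Centrally managed list of devices reported lost, stolen or compromised (constructed).
REVOKED_DEVICES = {"dev-lost-0042"}


@dataclass
class Session:
    user: str
    device_id: str
    assurance: int                       # level the user has proven so far in this session
    entitlements: set = field(default_factory=set)  # apps this identity is authorised to use


def decide(session: Session, resource: str) -> str:
    """Return 'allow', 'deny' or 'step-up:<level>' for one access attempt."""
    if session.device_id in REVOKED_DEVICES:
        return "deny"                    # revoked once, centrally; applies across every app
    if resource not in session.entitlements:
        return "deny"                    # identity-based control: this user is not authorised
    required = RESOURCE_LEVEL.get(resource, STEP_UP_BIOMETRIC)  # unknown apps default to strictest
    if session.assurance >= required:
        return "allow"                   # existing SSO session is enough for non-critical data
    return f"step-up:{required}"         # ask for more proof only where the data warrants it
```

Because the decision is made in one place, revoking a lost device or lowering an application's sensitivity changes behaviour for every app at once rather than per device.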
The role of single sign-on
When it comes to the enterprise, SSO is essential. A frustrated user, having to sign into various applications on various devices, is likely to work around security controls for quicker and easier access. The use of SSO improves the user experience and removes the temptation to find a way around security. It also reduces the likelihood of re-used, weak passwords which in turn improves security.
When it comes to implementation of SSO, security teams can centralise the management of access rights by establishing a service around which mobile devices can be connected. Users gain access to a single app on their device by entering just one password, giving them immediate access to all available business applications. Security teams can also use a centrally managed access point to restrict access to a device in the event that it is lost or stolen.
However, with varying levels of access needed by employees across the business, there are times when security teams need to ramp up security with additional authentication methods. This is where biometrics come in.
Biometrics in business
When it comes to the enterprise, biometrics is an interesting topic. Some security teams see biometrics as the pinnacle of security, while others see it as a problem because it can be difficult to manage, and question its usefulness within a mobile IAM strategy.
However, biometrics – such as a fingerprint or heartbeat – are the perfect example of how organisations are looking to simplify access for users while ensuring the highest possible levels of security. This growing trend is being driven by better hardware and software alongside advances in biometric technology, such as HSBC’s analysis of the voice through over 100 unique identifiers such as speed, cadence, and pronunciation.
Every company is different, so there is no ‘one size fits all’ when it comes to an enterprise mobile authentication strategy. Biometrics will work for some – such as in the banking industry – but won’t be right for others. This is dependent on numerous factors, including number of users and the sensitivity of data that needs to be accessed. What’s important is that security teams integrate and manage devices centrally if they are to make the best decision for the organisation and effectively enforce policies.
David Mount, director, security solutions consulting EMEA, Micro Focus