In the last few years we’ve seen biometric authentication go from being the cool tech of the future, to a mainstream authentication method that we’re all starting to take for granted. This is largely due to global companies like Apple, Microsoft and Samsung championing the technology in their products, with fingerprint ID and facial recognition.
Recent research from Gartner predicted that by the end of 2020, enterprises that invest in new authentication methods, such as biometrics, would experience 50 per cent fewer identity-related security breaches than those who didn’t. Data breaches can have serious implications on a company, both in terms of reputation, and financially. The Equifax data breach in 2017 is estimated to have cost the company nearly $450 million, and with GDPR regulations in play, businesses could face sky-high fines if they don’t report data breaches to the relevant authorities within 72 hours. Given this, enterprise security is hot on the agenda for many businesses.
Yet, despite the rise of biometrics and the benefits the technology can bring to enterprise and consumer security, the password hasn’t been killed off just yet. Here are 5 reasons why:
1. You can’t encrypt data with biometrics
In order to secure data, it must be encrypted and passwords are an essential part of this process. While biometrics can act as a gate-keeper of sensitive data, the technology is limited in that it can only grant or deny access, not encrypt it. Take Apple’s Face ID, for example. Whilst the latest iPhone has the most sophisticated face mapping sensors and gives you the ability to unlock your device throughout the day with your face, the technology still requires a password at set-up to encode the data into the phone’s internal storage. Inputting your password is also a must every time the phone is rebooted, or on occasions when biometrics do not pass authentication.
Properly designed encryption systems assume an attacker has huge resources and full knowledge of everything except one single piece of information: the decryption key. This is all that must be kept secret, and biometrics alone won’t be sufficient in keeping the decryption key away from unwanted eyes.
2. Biometrics can’t be updated
Biometrics are often viewed as a convenient alternative to passwords because humans don’t have to remember different credentials for every single online account. People also often assume that because biometrics are intrinsically linked to an individual’s body part, the data is far harder to steal. After all, stolen or weak passwords account for 81 per cent of confirmed data breaches, but a criminal would have to go to extreme lengths to steal an iris or fingerprint, right? Wrong.
Biometric data can still be leaked or stolen by criminals, but unlike passwords, it can’t be reset. Take fingerprints for example. They’re left on everything we touch, and at the beginning of 2017 new research warned that hackers could copy fingerprints from high-resolution photographs.
Biometric data is also just as vulnerable to being leaked in a breach. In 2014, hackers working for the Chinese government broke into computer systems at the Office of Personnel Management and stole data that included the fingerprints of 5.6 million people. Although there’s room for improvement when it comes to password habits if they are leaked in a breach, a simple reset to something strong and unique, will ensure your online accounts are still protected.
3. Biometrics are tied to your device
We increasingly access data from multiple devices, for example, when switching from a desktop to a tablet and passwords remain constant no matter the device or your location. Right now, biometrics do not have this capability: they are tied to specific devices. For example, you can’t just unlock any website on a desktop computer with facial recognition. This is why the majority of mobile, desktop and web apps require a password at set up, as there needs to be a method of authentication that remains constant.
Whilst biometrics remain in relative early stages, this could prove inconvenient for someone who has to switch between authentication methods depending on the device they’re on.
4. The problem of bias in biometrics
A major concern surrounding biometrics that researchers have discussed is the issue of bias being inherent to the software’s development. For example, MIT researchers found facial recognition systems were biased towards white men.
On the other hand, passwords are unbiased when it comes to the owner or subject of the authentication. If such flaws with biometrics remain a concern, along with questions over accuracy, and slow adoption, passwords remain a universal and effective identity and access management solution.
5. Multiple security authentication factors are preferred
Cyber threats are evolving at a rate that exceeds security teams’ ability to keep up with them. In an evolving threat landscape, and in high security and business environments, the best security method is multifactor authentication. If a password is stolen in a breach, the hacker will still need a second piece of information, such as a fingerprint, before they gain access to the information. Biometrics can help to add this additional layer into the multifactor security mix, but passwords will still remain a central facet.
Even with advances to authentication methods, and the rise of biometrics, passwords are here to stay. Not only are they essential to encrypting data in a way that biometrics simply cannot achieve, but they are the only method that works in every context, on any device, and are unbiased when it comes to the data subject.
You have ultimate control over how secure a password is – including the symbols, letters, numbers chosen, and tools like password managers simplify the burden of having to create, and remember, multiple long, strong and unique passwords for multiple accounts. Implementing a password management solution within a business not only ensures the security of an entire organisation, but is hugely convenient for employees – passwords are stored and encrypted, and accounts can then be accessed from one portal with just one click.
Sandor Palfy, CTO of IAM at LogMeIn
Image Credit: Anton Watman / Shutterstock