Tech News and Analysis

6 min read

Exploring Biometrics and Trust at the Corporate Level

Biometric measurements should be part of any multifactor authentication (MFA) strategy, but choose your methods carefully: Some only establish trust at the device level.

As the world continues to move essential functions to digital environments, companies need trustworthy methods for verifying who is behind the screen. Multifactor authentication (MFA) has become the standard for preventing cyberattacks, with the US National Cyber Security chief saying it could prevent 80% to 90% of attacks. MFA works by requiring multiple layers of authentication, such as one-time passwords (OTPs), physical hardware tokens, or soft tokens.

While these do a better job of securing access and data than traditional passwords, what are they really verifying? In the case of SMS-delivered OTPs, the system is verifying your access to a phone; with hardware tokens, it's access to a physical card or device. But none of these require the actual person to confirm they are who they say they are. These methods rely on the assumption that the only person accessing these devices is their owner. Clearly, it's a device, rather than a person, that is being verified. So what can organizations do to improve on traditional MFA methods and build trust with the people behind each digital interaction?

Some methods for MFA verification, including hardware tokens and SMS-based OTPs, have been widely adopted, but they present clear challenges for organizations. Phone-based options require access to a smartphone — not something everyone has and not something companies want out in all environments. Token-based systems are not much better; tokens can be lost, forgotten, or easily handed to another user. The clear solution is to have a biometric measurement that is entirely unique to the user as part of any MFA strategy. But not all biometric methods are created equal, and some still only establish trust at the device level.

Limitations of Device-Based Biometrics
Device-based biometrics, such as a fingerprint captured using the built-in sensor on a phone, PC, or dongle, are stored within the device that they are captured on. These systems offer a high level of convenience for the user, as well as strong security for personal use cases. However, device-based biometrics fall into the same trap as other MFA methods — it is still the device, and oftentimes an encrypted key, being verified, rather than the individual person.

Another security concern is that a device-based biometric authentication method unwittingly places the high-trust function of enrollment, or determining access privileges, into the user's control. This opens the possibility for unauthorized delegation where access is granted to someone other than the original person it was assigned to. For example, if a user goes into their iPhone and has TouchID enabled, they can enroll any fingerprints they'd like, including one that isn't theirs. This fundamentally removes an organization's ability to trust who is using the device.

Once again we see that this method confirms a device, not a user. Device-based biometrics are convenient but still don't provide the level of security necessary for completing critical tasks with trust on both sides.

Benefits of Identity Vetting Using Biometrics
Identity verification and binding with biometrics takes a different approach. It endeavors to verify the precise, unique individual human rather than the holder of a device. The first step here is creating a biometric measurement to use like a signature for a person — a piece of data that is uniquely tied to them and can confirm their presence at the authentication step. By first establishing a biometric signature and then storing that centrally rather than on a device, organizations can have something to compare biometric data to.

For example, our company's technique, identity-bound biometrics (IBB), has organizations enroll and store biometric data centrally so that it remains immutable. This returns to the organization the power of determining access privileges instead of leaving device access open to the user. IBB offers high integrity and trust that someone is who they say they are and has the capacity to positively identify the individual — not just their device, token, phone, or anything else. In the digital world we live in, this is how to establish trust.

By utilizing a centrally stored biometric method, organizations are able to support people who need to have access across multiple devices and locations without any additional enrollment or process. They can simply walk up to a workstation, scan their biometric, and quickly login. Storing the encrypted biometric data centrally allows access to be granted for multiple places and devices across the organization.

Lastly, with better sensors and larger sets of data points captured about the user's biometric, IBB is more accurate than most device-based biometric methods.

How IBB Works as a Centralized Biometric Method
IBB utilizes hardware, such as a camera on a mobile device or a fingerprint scanner, to scan the user's biometric input, confirming thousands (rather than hundreds) of data points. Once the biometric is scanned, it is sent through an end-to-end encrypted process and algorithmically altered to create a biometric template. This means that there are no actual fingerprints or measurements stored on the company's server — rather, a unique template that acts like a lock with an individual's biometric data as the key.

Besides the end-to-end encryption, IBB eliminates bad actors who threaten other places in the process as well. Using isolated, non-recreatable single sessions for each interaction eliminates the threat of a man-in-the-middle style interception and replay of the data. This allows for biometric data to be safely stored and managed centrally, rather than tied to individual devices.

Consider, for example, a bank teller who works in multiple branches. They deal with highly sensitive financial data on a regular basis but still need to be able to work from multiple locations and at different workstations throughout their day. Rather than enrolling them on a series of individual devices, the bank can employ IBB to allow the teller to work across devices companywide, while verifying who specifically is gaining access and completing transactions. The bank knows who is enrolled in the system, it knows that enrollment hasn't changed, and it has the flexibility to allow access only where required. This setup makes it extremely convenient for the teller to log into the system but also provides a higher level of integrity and trust for the employer.

In a digital world where access is happening from everywhere, and people are all "behind the screens," being able to trust that a specific individual has completed a login or transaction is critical. The standard MFA methods many organizations employ can only establish trust through something the user knows (a password) or has (a smartphone). Identity verification and binding using biometrics should be part of every MFA strategy so that the organization can maintain security and control while users enjoy a convenient biometric authentication experience. With higher integrity and convenience, organizations can streamline operations and build trust for themselves, their employees, and their customers.