While the idea of using biometrics for authentication is becoming more mainstream – helped along by the fact that many consumer devices, such as smartphones and laptops, now support biometrics – organizations still have to consider how to effectively implement biometrics within their environments.
"It's hard to envision a future that doesn't have biometrics," says Gartner VP and analyst Ant Allan. "The question is, 'What is the most effective way to use biometrics?'"
According to SailPoint CISO Rex Booth, by commoditizing biometrics for cyber, "we're merging what was a high-stakes means of identification – fingerprints and crime scenes – with relatively low-stakes scenarios, such as unlocking your phone, all for the sake of convenience. I'm not sure that's a worthwhile trade-off."
For many enterprises, how biometric information is stored, and what would happen if that data were stolen, is typically the responsibility of the third-party vendor offering the biometrics technology. Still, if that vendor gets breached and the enterprise's authentication data finds its way to the Dark Web, some blame will eventually land on the CISO's desk. Regardless of the stolen data's value to the thieves, no one should assume that criminals – given enough time and access to powerful equipment – won't eventually be able to unlock authentication data.
An enterprise using biometrics as a routine authentication approach could ultimately hurt the enterprise's security, along with the security of all employees, contractors, and partners who need access to enterprise systems, Booth adds.
"As somebody whose fingerprints are on file in a CCP database somewhere thanks to the OPM hack in 2015, I've accepted that I've lost control of my biometrics," he says. "But that doesn't mean I want to use them everywhere and risk losing further control for low-reward use cases. They should be reserved for meaningful scenarios."
Build MFA by Combining Strategies
One common enterprise authentication strategy for biometrics is to embrace the original intent behind multifactor authentication (MFA). A popular criticism of enterprise MFA implementations is that they tend to use the weakest possible authentication approaches, such as unencrypted numbers sent via SMS, an approach that is highly susceptible to man-in-the-middle attacks.
The better approach is to use a couple of high-security approaches, such as continuous authentication (CA) and behavioral analytics (BA). CA concentrates on which systems are being accessed and what actions are being initiated. BA verifies user identity by comparing many dozens of different factors, such as errors per 100 keystrokes, typing speed, angle a phone is held, characteristics of the phone, and time of day.
By definition, CA does not stop once an authentication is confirmed but continually watches to see if the user misbehaves an hour later. After all, an insider attack will just about always pass the authentication hurdle because the attacker truly does have credentials – the user simply abuses the privilege by trying to steal money or data or to sabotage the system.
A very good tactic to make BA more secure is frequently changing which attributes are considered and what users will be asked to do to confirm their identities.
"Users can't really predict what they will be prompted to do and when they will be prompted to do it," and that makes it much more difficult for a fraudster to be prepared, Allan says.
MFA creates a more secure, layered approach so that the entire authentication doesn't rest on a single point of failure. MFA might look like CA plus BA plus something physical, such as a FIDO token.
An authenticator app also can further strengthen security. If the enterprise authentication program includes four or five highly secure approaches, then biometrics can indeed serve as a convenient first step. That would mean the biometrics could have a lenient setting, reducing user frustration without undermining the overall authentication effort.
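To make the CA and BA ideas above concrete, here is an added example (not code from the article or from any vendor quoted in it) that builds a per-user baseline from the behavioral attributes the article names, rotates which attributes are checked on each event so the check is unpredictable, and re-scores every session event rather than only at login. The baseline samples, the observations and the step-up threshold are all constructed for illustration.

```python
import random
import statistics

# Constructed per-user baseline samples for attributes the article names
# (made-up values; a real system would learn these from observed sessions).
BASELINE = {
    "errors_per_100_keystrokes": [2.0, 3.0, 2.5, 1.5, 2.0, 3.5],
    "typing_speed_wpm": [68.0, 72.0, 70.0, 65.0, 74.0, 71.0],
    "phone_tilt_deg": [35.0, 40.0, 38.0, 42.0, 36.0, 39.0],
    "login_hour": [9.0, 10.0, 8.0, 9.0, 11.0, 9.0],
}

# Constructed observations: one that matches the baseline, one that does not.
NORMAL_OBS = {"errors_per_100_keystrokes": 2.5, "typing_speed_wpm": 70.0,
              "phone_tilt_deg": 38.0, "login_hour": 9.0}
ANOMALOUS_OBS = {"errors_per_100_keystrokes": 15.0, "typing_speed_wpm": 30.0,
                 "phone_tilt_deg": 85.0, "login_hour": 3.0}


def zscore(attr, value):
    """Distance of an observed value from the user's baseline, in std devs."""
    samples = BASELINE[attr]
    mean = statistics.mean(samples)
    stdev = statistics.pstdev(samples) or 1.0  # guard against a flat baseline
    return abs(value - mean) / stdev


def pick_attributes(rng, k=3):
    """Rotate which attributes are checked, so the user cannot predict them."""
    return rng.sample(sorted(BASELINE), k)


def score_observation(obs, attrs):
    """Mean z-score over the chosen attributes; higher means more anomalous."""
    return sum(zscore(a, obs[a]) for a in attrs) / len(attrs)


def continuous_auth(events, rng, threshold=2.5):
    """Re-evaluate on every event, not just at login; step up on drift."""
    decisions = []
    for obs in events:
        attrs = pick_attributes(rng)
        decisions.append("step_up" if score_observation(obs, attrs) > threshold
                         else "allow")
    return decisions


if __name__ == "__main__":
    print(continuous_auth([NORMAL_OBS, ANOMALOUS_OBS], random.Random(1)))
```

The step-up decision here is where the other layers (a FIDO token or an authenticator app) would be invoked; the behavioral score alone only decides that the session should be challenged.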
Add Piggybacking to MFA
One way to lower authentication costs is by trusting and leveraging the biometrics within smartphones that people already carry with them – an effort known as piggybacking. The plus side is that this comes with a lower cost; the downside is that IT and security have little to no say in how the biometrics are administered or protected. But if a sufficiently robust MFA is in place, even lenient settings may not be a problem.
"I think [piggybacking] is a great first step," says Damon McDougald, the global identity lead at Accenture. "Is [security doing biometrics themselves] necessary, or is it just creating friction?"
Gartner's Allan also approves of the piggyback biometrics approach.
"It's something the users are already familiar with, and you're avoiding paying for a third-party product and everything you need to wrap around it," he says. "But the choice of technology is being made by somebody else. How is it being configured? The enrollment is not something you have control of."
McDougald stresses that excessive friction with any form of authentication could deliver an unintended problem.
"Humans are very creative when we have a problem. We'll just bypass the authentication — and the bad guys can exploit that," he says.