Biometrics are seen as a positive step forward in authentication, but employees maintain privacy concerns.
According to a survey of 4013 workers across the UK, France and the Netherlands, the Okta Passwordless Future Report found that 78% of respondents use an insecure method to help them remember their password, including: using the same passwords for multiple accounts (34%), writing passwords down (26%), typing passwords on a phone or computer (17%) and using well-known passwords (6%).
Dr Maria Bada, research associate at Cambridge University, said: “Passwords are often quite revealing. They are created on the spot, so users might choose something that is readily to mind or something with emotional significance.
“Passwords tap into things that are just below the surface of consciousness. Criminals take advantage of this and with a little research they can easily guess a password.”
The research also found that 70% of respondents believe biometrics would benefit the workplace, but 86% have some reservations about sharing biometrics with employers.
Todd McKinnon, CEO and co-founder of Okta, said: “Passwords have failed us as an authentication factor, and enterprises need to move beyond our reliance on this ineffective method.”
Speaking to Infosecurity, McKinnon said that Okta sees the role of biometrics as the “last mile,” that the value it provides is for the policy layer, and that you need to determine what your policy is.
“There is still a bunch of work that has to happen to map that, and to have access to a certain server or application, so I envisage that there will be different levels that are high or low risk,” he added.
McKinnon pointed to the need for a central policy to link all of the biometric access data together for the appropriate scenario. He said that Okta provides the technology to enable access, but it is up to the customer to determine how they enable access, whether it is via a personal phone or a corporate device, “based on the resources you are trying to access.”
On the issue of trusting employees, McKinnon said that there are too many bad user experience cases where a person cannot get a text on a personal phone, or too much data is collected due to privacy issues “because the policy is not flexible and the company does not have the right resource to check, so they over-collect information.”
Dr Bada said: “Biometric technology can be promising in creating a passwordless future, but it's essential to create an environment of trust, while ensuring privacy and personal data protection.”