The biometrics ecosystem is evolving at a rapid pace and providing incredible benefits to enterprises that adopt the technology, especially when these now-commonplace features are applied for cybersecurity.
Although people are already familiar with using a thumbprint or facial recognition to unlock their mobile device or complete an online purchase with it, the real power of biometrics extends far beyond these simple features and experiences.
As massive data breaches spilling millions of user passwords and shared secrets become a familiar part of our everyday lives, so does the reality of malicious hackers leveraging these credentials to cause widespread damage. Due to the sheer number of compromised user credentials available from these spills identity theft is at an all-time high, potential GDPR fines loom over many organizations, and there is an atmosphere of distrust.
This is where biometrics can provide an answer because these features we rely on for convenience can also have a groundbreaking impact on security and privacy. Providing that we follow a hard and fast rule — that biometrics are combined with public-key cryptography.
In order to properly leverage biometrics, however, IT and security teams should first understand the key elements that make it such a powerful tool to combat today’s ever-evolving threat landscape and, how to begin implementing it without requiring a complete overhaul of security infrastructure.
The Biometrics Ecosystem
One of the most powerful aspects of the biometrics ecosystem as it relates to cybersecurity is that it replaces the shared "something you know" factor of user authentication with the difficult to reproduce "something you are” factor. Whereas passwords and shared secrets can be stolen and duplicated, every person’s biometrics are completely unique.
In turn the devices that match biometrics to their enrolled templates have grown in sophistication and are already in our hands. The vast majority of sensors on modern mobile devices have a 1/50,000 minimum false acceptance rate (FAR) which makes it extremely difficult to mimic a biometric template.
Using these sensors paired with standards-based authentication such as Fast IDentity Online (FIDO) protocols that eliminates shared secrets creates significant friction for the bad actors who weaponize credentials for fraud through account takeover. It also disrupts a hacker’s attack vector (and thus their economic model) as they can no longer focus on huge server stockpiles of user credentials and must instead go to individual devices to attempt to obtain a single user’s credentials.
This shift makes it virtually impossible to have the mass credential breaches like the ones we are experiencing on an almost daily basis today.
Select a Use Case and a Secure Model
When launching a biometrics strategy, IT and security teams should look for areas where biometrics can have the greatest effect while creating the least amount of friction, and begin deploying the capabilities there. Oftentimes this is with internal facing applications that don’t directly impact customers. Or, they can take the route of securing consumer-facing apps since biometrics are so popular with their users and consumer devices with advanced capabilities are readily available.
Even the most forward-thinking organizations can balk at biometrics when they think it requires an unmanageable set of changes, such as the addition of special hardware, gutting of associated solutions or the taking on of unacceptable kinds of risk such as custodianship of biometrics.
However, the best way to implement biometrics into the security framework is through a deliberate and gradual process using a solution that is built upon mobile-centric FIDO standards. FIDO-based solutions are built to play nicely with security products already in place, and the strength of the standard ensures that users — not the enterprise — are the stewards of biometrics.
Make User Experience A Top Priority
Finally, despite all of the security benefits the biometrics ecosystem provides, if the user experience is clunky it will be difficult for users to adopt. The good news is that providing an easy-to-use, uniform experience for biometrics is rather simple due to the sophistication of today’s mobile devices. Every employee already has a company or personal smartphone and experience using biometrics to unlock the phone make a payment.
The biometrics ecosystem provides incredible opportunity to create a more secure online world while building upon the experience smartphones have proven to deliver their users. Enterprises that want to roll out biometrics-based services today are poised to fully capitalize on it.
Thanks to the sophistication and ubiquity of the devices, and to the availability of solutions built upon open standards-based decentralized architectures, migrating to a true password-less state is within reach. Once it’s deployed — even on a limited basis — my guess is that the enterprise will begin to see other areas for implementation across the enterprise.