How Can Organisations Safely Implement Biometrics As Part Of Their Digital Security Framework?

By Andrew Peel, an identity and access management expert at PA Consulting, the global innovation and transformation consultancy

Biometric technology can only be an effective part of an organisation’s digital security approach if it is implemented within a wider, coherent framework. Such a framework consists of three key elements: consistent identity management (knowing who has access and what they are entitled to do), a risk-based approach to authenticating the identity of the person attempting to access a system, and effective authorisation that grants that person only the access to which they are entitled.

The rapid adoption of biometric technology in our daily lives through platforms such as mobile phones has created a widespread familiarity, acceptance and comfort with using fingerprints or faces for everything from accessing an app to approving a financial transaction.

The existence of robust and trusted biometric authentication mechanisms – based on open standards and carried around in our pockets – gives organisations the opportunity to move away from insecure passwords and clumsy hardware fobs when authenticating users of their services.


Although biometric authentication can reduce risk, improve the user experience and give an organisation greater assurance about the identity of the person attempting to access its resources, that is the limit of what it does.

Biometric verification on its own does not determine whether the account being used is still valid, nor does it control what the user can and cannot do once authenticated, or monitor and audit that access. It is worth remembering how the phone-based mechanisms above actually work: the fingerprint or face never leaves the device; it unlocks a credential held on the device, and what the organisation’s service receives is an assertion that the user verified themselves there. Every decision about the account behind that assertion is still the organisation’s to make. Without those controls, the organisation remains exposed to the risk of a security breach and data loss.

Whilst biometrics should be a key tool in any organisation’s digital security approach, they can only be truly effective when implemented within a wider, coherent identity and access management framework composed of, and enforced by, policies, technology, procedures and processes.

Such a framework consists of three elements that together enforce an organisation’s information and security policies: identity management, authentication and authorisation.

Establish a consistent approach to managing identities – knowing who has access and what they are entitled to do

Although the power of biometric authentication is its ability to verify that the person using an account is indeed who they say they are, its effectiveness is determined by the accuracy of the underlying identity information of the associated account.

The accuracy of that identity information determines both the authentication decision (for example, whether the account is still valid) and what happens once that decision has been made: who the user is, what access and services they are entitled to, when and how those should be provided, and that they are removed in a timely manner when no longer required.

The framework needs an approach for maintaining accurate identity information through a combination of effective processes and procedures enforced by enabling technology. This includes standardised Joiners, Movers and Leavers (“JML”) processes, and recertification and approval processes, automatically fed by accurate and trusted sources of data (such as HR systems). This ensures that approved stakeholders are given timely and appropriate access to systems and resources, that their access is updated or removed when they change roles, no longer require it or leave, and that the organisation has a single, accurate and traceable view of who has access to which resources.
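The JML reconciliation the paragraph above describes can be reduced to a comparison between the trusted HR record and the directory. The following is an added example written for this page, not the author’s or any vendor’s code; the HR feed, the directory snapshot, the department baseline entitlements and the action names are all constructed for illustration. It derives the joiner, mover, leaver, orphan-account and recertification actions a JML process should carry out, and builds the “single traceable view” of who holds which entitlement.

```python
"""JML reconciliation: derive provisioning actions from a trusted HR feed.

Hypothetical data and entitlement model; not the author's or any vendor's code.
"""

# Constructed HR feed (the trusted source of identity data).
HR_FEED = [
    {"emp_id": "E100", "name": "Ada Lovelace", "dept": "Finance",     "status": "active"},
    {"emp_id": "E101", "name": "Alan Turing",  "dept": "Engineering", "status": "active"},
    {"emp_id": "E102", "name": "Grace Hopper", "dept": "Engineering", "status": "terminated"},
    {"emp_id": "E103", "name": "Mary Jackson", "dept": "Engineering", "status": "active"},
]

# Constructed snapshot of the directory / identity provider.  Ada's record still
# shows her old department, Alan holds a group outside his baseline, Grace has
# left, Mary has no account yet and "svc-legacy" has no HR owner at all.
DIRECTORY = [
    {"account": "alovelace",  "emp_id": "E100", "dept": "Engineering", "enabled": True, "groups": {"eng-dev", "vpn"}},
    {"account": "aturing",    "emp_id": "E101", "dept": "Engineering", "enabled": True, "groups": {"eng-dev", "vpn", "prod-admin"}},
    {"account": "ghopper",    "emp_id": "E102", "dept": "Engineering", "enabled": True, "groups": {"eng-dev", "vpn", "prod-admin"}},
    {"account": "svc-legacy", "emp_id": None,   "dept": None,          "enabled": True, "groups": {"prod-admin"}},
]

# Baseline ("birthright") entitlements by department.  Anything beyond the
# baseline must have been explicitly approved, so it is periodically recertified.
BASELINE_GROUPS = {
    "Finance": {"fin-ledger", "vpn"},
    "Engineering": {"eng-dev", "vpn"},
}


def reconcile(hr_feed, directory):
    """Compare HR (authoritative) against the directory and return the actions
    a JML process should carry out.  Tuples keep the result easy to audit; a
    real connector would execute them against the identity provider."""
    accounts_by_emp = {a["emp_id"]: a for a in directory if a["emp_id"]}
    actions = []

    for person in hr_feed:
        acct = accounts_by_emp.get(person["emp_id"])
        new_baseline = BASELINE_GROUPS.get(person["dept"], set())

        if person["status"] != "active":
            # Leaver: the HR termination is authoritative; disable without
            # waiting for a manager to notice.
            if acct is not None and acct["enabled"]:
                actions.append(("LEAVER_DISABLE", acct["account"]))
            continue

        if acct is None:
            # Joiner: create the account with baseline entitlements only.
            actions.append(("JOINER_CREATE", person["emp_id"], sorted(new_baseline)))
            continue

        old_baseline = BASELINE_GROUPS.get(acct["dept"], set())
        if acct["dept"] != person["dept"]:
            # Mover: grant the new department's baseline and revoke the old
            # one, so access does not accumulate as people change roles.
            actions.append(("MOVER_ADJUST", acct["account"],
                            sorted(new_baseline - acct["groups"]),
                            sorted(old_baseline - new_baseline)))

        extra = acct["groups"] - new_baseline - old_baseline
        if extra:
            # Non-baseline entitlements need an owner to re-approve them.
            actions.append(("RECERTIFY", acct["account"], sorted(extra)))

    hr_ids = {p["emp_id"] for p in hr_feed}
    for acct in directory:
        if acct["emp_id"] not in hr_ids and acct["enabled"]:
            # Orphan: no trusted source vouches for this account.  Disable
            # and investigate rather than leave it (and its groups) standing.
            actions.append(("ORPHAN_DISABLE", acct["account"]))

    return actions


def access_view(directory):
    """The 'single traceable view': which accounts hold which entitlement."""
    view = {}
    for acct in directory:
        for group in acct["groups"]:
            view.setdefault(group, []).append(acct["account"])
    return {group: sorted(members) for group, members in view.items()}


if __name__ == "__main__":
    for action in reconcile(HR_FEED, DIRECTORY):
        print(action)
    print(access_view(DIRECTORY))
```

Two design points matter more than the data model. Leavers and orphans are disabled, not deleted, so the audit trail and any investigation survive; and non-baseline entitlements are never silently kept across a move, they are queued for recertification by someone who can say whether they are still needed.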

Establish a risk-based approach to authenticate the identity of the person attempting to access a system

The use of biometrics to verify the identity of somebody attempting to access an organisation’s resources will be determined by the authentication approach defined within the framework.

Even here, biometrics should be only one of a toolkit of adaptive authentication mechanisms used to verify an identity, selected according to the perceived risk of the connection based on factors such as location, time, device, and the sensitivity of the resources the user is attempting to access.

An adaptive authentication approach will utilise this perceived risk to determine which authentication mechanisms should be employed, with a higher risk potentially requiring a multi-factor approach composed of multiple mechanisms, including biometrics.
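The adaptive approach in the two paragraphs above is, in practice, a scoring policy: signals about the connection are weighted, and the total selects the mechanisms the user must complete. The following is an added example written for this page, not the author’s or any product’s code; the signals, weights, thresholds and factor names are hypothetical. It shows biometrics as one mechanism among several, with a device-bound biometric for moderate risk, an additional hardware key for high risk, and an outright refusal when too many warning signs coincide.

```python
"""Risk-based (adaptive) authentication policy.

Hypothetical signals, weights and thresholds; not the author's or any product's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessContext:
    user: str
    country: str                 # geolocated from the source address
    usual_countries: frozenset   # where this user normally signs in from
    local_hour: int              # 0-23
    device_registered: bool      # enrolled with the organisation (device binding / MDM)
    sensitivity: str             # "low", "medium" or "high" for the requested resource


@dataclass(frozen=True)
class Decision:
    allowed: bool
    factors: tuple     # authentication mechanisms the user must complete
    score: int
    reasons: tuple


# Constructed weights: an unknown device and an unfamiliar location dominate
# because they are what someone holding a stolen credential is most likely
# to present.
SENSITIVITY_WEIGHT = {"low": 0, "medium": 1, "high": 3}


def risk_score(ctx):
    """Sum the weighted risk signals and keep the reasons for the audit log."""
    score, reasons = 0, []
    if ctx.country not in ctx.usual_countries:
        score += 3
        reasons.append("unfamiliar location")
    if not ctx.device_registered:
        score += 4
        reasons.append("unregistered device")
    if not 7 <= ctx.local_hour <= 20:
        score += 1
        reasons.append("outside usual hours")
    weight = SENSITIVITY_WEIGHT[ctx.sensitivity]
    if weight:
        score += weight
        reasons.append(f"{ctx.sensitivity}-sensitivity resource")
    return score, tuple(reasons)


def decide(ctx):
    """Map the risk score to the factors required, or refuse outright."""
    score, reasons = risk_score(ctx)
    if score >= 8:
        # Too many independent warning signs: refuse and alert rather than
        # let a step-up challenge be the only thing in the way.
        return Decision(False, (), score, reasons)
    if score >= 4:
        # A platform biometric only proves presence at *some* device.  Add a
        # factor independent of the device in hand (a roaming hardware key).
        return Decision(True, ("biometric", "hardware_key"), score, reasons)
    if score >= 2:
        # Scores below 4 are only reachable from a registered device, so the
        # biometric assertion can be bound to that device.
        return Decision(True, ("biometric", "registered_device"), score, reasons)
    return Decision(True, ("biometric",), score, reasons)


if __name__ == "__main__":
    ctx = AccessContext("alovelace", "FR", frozenset({"GB"}), 10, False, "high")
    print(decide(ctx))
```

The reasons are returned alongside the decision deliberately: an adaptive policy that cannot explain why it stepped a user up, or refused them, is very hard to tune and harder still to defend in an incident review.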

Ensure effective authorisation to provide appropriate access to the resources to which the user is entitled

Finally, biometric authentication provides greater confidence in the identity of the person attempting to access resources. The authorisation element of the framework then ensures that these verified users are given only the appropriate access to the resources and services they are attempting to use.

Although the authorisation decision itself may be taken by the local resource, it relies on the accuracy of the identity information provided, such as who the individual is and what they are allowed to do, where and when, with access potentially determined by the user’s role, their individual attributes, or the context of their access, for example their location or device.
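The paragraph above describes a resource combining role, attributes and context into a single decision. The following is an added example written for this page, not the author’s code; the identity records, resources, actions and policy rules are constructed for illustration. The point it makes beyond the prose is ordering and default: the account’s validity is checked before anything else (a verified biometric on a disabled account must still fail), and every path that is not an explicit permit is a deny, so an unknown resource or action can never grant access.

```python
"""Authorisation: role, attribute and context checks, deny by default.

Hypothetical identity records, resources and rules; not the author's code.
"""

# Constructed identity records as the identity provider would present them to a
# resource after authentication has succeeded.  "enabled" is the point of the
# article: authentication proving *who* the person is says nothing about
# whether the account should still work.
IDENTITIES = {
    "alovelace": {"enabled": True,  "roles": {"finance-analyst"},
                  "attrs": {"clearance": "confidential", "region": "EU"}},
    "aturing":   {"enabled": True,  "roles": {"sre"},
                  "attrs": {"clearance": "secret", "region": "EU"}},
    "ghopper":   {"enabled": False, "roles": {"sre"},
                  "attrs": {"clearance": "secret", "region": "EU"}},
}

# Each resource states, per action, which roles may perform it, which
# attributes the identity must carry, and what the connection context must be.
POLICIES = {
    "payroll-ledger": {
        "read":  {"roles": {"finance-analyst", "finance-manager"},
                  "attrs": {"region": "EU"}, "managed_device": True},
        "write": {"roles": {"finance-manager"},
                  "attrs": {"region": "EU"}, "managed_device": True},
    },
    "prod-console": {
        "admin": {"roles": {"sre"}, "attrs": {"clearance": "secret"},
                  "managed_device": True, "network": "corp"},
    },
    "wiki": {
        # Any enabled account, from any device.
        "read": {"roles": set(), "attrs": {}, "managed_device": False},
    },
}


def authorize(user, resource, action, context, identities=IDENTITIES, policies=POLICIES):
    """Return (allowed, reason).  Only the final line permits; every other
    branch denies, so missing data can never widen access."""
    ident = identities.get(user)
    if ident is None or not ident["enabled"]:
        return False, "account unknown or disabled"

    rule = policies.get(resource, {}).get(action)
    if rule is None:
        return False, "no policy for resource/action"

    # Role-based check: an empty role set means "any authenticated user".
    if rule["roles"] and not ident["roles"] & rule["roles"]:
        return False, "role not permitted"

    # Attribute-based check: every required attribute must match exactly.
    for key, value in rule["attrs"].items():
        if ident["attrs"].get(key) != value:
            return False, f"attribute {key} does not match"

    # Context checks come from the connection, not the identity record.
    if rule.get("managed_device") and not context.get("managed_device"):
        return False, "unmanaged device"
    if "network" in rule and context.get("network") != rule["network"]:
        return False, "network not permitted"

    return True, "permit"


if __name__ == "__main__":
    print(authorize("alovelace", "payroll-ledger", "read", {"managed_device": True}))
    print(authorize("ghopper", "prod-console", "admin", {"managed_device": True, "network": "corp"}))
```

The identity record in this example is what the directory feeds to the resource; if the JML process that maintains it is late disabling a leaver or revoking a mover’s old groups, this function will faithfully permit access it should not, which is why the article treats identity management as the foundation rather than an add-on.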

Ultimately, maintaining an effective authorisation mechanism combines technology with robust controls. With a coherent identity and access management framework in place, organisations can harness the benefits of biometric authentication to reduce risk and improve the user experience.
