What is biometric authentication? It’s time to bury the password

By Brian Foster, SVP Product Management, MobileIron 

Humans are not the best when it comes to security – and it’s hardly likely we are going to get any better. It is therefore surprising that, despite advanced technological capabilities being available, we seem to enjoy making things harder for ourselves by using a mode of authentication that is no longer fit for purpose – the password. Passwords are ingrained in our society. They’ve been around for 60 years, but that also means that they have long outlived their potential as the safest way to secure our digital, private, and work lives.

The pain of passwords

Passwords are the enterprise’s greatest nemesis.It is well-documented that they are the leading cause of data breaches. In the 2019 Data Breach Investigations Report, for instance, Verizon found that stolen user credentials account for 80% of data breaches. Perhaps less documented, but equally troubling, is the pain of administering passwords.

Passwords provide a troublesome experience for both endusers and IT departments. Password management has proved to be a very costly endeavour for companies. The World Economic Forum reported that over half of IT help desk budgets were allocated to password resets. Today, fingerprint readers and facial recognition software are available on most mobile phones, and most users prefer them to using passcodes because of the high convenience factor. Thus, replacing the password with biometrics will not only improve the user experience of necessary security protocols, but will also break the budgetary burden IT departments are experiencing as a result of passwords.

A matter of convenience?

Inevitably, people expect the same seamless and convenient user experience across their professional life as well as their personal one. Not to mention that having to set up and remember a different password for each different website is not very practical and leads to poor password hygiene: users resort to reusing passwords for both personal and professional use, which presents an additional security risk.

The best alternative is a form of sign-on that most of us are already utilising to some degree in our daily lives: biometric data. Biometric data measures a person’s physical characteristics to verify their identity. The most common types are the aforementioned fingerprint scanners and facial recognition software, or voice-recognition software such as the one used for digital assistants likeSiri or Google Assistant. Clearly, the main benefit of this is the user experience: users can be authenticated instantly using inherent physical attributes, with the help of devices that people always carry with them, such as their smartphones.

Biometric benefits

Biometrics also have major benefits from a security perspective. Firstly, a simplified user experience means that people are less likely to resort to writing their passwords in a word document, using untrustworthy password-management apps or jotting them down on random scraps of paper, which can lead to compromised credentials. There’s no need for resetting credentials either. Once an individual’s biometric data is gathered, the system is set for good.

Secondly, biometrics are usually part of a multi-factor authentication (MFA) process, which provides an additional layer of user verification for high risk environments. Biometric data is a very accurate and relatively hard to replicate form of authentication as it is, but using it as only one step of an authentication procedure is the ideal security etiquette.  And the best example of this is using a MFA system with biometric data as part of a zerotrust approach to cybersecurity.

Beyond passwords, beyond trust

A zerotrust approach is a security concept that functions on the basis of ‘guilty, until proven innocent’. It follows the idea that the perimeter is an outdated model of security and that organisations should not trust anyone, regardless of whether they’re outside or inside the perimeter. Rather, everything should be verified before being allowed access. In this way, the enterprise can quickly eliminate threats as soon as they are spotted trying to breach their systems, whereas with the old perimeter approach, an intruder would be able to access everything inside the perimeter once it had breached the firewall and until it was eventually spotted. And with over half of breaches taking months to be discovered (Verizon), the damages that can be inflicted once someone infiltrates a perimeter are substantial. Clearly, the perimeter approach is no longer working.

As organisations increasingly employ cloud technologies and the workforce becomes progressively mobile, the need for security solutions extends outside a contained physical perimeter, anyway. A zerotrust approach recognises the enterprise’s need for flexibility. It verifies things beyond just a user’s ID through the use of biometrics. It extends across a dynamic environment and it can validate things such as the user’s location, device or network before allowing access.

Most businesses seem to acknowledge the password-less, zerotrust approach as the best way to secure their organisation. In fact, a Spiceworks survey revealed that biometric identification is utilised in 62% of companies and 24% plan to employ this technology within two years. So, the situation looks promising: we can eliminate passwords and replace them with biometric data, and the onus is on the technology industry to drive security forward by doing so.