Biometric security technology readies for corporate prime time
Companies are turning to biometric security technology to improve user authentication and experience, but its use presents unique challenges that could slow enterprise adoption.
Cybersecurity expert Adrian Asher is a harsh critic of passwords.
The CISO for London Stock Exchange Group called them "dumb, antiquated [and] a flawed technology."
Asking humans to remember ever longer and more complex passwords when computers can quickly guess them "is just a flawed premise," Asher said. When Asher started in his current position two years ago, he was determined to implement biometric authentication, a technology that he describes as more efficient and more effective.
Asher is rolling out a biometrics platform from Veridium Ltd. that uses touchless finger and facial recognition technology to authenticate users. He started the implementation six months ago, providing the biometric security technology to workers who access corporate systems from outside the office.
Now, each time a worker wants to log in, he or she can choose between using either finger identification or facial recognition. Workers must also provide a second authentication to log in when accessing corporate systems from outside the office, following the standard practice of two-factor authentication in such circumstances.
He's sold on biometrics technology, and believes that other CISOs will come around to his way of thinking.
"I do believe it will be a replacement for everyone," Asher said.
He's not alone in that assessment: PwC's "Global State of Information Security Survey 2018" found that 60% of the 9,500 respondents said their companies are adopting biometrics.
Proponents of biometrics such as Asher believe the technology offers key advantages such as improved security and a better user experience. Yet, they and other cybersecurity experts say biometric security technology platforms also present unique challenges that could slow -- or even derail -- enterprise adoption.
Biometric authentication: Risk vs. reward
Certainly, cybersecurity experts aren't promoting biometrics as a cure-all solution.
"Most security is a layer of the solution, not the single solution. Biometrics might end up being just another layer you use," said Richard Kneeley, a managing director of cybersecurity and privacy practice at PwC U.S.
Biometrics use an individual's unique physical characteristics for identification and access control. Biometric platforms most commonly use fingerprints or facial recognition, but some use retina scans and voice recognition to identify and authenticate individual users.
Some experts extend biometrics to include technology that uses unique behavioral patterns to identify and authenticate individuals, but others consider behavioral analytics to be completely separate from biometrics.
Kneeley said organizations are beginning to use biometrics, pointing to the use of voice recognition security systems at some financial institutions as an example. Some highly secured institutions use retina scans to authenticate workers -- although he and others noted that such systems are usually deployed in conjunction with human guards who also verify workers' identities.
But Kneeley said he hasn't yet seen widespread implementation of biometric platforms to replace passwords and other longstanding security measures.
"I've never seen biometrics as just standing alone without other security measures," he said. "While biometrics is exciting and neat and would make life easier, there are still some concerns about it."
Yehuda Lindell, an associate professor in the computer science department at Bar-Ilan University in Israel and a leading cryptographic researcher, said enterprise cybersecurity leaders are right to hesitate before adopting biometrics platforms.
Both Kneeley and Lindell, who is also co-founder and chief scientist at security firm Unbound Tech Ltd., said biometric security technology isn't foolproof. They pointed to various reports that have shown fingerprint, retina and voice recognition technologies aren't infallible.
Not all users are comfortable with the technology, either: Even individuals who are OK with using their fingerprints to access their smartphones for personal use sometimes balk at allowing their companies to scan their faces.
There are also questions about what happens if stored biometric information is breached, Lindell said. He highlighted an important point: Users can change their passwords if the password data is hacked, but they can't change their fingerprints, retinas or faces if the images stored in the security platforms are compromised.
Meanwhile, Kneeley said many organizations have a hard time wrapping their arms around how they'd roll out biometric-based platforms across the plethora of devices they've deployed to workers and how they'd integrate such technology with existing security measures.
"The complexity can be overwhelming for a lot of our enterprise clients," he added.
Still, Lindell said he believes biometric security technology has value -- just not as a stand-alone solution.
"In my opinion, the real strength of biometrics is that [organizations] can use it as an additional authentication," he said. "That's why I think people should be looking at it."
The privacy question
Asher acknowledged some of those same issues and challenges with biometrics, but he remains convinced that biometrics offer better security at lower costs than ubiquitous passwords. He's continuing to expand his use of the biometric platform and plans to soon have more of his workforce use the technology instead of passwords.
He agreed that workers might not want to be in front of cameras to log in, which is why he chose a platform that offered the use of either facial recognition or four-finger identification. He also recognizes the need to ensure the privacy and security of workers' biometric information.
"We needed to be very happy with the privacy story," he said.
Asher picked Veridium, in part, because it stores only half of each user's biometric data, with the other half remaining on the user's device -- reducing the risk of bad actors getting their hands on anyone's full slate of biometric data.
Asher said he also strategized on educating the company's 6,000 workers on how the new biometric platform works, its benefits and the company's safeguards for protecting the employees' own biometric information.
"Overall, we didn't get any pushback," he said. "It's more of a carrot instead of stick; they saw it was easier than remembering a long password."