As biometrics adoption continues to grow, the question of whether the technology will replace passwords has moved from if territory to when.
But the when question still looms. Despite a number of enterprises exploring biometric authentication systems that use a combination of fingerprint, voice and behavioral scanning, many companies still rely primarily on customer-generated usernames and passwords, and they haven't fully developed or deployed those biometric authentication systems yet.
Biometrics expert Bianca Lopes sees adoption continuing beyond mobile devices, especially in light of the many credential exposures. But Lopes, former chief data officer for security vendor BioConnect, believes several steps need to be taken before biometric authentication systems can replace passwords in most enterprises.
Here, Lopes explains how she sees biometrics eventually becoming the dominant form of authentication.
Bianca Lopes: The adoption rate for biometrics has seen massive growth. It's expected that, by 2020, 100% of smartphones will have biometrics, so then it becomes a question about which populations don't have smartphones, which is a small number, and it's becoming increasingly small[er]. So you'll start to see biometrics being used every day.
I also think that the fear -- or the realization of the implications -- of password breaches is going to force changes. All of the banks I see have a password-less biometric authentication project -- every single one of them. You don't have to be a genius to figure out the potential there.
But you do have to figure out which department owns authentication. Each department thinks they own the identity of the customer or user. It's a very siloed approach within most enterprises.
I talked at the Cloud Identity Summit that we're still early [in] the conversation because it has been a secretive industry in a way. Biometrics was born out of security and law enforcement, and [a] lot of those technologies were on premises. But Apple changed the game by putting it in a convenient place for the everyday user.
Now, two things need to happen: we need better standards and protocols, and more transparency and education. For example, what is a biometric template? How does it work?
Some of your biometrics do, in fact, change over time; I age every minute of every day and my face changes every week. If you don't have what's called dynamic enrollment, then you're not capturing those facial changes. Your voice may change, and your behavior definitely changes based on context.
I think you'll start to see the coupling of biometric authentication systems with machine learning and contextual data because now we have better sensors that can pick that data up, and we can use it for identity and authentication that makes it really hard for attackers to beat. Imitating someone's behavior along with their face and their phone is going to become harder and harder.