Providing strong authentication so that only authorised individuals and devices get access to what they are allowed is a cornerstone of any good security program.
However, proving that people are who they say they are has been a challenge with digital security since computers have been in use. Biometrics offers a great way to authenticate individuals into systems, applications and data.
The reasoning is simple: since everyone has a unique biological identity, let's apply that single biological identity to cyber space to establish trust.
Biometrics contribute to what is called a 'multi-factor' authentication scheme and can vastly improve identity proofing by pairing 'something you know', such as a username and password combination, with 'something you are', making it much more difficult for a criminal to hack into systems pretending to be you.
Fingerprint biometrics usually afford the easiest user interface – simply place your index finger or thumb on a reader and authentication takes place. However, the use of a fingerprint biometric often requires a separate device. Historically, the primary challenge with tying a biometric to a cyber identity has been costs associated with rolling out an additional device to 'read' the biometric.
Having the ability to use a device an individual already has to perform the biometric reading allows the organisation to keep the costs low. Examples of these devices would be voice biometrics, which typically can be done over a standard telephone or mobile device, and facial recognition, which can utilise the camera found on most smartphones.
The user interaction is pretty straightforward and since most people have a telephone or smartphone, the organisation does not need to purchase, distribute and support additional hardware. The challenge is to have a backup method of multi-factor authentication if the biometric fails to authenticate.
Although biometrics are recognised as a legitimate form of multi-factor authentication, concerns exist around false negatives, or the biometric actually failing to authenticate the correct individual. One way around this is to treat a biometric as an additional 'form factor' – in essence using it as the second factor in a multi-factor authentication scheme.
In this scenario, the user would have a username/password/pin combination and would then be asked to use a biometric, such as facial recognition or fingerprint. If the authentication fails to establish trust using this combination of form factors, then the user would be asked to authenticate utilising another previously registered second form factor.
This could be the person's mobile device with a securely loaded one-time password generator; whereby the user enters a six-digit number that is 'bound' to the authentication.
There are several innovative technologies in the pipeline that are becoming reliable enough to be considered as viable alternatives to more mainstream biometrics. One option is asking a user to key in a passphrase, essentially establishing a question and corresponding challenge response.
The software not only verifies the accuracy of the response to the challenge question, but also determines how a user types, using variables such as the speed between each letter being typed. From this, the software determines if the individual is the correct person.
In this example, the more the user interacts with the biometric system, the more accurate it becomes. Another method is utilising an individual's cognitive abilities. For example, presenting a set of pictures and asking the user to choose the combination that only the individual would know and be able to identify.
So the question becomes 'based on the advantages of biometrics, why haven't they been more widely adopted in the enterprise?' The answer is primarily focused on the costs associated with the devices that perform the reading of the biometric.
Another issue is usability. If a device (say a fingerprint reader) is being utilised and that device isn't available from where the user is attempting to log in or gain access, the user experience is less than ideal. Having a dual-purpose device – telephone or smartphone, which the user already has in his or her possession – makes the costs and usability much more reasonable for wider use in the future.
Tracy Hulver is chief identity strategist at Verizon