The rate of adoption of any access security infrastructure is ultimately determined by how willing and able its users are to work with it.
Speaking to SC Magazine, David Ting, CTO of Imprivata, said that while the healthcare industry is taking control of access and identity via biometrics, the banking industry faces a deeper password problem, driven by increased regulation of data security and auditing such as the Basel Accords, Sarbanes-Oxley and the EU Data Protection Directive.
This comes alongside the challenges of a fast-paced, often customer-facing working environment in which users must log on to and off from multiple applications several times each day.
He said: “When staff are forced to use complex passwords for each of these applications, they are tempted to cut corners when it comes to password security. This is where jotting down login credentials and password sharing becomes a real issue, meaning that password-only authentication in a banking environment could be viewed as inherently flawed. In the banking industry, strong, or two-factor authentication, where a password is combined with another form of authentication, such as a smartcard, token or biometric, is ideal for user convenience, productivity and security.”
Asked how biometrics have benefited the healthcare industry, and whether they could move into banking security, Ting commented that clinical staff change uniforms frequently and easily lose access tokens, and that the industry has been trying to bring in a solution to this. Banking is a little easier, as there is less movement and less terminal sharing between staff.
He said: “The technology in place needs to fit seamlessly into the working practices of the staff, enhancing workflows and making life easier wherever possible. If this simplicity can be achieved, and the authentication process is negligible for the users, there will be no temptation to cut security corners when accessing confidential data.
“The best security measure can be defeated by end-users if it is perceived as being cumbersome or interfering with user productivity. After all, users are not measured based on whether they have been security conscious, but on how productive they have been at their primary function.”
He also commented that in a banking environment, extra steps taken to strengthen password-based access can be particularly reassuring for the internal IT staff who are responsible for securing the network. The benefits also extend to valued customers and corporate partners, who will appreciate that efforts are being made to keep private information where it belongs at all times.
On a separate issue, Ting was asked whether the ‘select three digits from your password’ style of online banking authentication should be replaced.
He said: “It should be refreshed; I have never changed mine, but I always worry about security with online banking. Capping risk with the cost of online banking and technology can offset the cost of a loss; it is all about risk and the cost of mitigation.
“The cost of getting them to authenticate a user (with biometric solutions) would be very expensive. I would love to see a one-time password or fingerprint but it will not take off for a few years yet.”