No longer the stuff of science fiction, or restricted to highly sensitive or military-grade applications, biometric authentication has become the de facto standard for mobile users—from unlocking your smartphone to making payments on the go. Enterprises have been slower than individual users to adopt biometrics, but that seems to be changing. According to a recent Spiceworks survey of 500 companies in North America and Europe, 62 percent report using some form of biometrics today while 86 percent expect to be doing so by 2020.
Many organizations are now evaluating the use of biometric authentication methods, such as fingerprint scanning and facial recognition, to reduce end-user friction, make collaboration easier, share information more effectively and, as a result, promote higher workforce productivity. Careful planning and a few simple best practices can help achieve these goals while maintaining a secure and cost-effective solution.
1. Take Advantage of the Biometric Capabilities that Users Already Own
If cost has been holding you back from adopting or expanding biometrics, you’re not alone. In a recent Spiceworks survey, 67 percent of companies cited cost as the biggest barrier to adoption. But biometric authentication no longer requires expensive or proprietary hardware to implement. Today, all major smartphone and laptop platforms include some form of device-native biometrics. And these platforms are continually improving: high-definition cameras, infrared sensors and augmented reality have expanded the possibilities to include retina scanning, 3-D facial recognition and improved liveness detection. According to Apple, the advanced technologies used by Face ID on the iPhone X have decreased the possibility of a random match to one-in-a-million, compared with 1:50,000 on previous-generation devices. Mobile-based biometrics also provide the security benefit of being stored locally on the mobile device, often in a secure hardware module, which eliminates the possibility of biometric templates being stolen in transit or from a centralized database.
2. Think Multi-Factor Authentication
From a security perspective, it’s important to consider biometrics as part of a comprehensive multi-factor authentication approach. Consider that with Apple’s Touch ID, there is a 1-in-50,000 chance that a random person could successfully unlock your phone with their fingerprint. While that is certainly better than the probability for a 4-digit PIN (1 chance in 10,000), it is far worse than the probability for most passwords. When security matters, biometrics should be used in combination with passwords, risk-based analytics or other complementary authentication methods. One of the most common techniques is to combine smartphone biometrics with mobile push technology. When a user attempts to log in from a PC, for example, they get a push notification on their phone prompting further authentication with a fingerprint or face scan to complete the login process. In this way, the user can demonstrate both that she is in possession of a registered device and that she is in fact the person to whom the device is registered. Such an approach reduces the risk of a hacker being able to compromise the user’s identity credentials, while at the same time minimizing friction for the user, since it authenticates in more than one way while only requiring the user to perform one action.
3. Take a Risk-Based Approach
Biometric authentication may not be the right choice for every use case, so it’s a good idea to first target applications and user populations where biometrics can provide the greatest security and cost advantages. Do you have SaaS applications or web portals that allow internet-based access to sensitive or personally identifiable information? Are these applications protected with only a password? If so, smartphone biometrics can provide an efficient and cost-effective way to add a second factor of authentication. Mobile biometrics are also a great way to introduce a second factor for external users including partners, clients and customers. With these extended user populations, issuing and managing authentication credentials can be problematic and costly—hardware tokens must be physically shipped, users may forget passwords and PINs, and certificates must be issued, renewed and revoked. Biometrics eliminate these challenges and costs by putting the control of authentication credentials back into the hands (pun intended) of the user.
4. Don’t Break the Bank on Legacy Apps
Adding multi-factor authentication to VPN or SaaS applications shouldn’t be particularly difficult or costly as these applications are likely to support standards-based integration using SAML (typical in SaaS applications) or RADIUS (as is often the case with VPNs). But what about the legacy or custom applications that your organization is still using on-premises? To avoid a long, expensive integration that requires dedicated agents or custom code, consider integrating biometrics at the network layer. Next-generation firewalls (NGFW) often provide SAML and/or RADIUS connection points for integration with most authentication services. By intercepting traffic bound for a particular legacy app, the NGFW can enforce biometrics (or any secondary authentication) even if the target application is unaware. For cloud applications that do not support SAML, secure web gateways (SWG) or Cloud Access Security Brokers (CASB) can provide a similar control point when used in proxy mode.
5. Look to the Future
Biometric-based authentication methods have evolved a great deal in a very short time, from fingerprint scans to retinal scans to 3D facial recognition. In the process, they’ve become less intrusive while continuing to add more security to user logins. This trend will continue as more solutions emerge that rely on methods that intrude even less on the user—methods such as keystroke biometrics that don’t require any action other than users just doing what they would normally do anyway. Combined with behavioral analytics and machine learning, as well as risk analytics, biometrics is on its way to shaping a future in which authentication ultimately becomes completely invisible to the user. The best way to prepare for this future is to choose a multi-factor authentication solution that already offers a range of authentication options and has a track record of adding new capabilities as they emerge.
# # #
Visit RSA online to learn more about how the company is continually evolving and refining biometrics capabilities for RSA SecurID Access, the authentication solution that’s part of the complete RSA SecurID Suite for identity and access management.
Author: Dave Taku
Category: RSA Fundamentals, Blog Post, Securing the Digital World
Keywords: Biometrics, Biometrics-Based Authentication, Multi-Factor Authentication, Identity & Access Management, RSA SecurID, RSA SecurID Access