Identity & Access

Beyond Biometrics: The Future of Authentication

As organizations become more and more digitally connected, concerns about secure access seem to loom larger than ever. With more users connecting to more resources, how can organizations ensure people requesting access are who they say they are? 

As organizations become more and more digitally connected, concerns about secure access seem to loom larger than ever. With more users connecting to more resources, how can organizations ensure people requesting access are who they say they are? 

As the digital risks associated with identity and access management continue to evolve, I’ve found myself bombarded with questions about biometrics as a means of authenticating users. How strong an authentication method is it, really? What about the privacy issues? Is it true twins can fool a voice verification system? Are the one-in-a-million odds of a false face match low enough? Will biometrics live up to all the hype? 

Since Apple’s announcement of Face ID on the iPhone X, people are talking about biometric authentication as if it’s the be-all and end-all for authentication today—and, at the same time, questioning whether it can stand up to the challenge of delivering secure, reliable authentication over the long term. 

The problem is, those are the wrong questions. They only make sense if you’re operating on the assumption that biometric authentication is intended to supplant all the methods of authentication that came before it and that it, too, will eventually be eclipsed by the next major advance in authentication technology. 

Those assumptions saddle a single form of authentication with unreasonable pressure to perform. In reality, biometric authentication is no silver bullet (and was never intended to be one). Like all forms of authentication, it works best as one of several means of proving someone is who they claim to be, and discussions of its merit need to take place in that context. 

The strength of many surpasses the power of one

When facial recognition took center stage last year, smartphone passcodes didn’t just go away. Today, the passcode continues to function as a second factor for higher-risk authentication scenarios—when you haven’t unlocked your phone for a certain amount of time, for example, or when your phone fails to recognize you several times in a row. And, of course, a number of other authentication factors, ranging from tokens to one-time SMS codes, are still required for certain types of interactions and transactions. It is reasonable to say that the very reason a biometric method like Face ID works as a convenient way to authenticate someone is precisely that it isn’t the only method at work. Rather, it’s one of many authentication methods working together to maximize security.


A useful comparison lies in the primary authentication mechanism for the one asset everyone wants to keep secure: money. Your debit card, which provides access to all the cash you have in the bank, is protected by a simple four-digit PIN. It’s as if just four numerals stand in the way of someone cleaning out your bank accounts. In the bigger picture, though, there’s a lot more than your PIN protecting your cash. Every time you use your debit card, multiple technologies—artificial intelligence, machine learning, data analytics—are working in concert to protect that transaction by assessing the risk it presents and following up with appropriate action, such as requiring more stringent authentication or even declining the transaction altogether.

Sure, card fraud happens. But it happens far less often than it would if your four-digit PIN were really the only protection the bank had in place. That protection is truly effective as part of an approach that combines multiple factors into a much stronger whole. 

What’s good for the consumer is good for the enterprise

In the same way that a PIN isn’t the only thing protecting your bank account funds, biometrics shouldn’t be the only method of authentication an enterprise counts on to verify a user’s identity. In and of itself, biometric authentication is no silver bullet for protecting an enterprise’s digital assets, and no one should expect it to be. But it’s inarguably a formidable weapon in the enterprise arsenal. It can’t be easily stolen the way, say, a password can. And used in combination with other credentials, it provides a secure and extremely convenient way to authenticate users.

When it comes to biometrics, there’s a strong argument for protecting enterprise applications the way we protect consumer transactions: not relying on any single authentication method, but also factoring in information about user, location, device and behavior—and yes, maybe even four-digit PINs. When that information doesn’t provide enough assurance for the action a user is trying to perform, we can ask for additional methods of proof if the risk warrants it.

Viewed through that lens, biometrics can give the enterprise a powerful means of ensuring that users are who they say they are and help it navigate the changing landscape of identity risks. And with less intrusive methods of biometric authentication emerging—including advances like keystroke dynamics and gait analysis—and more companies planning to adopt it, I’m confident biometrics is here to stay. But the ultimate goal for identity and access management is not to find the unbreakable or “unhackable” code for authentication; rather, it’s to layer security to create a much stronger identity assurance posture.
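The layered, risk-based policy described above, as an added example that is not code from the original column: each factor the user has presented contributes assurance, context signals (unknown device, unusual location, long idle time, repeated biometric misses) raise the level an action must reach, and the biometric stops counting on its own under the same conditions that send a phone back to its passcode. Factor names, weights and thresholds are constructed for illustration, not drawn from any real product.

```python
from dataclasses import dataclass

# Assurance each factor contributes and the baseline each action demands (constructed values).
FACTOR_WEIGHT = {"face": 2, "passcode": 2, "otp_sms": 1, "hardware_token": 3}
ACTION_LEVEL = {"unlock": 2, "view_balance": 3, "wire_transfer": 5}


@dataclass(frozen=True)
class Context:
    factors_passed: frozenset      # factors already satisfied in this session
    hours_since_unlock: float
    consecutive_bio_failures: int
    known_device: bool
    usual_location: bool


def biometric_usable(ctx: Context) -> bool:
    """Face does not count after a long idle period or repeated misses,
    mirroring the fall-back-to-passcode behaviour described in the text."""
    return ctx.hours_since_unlock < 48 and ctx.consecutive_bio_failures < 5


def risk_score(ctx: Context) -> int:
    """Context signals raise the assurance level the action must reach."""
    score = 0 if ctx.known_device else 2
    score += 0 if ctx.usual_location else 1
    score += 1 if ctx.hours_since_unlock >= 48 else 0
    score += 2 if ctx.consecutive_bio_failures >= 5 else 0
    return score


def decide(action: str, ctx: Context) -> tuple:
    """Return ("allow", 0), ("step_up", shortfall) or ("deny", shortfall)."""
    required = ACTION_LEVEL[action] + risk_score(ctx)
    eligible = {f for f in FACTOR_WEIGHT if f != "face" or biometric_usable(ctx)}
    usable = ctx.factors_passed & eligible
    shortfall = required - sum(FACTOR_WEIGHT[f] for f in usable)
    if shortfall <= 0:
        return "allow", 0
    # Step up only if factors not yet presented can still close the gap;
    # otherwise no further proof would suffice and the action is refused.
    remaining = sum(FACTOR_WEIGHT[f] for f in eligible - usable)
    return ("step_up" if remaining >= shortfall else "deny"), shortfall
```

With these values a face match alone unlocks a phone used an hour ago, but after three idle days the same match is not enough and the policy steps up to the passcode; a wire transfer from an unknown device in an unusual place is refused outright once the biometric has also been missed repeatedly.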
