DAVE WATERSON, CTO & Founder, SentryBay
The innovations that we see in consumer tech are so often replicated in the workplace as a means to satisfy the expectations of employees. So, it was with interest that we read about Apple, Microsoft and Google’s intentions to support the FIDO Alliance standard and enable end-to-end passwordless authentication using biometrics or a device PIN.
This promises that users will no longer need to sign in to every website or app on every device they use; instead their FIDO-enabled credentials will be available across multiple phones, laptops and tablets for instant access.
In principle this sounds great: a faster and more straightforward way to navigate across devices and platforms without having to remember a lot of different passwords. For those who just use one password and hope for the best, it also appears to offer more security, protecting them against dangerous account takeovers, data breaches and even the threat of identity theft.
But there is a problem with this approach, and it lies in the emphasis that is being placed on biometrics. The global biometric market is expected to grow from $42.9 billion in 2022 to $82.9 billion by 2027, almost a doubling of the rate at which biometric systems are being built into everything from consumer electronics to vehicles.
This is not, however, the answer to the growing cybersecurity problem, at least not on its own. In fact it just introduces another layer of risk.
For sure, using an iris, face, voice or fingerprint to unlock a smartphone is convenient. But it is important to remember what is actually stored: not the finger, but a digital template derived from it. Where that template is held and matched centrally, or where a system accepts the template itself as the credential, a stolen copy can be used in exactly the same way as a stolen password. (Under FIDO the design is different: the template stays on the device and only gates a locally held private key, and the biometric itself is never sent to the website, so the exposure there lies in spoofing the device's sensor or compromising the device rather than in the website's database.) More problematic is that, unlike a password, a biometric cannot be changed or revoked. Once a fingerprint or iris is exposed, every app, website and bank account that relied on it for access can be attacked with it repeatedly.
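To make concrete what the FIDO flow described above actually stores and sends, here is an added toy model of the exchange in Python. It is not SentryBay's or the FIDO Alliance's code: the names Authenticator, RelyingParty, schnorr_sign, schnorr_verify and demo, the sample bytes and the identifiers bank.example and evil.example are all constructed for the illustration, a Schnorr signature over a small safe-prime group stands in for the ECDSA/EdDSA keys real authenticators use, and an exact hash comparison stands in for a fuzzy biometric matcher.

```python
# Added illustration of the FIDO/WebAuthn data flow, not SentryBay's or the FIDO
# Alliance's code. Schnorr over a toy safe-prime group stands in for the ECDSA/EdDSA
# keys real authenticators use; an exact hash match stands in for a fuzzy biometric matcher.
import hashlib
import hmac
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin, exact below 3.3e24

def _is_prime(n: int) -> bool:
    if n < 2 or any(n % b == 0 for b in _BASES):
        return n in _BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime_from(start: int) -> int:
    q = start | 1  # first p = 2q + 1 with both p and q prime
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = _safe_prime_from(1 << 62)  # ~63-bit modulus: demo scale only, not secure
Q = (P - 1) // 2               # prime order of the subgroup we sign in
G = 4                          # a quadratic residue, so it generates that subgroup

def _h(r: int, msg: bytes) -> int:  # hash the commitment and message to a scalar (P < 2**64)
    return int.from_bytes(hashlib.sha256(r.to_bytes(8, "big") + msg).digest(), "big") % Q

def schnorr_sign(x: int, msg: bytes) -> tuple:
    k = secrets.randbelow(Q - 1) + 1
    e = _h(pow(G, k, P), msg)
    return e, (k - x * e) % Q

def schnorr_verify(y: int, msg: bytes, sig: tuple) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P  # recovers g^k for a genuine signature
    return _h(r, msg) == e

class Authenticator:  # device side: template and private keys never leave this object
    def __init__(self, enrolled_sample: bytes):
        self._template = hashlib.sha256(enrolled_sample).digest()  # held on-device only
        self._keys = {}  # rp_id -> private scalar, one credential per site
    def _user_verified(self, sample: bytes) -> bool:
        return hmac.compare_digest(hashlib.sha256(sample).digest(), self._template)
    def register(self, rp_id: str, sample: bytes) -> int:
        if not self._user_verified(sample):
            raise PermissionError("local user verification failed")
        self._keys[rp_id] = secrets.randbelow(Q - 1) + 1
        return pow(G, self._keys[rp_id], P)  # only the public key leaves the device
    def sign(self, rp_id: str, challenge: bytes, sample: bytes) -> tuple:
        if not self._user_verified(sample):
            raise PermissionError("local user verification failed")
        if rp_id not in self._keys:
            raise KeyError(f"no credential scoped to {rp_id}")
        return schnorr_sign(self._keys[rp_id], rp_id.encode() + challenge)

class RelyingParty:  # server side: public keys only, so a database leak yields no login
    def __init__(self, rp_id: str):
        self.rp_id, self.users, self._pending = rp_id, {}, {}
    def begin_login(self, user: str) -> bytes:
        self._pending[user] = secrets.token_bytes(32)  # fresh challenge per attempt
        return self._pending[user]
    def finish_login(self, user: str, sig: tuple) -> bool:
        challenge = self._pending.pop(user, None)  # consumed, so a replay finds nothing
        return challenge is not None and schnorr_verify(
            self.users[user], self.rp_id.encode() + challenge, sig)

def demo() -> dict:
    finger, wrong_finger = b"constructed-enrolled-sample", b"constructed-other-sample"
    device, bank, evil = Authenticator(finger), RelyingParty("bank.example"), RelyingParty("evil.example")
    bank.users["alice"] = device.register("bank.example", finger)
    evil.users["alice"] = device.register("evil.example", finger)  # victim has an account there too
    out, c = {}, bank.begin_login("alice")
    sig = device.sign("bank.example", c, finger)
    out["genuine"] = bank.finish_login("alice", sig)
    out["replay"] = bank.finish_login("alice", sig)
    try:
        device.sign("bank.example", bank.begin_login("alice"), wrong_finger)
        out["wrong_finger"] = True
    except PermissionError:
        out["wrong_finger"] = False
    # Phishing: evil.example relays the bank's challenge, but the device scopes its
    # signature to evil.example, so the bank rejects it.
    c = bank.begin_login("alice")
    out["phished"] = bank.finish_login("alice", device.sign("evil.example", c, finger))
    return out
```

demo() returns four outcomes: the genuine login succeeds, replaying the same assertion fails because the challenge was consumed, the wrong finger is stopped on the device before anything is sent, and a signature produced under evil.example's identifier does not verify at the bank. Note what is absent: the server never sees the fingerprint, and its user table holds only public keys. That is why FIDO narrows the stolen-template problem to attacks on the device itself, but it does not remove the need for the layered defence argued for below.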
There have been cases where facial images found online (who hasn't got an Instagram, LinkedIn or Facebook account?) have been used to spoof face-recognition checks and impersonate the individuals concerned.
Amongst consumers, despite the desire for privacy, convenience is a highly influential factor, and this is already encouraging widespread use of biometric authentication. For organisations, however, any gap in the corporate armour represents too high a risk and needs plugging. The threat of a cyber criminal gaining access to the company network by defeating an employee's biometric log-in exposes the organisation unnecessarily to the loss of sensitive data, impact on customers and a damaged reputation.
Like all security solutions, biometrics have their place. But instead of being seen as a panacea for all cybersecurity ills, they must be regarded as just one element in a layered approach. Combined with a range of solutions that thwart potential attackers on multiple fronts, biometrics can be a powerful deterrent. Using them in isolation as a replacement for passwords is asking for trouble, particularly in the workplace.