Taking a Risk-Based Approach to Biometrics

Biometric authentication — using the unique biological characteristics of an individual to verify their identity — has been around since the dawn of humankind.

Think about it: humans use facial and voice recognition every day to identify each other. Signature recognition came about when the first contracts were originally created, and fingerprints evolved as a means of verifying identity centuries ago. Now, as technology becomes more advanced, biometrics are being used to secure access, computer systems, and valuable data. But can a risk-based approach to biometrics help to create better authentication systems?

Biometrics are Perceived to be Secure and Reliable

For the most part, using biometric data to verify identity is seen as a secure authentication solution. Individual biometric data is unique, and verifying identity through biometrics is something humans successfully accomplish every day. In our minds it is the most reliable and natural form of authentication. As we strive to make technology more human, using biometrics to verify identity is a natural progression towards achieving this goal.

There are many forms of biometric authentication technologies which have been developed through the years. Retinas, irises, fingerprints, faces, voices, palms, signatures, and even DNA strands have all been used to verify identity. Some of these technologies have seen more commercial success than others, with fingerprint and facial recognition even being incorporated into our everyday consumer devices.

Part of the reason that biometric authentication methods are so appealing is their simple user experience. Using your thumb or face to unlock your phone is far easier than having to type in a PIN code. Authentication factors that require the user to memorise a code or password, on the flip side, face greater resistance. This often leads to poor security practices, like password reuse and sticky note reminders — habits that increase the risk of a breach.

Biometric authentication in commercial environments has also found some success. The primary barrier to entry that organisations face when considering deploying these solutions is the cost of procuring, deploying, and managing the physical hardware which enable biometric authentication. Biometric scanners are generally not included in standard enterprise devices, and integrating the biometric system into an authentication solution comes with added overhead and complexity.

However, as biometric technology continues to evolve, these solutions are becoming simpler and more economical. But are biometrics secure? Can they a replace traditional authentication mechanisms like usernames and passwords?

Biometric Data is Unique but Not Private

Although biometric data may be unique, it is not private. Unlike a password, which is a secret phrase or word only you should know, fingerprints and faces are in the public domain. You leave your fingerprints on surfaces everywhere you go, and your image is captured and stored in more places than you realise.

The fact that biometrics are so easily accessible means systems using this data for authentication purposes risk being compromised. Fingerprints can be lifted off smooth surfaces and high-resolution images can be used to clone them. Facial recognition can be fooled with photographs obtained from social media and even iris scanners can be compromised.

Any system storing information runs the risk of being compromised. Biometric systems that essentially store analog information in a digital format are no different. A compromise affecting a biometric system not only puts the data at risk, the privacy implications of an unauthorised third-party having access to fundamental individual human traits could also have severe repercussions. Since biometric data is unique and only used to identify individuals, the compromised information could be used to decipher other distinctive attributes jeopardising the personal identity of those affected. And, because biometric identifiers are immutable, they cannot be reset like passwords, which makes the consequences of a biometric data breach permanent.

Biometric authentication is convenient and does provide some security, but it is not infallible. Relying solely on biometrics to protect systems and the confidential data they store does not provide the enterprise security needed in today’s interconnected online world.

Multi-Factor Authentication Can be Used to Reinforce Biometrics

Multi-Factor Authentication (MFA) has been proven to be the best practice when it comes to authentication. By requiring users to submit multiple factors to verify their identity, this layered approach to security applies the necessary defence-in-depth safeguards needed to protect modern systems and applications.

Submitting a password along with a fingerprint when authenticating is far more secure than submitting a single factor. If a biometric factor such as a fingerprint or image has been compromised, an attacker would still need to possess a compromised password before gaining access. Adopting a multi-layered approach to authentication is by far the leading solution for protecting system access. However, the level of security can be raised even higher by adding context to the mix.

Leveraging multiple context factors such as location or IP address provides an additional layer of protection. This solution improves security by dynamically adapting the authentication flow. It accomplishes this by rating the inherent risk after interrogating context data obtained from the user and the device. Based on the risk rating, the system then either grants access, denies access, or prompts the user to submit an additional form of identity verification, effectively creating an Adaptive Multi-Factor Authentication (AMFA) solution.

Okta’s AMFA with Biometric Support: Security Without Compromising Usability

Okta AMFA uses this contextual and adaptive approach. By helping your authentication solution respond to changing circumstances and unusual events, it ensures identities remain secure without overburdening users. It can be used effectively alongside biometric systems with full support for biometrics-based factors including Windows Hello and Apple Touch ID.

With Okta AMFA, you can give your users the superior usability of biometrics and ensure your systems remain secure.

Would you like to know more? Check out Biometrics for Authentication: The Risks and Potential Rewards and also learn how to Use Behavior and Context to Secure Access.