When it comes to password managers, the humble combination of a username and password has secured our access to information since the start of IT. Although this model is still largely the norm, a paradigm shift is on the horizon as new passwordless solutions and technologies gain in popularity, such as biometrics, laying the foundation for a more secure standard for accessing information in the digital world.
About the author
Philip Black is Commercial Director at Nomidio.
Yet, while a combination of passwordless authentication and biometrics could transform digital authentication and security, misconceptions about privacy breaches, accuracy levels and security risks may hinder widespread adoption. This article will debunk some of the most common myths associated with passwordless authentication and biometrics, as well as the improvements that need to be made to the current passwordless model.
Myth: “Going passwordless is less secure”
Reality: There is already widespread agreement that today’s method of allowing people to prove ‘they are who they say they are’ through a username and password does more harm than good. In addition to passwords being hard to remember, offering a poor user experience and requiring significant help desk support for resets, they simply aren’t secure, no matter how complex you make them.
In fact, any traditional shared secrets such as passwords, PINs and consumers’ personally identifiable information (PII) are the root cause enabler for the majority of today’s most common cybersecurity attacks, as they are sharable and could also have been stolen in high profile data breaches and sold on the dark web.
The reality is that going passwordless is far safer than the current situation we are in now. In particular, introducing a multi-factor biometric check for authentication can help eliminate the vast majority of common attacks like credential stuffing and phishing. Credentials can’t be lost, stolen or shared when they are your own face and voice patterns – the legitimate user must actually be present to log-in, which leads nicely on to the next myth.
Myth: “Passwordless is unnecessary when you have 2FA in place”
Reality: This may seem a bit of an odd misconception, but it is an appropriate one to address given the multitude of approaches to passwordless authentication.
The logical response to address password security over the last few years has been to layer additional ‘factors’ on top of the password. By asking people to validate their identity based on ‘something they have’, by entering a one-time passcode sent to their mobile phone or email, it is possible to make life much harder for hackers. Also known as two-factor authentication or ‘2FA’, this approach is becoming mainstream, particularly in the world of e-commerce.
However, the weakness with all device-based approaches is that you are not authenticating a specific person, rather you are allowing whoever has access to the phone (or email account) to authorize the event. For example, if someone gets my pin code (phishing or over the shoulder) and “unlocks” the authorization, they could circumvent an authenticator app on my phone with a PIN. Further, does it really make sense for someone’s identity to be tied to their device? What happens if you’re trying to log-in to a work application to make a deadline while you’re out on the road and your phone runs out of battery?
Instead, a multi-factor authentication (MFA) cloud service based on biometrics has the potential to deliver a step-change in security and the user’s experience. Rather than asking users to remember a password, biometric identifiers such as a voice and face print can be stored so the user can be authenticated on any device they’re logging in from.
Myth: “Biometric technology is an invasion of privacy”
Reality: It is easy to see how this misconception came about. Biometric authentication has seen rapid growth in the journey to going passwordless, as the technology balances protection with a frictionless user experience. However, you often hear stories about how live facial recognition is being used, almost always without consent, to ‘monitor’ and ‘keep tabs’ on a population, leading to fears that ‘Big Brother is watching you’.
However, facial comparison and recognition technologies used on mobile and cloud applications are very different – they are individualized, opt-in use cases. This means that an employee or consumer freely consents to enroll in the system to log into their account or add protection to their account with an additional layer of security.
In a well-designed biometric authentication system the user remains in absolute control and his or her biometric data is never actually shared with the sites, apps or businesses where the user logs-in. Instead, the biometric data is stored just once in a service that can undertake a check on behalf of multiple organizations. This is how we have designed Nomidio, so the user remains in total control, with their consent required before their Nomidio biometric ID can be checked. In fact, we’ve gone a stage further using secure multi-party computing to prove beyond doubt that a person’s biometric data can never be accessed or queried without their explicit consent.
Myth: “It is too expensive to deploy biometrics and the costs outweigh the benefits”
Reality: Biometrics is by no means a new technology and was first spoken of seriously at the start of the millennium as a way to primarily control access to, for example, bank vaults. For many years it was unable to spread beyond such niche markets due to the costs involved. So, while biometrics may have provided an obvious extra layer of security for some time, it’s been too costly to deploy the technology.
This is no longer the case. Recently, the economics have improved and with cloud-based SaaS deployments the complexity and barriers to entry have significantly reduced. This means that any organization, large or small, can deploy and scale a passwordless biometric authentication solution quickly and simply. The sophisticated biometric matching engines are now accessible via the cloud, removing the need for costly IT projects.
Further, taking a more long-term view of a cost-benefit analysis, taking advantage of these cloud-based deployments can help rid businesses of expensive regular security updates to hardware, as well as the need for users to waste time regularly resetting passwords and draining the resources of IT support teams.
The continuation of the password model is the reason why the large majority of breaches today aren’t really hacking but bad actors simply logging-in with valid user credentials they’ve obtained elsewhere. If we’re serious about tackling identity theft and data breaches, then we must finally put to bed some of the misconceptions around passwordless authentication and biometrics. If we’re serious about building a frictionless user experience alongside government-grade security, then it is hard to ignore the overwhelming benefits of multi-factor biometrics.