Should You Use Biometric Authentication?
Most people are familiar with Apple's Touch ID and Face ID capabilities, which enable users to unlock their devices with a fingerprint or merely a glance. These capabilities are known as biometric authentication since they use different aspects of human biology for authentication. Using Apple’s API, businesses can easily incorporate biometric authentication into their apps.
The rise of biometric authentication has helped combat several cybersecurity challenges. For example, Apple's Safari automatically generates highly-secure passwords for each website and stores them in a password manager that’s secured with biometric authentication. Security experts acknowledge these improvements, but warn that the technology has its own risks.
The rise of biometric authentication may have mitigated problems stemming from weak passwords, but they could introduce their own set of problems. Let's take a look at biometric authentication and how the technology could impact your small business.
What is Biometric Authentication?
Biometric authentication is a form of identification and access control that leverages the different aspects of human physiology, chemistry and behavior — collectively known as traits. Since no person is exactly the same, these traits serve as reliable differentiators between various users, enabling passwordless forms of authentication.
Each biometric trait must be:
- Possessed by everyone;
- Sufficiently different across individuals;
- Relatively invariant over time;
- Easy to collect and measure;
- Performant and reliable to measure;
- Acceptable for users to divulge;
- And, difficult to imitate.
The biometric authentication process involves capturing the biometric trait, such as a facial image or fingerprint, preprocessing the trait to remove artifacts or background noise and extracting the relevant features from the trait. These features are compared to the features extracted during an initial enrollment process to authenticate the user.
Most commercial biometric authentication uses fingerprints, facial recognition or voiceprints, but emerging research is focused on brain waves (electroencephalogram) and heart signals (electrocardiogram). Other projects are focused on detecting the veins in fingers rather than fingerprints, which are harder for criminals to fraudulently replicate.
How Biometrics Improve Cybersecurity
Strong passwords with two-factor authentication using USB security keys are a nearly-bulletproof authentication system. It's nearly impossible to guess strong passwords — even with password crackers — and it's even harder to physically-steal a USB security key from someone. In fact, Google nearly eliminated its cybersecurity problems this way.
Download our free Checklist of Biometric Authentication Tools to see how you can implement it in your business.
Of course, there's no shortage of data showing that people are notoriously bad at using strong passwords. More than half of people reuse passwords across business and personal accounts, share passwords with colleagues and failed to change their passwords following a phishing attack. Most people also avoid two-factor authentication at home and at work.
Fingerprint scans, facial recognition, voiceprints and other forms of biometric authentication could do a much better job and make life easier for users. There’s no need to generate and remember unique strong passwords for every online account or regularly change passwords to keep them secure. Users could authenticate with little more than a glance at a camera.
Why It's Not a Perfect Solution
Biometrics have certainly improved cybersecurity, but there are some important risks to keep in mind. For example, hackers could compromise biometric databases and sell a person's fingerprints or facial model to other criminals. It's also easy for criminals to lift fingerprints from a wine glass or take pictures from a distance to generate a facial model.
While the severity of these issues is debatable, collecting and exposing biometric data could be extremely damaging to individuals that cannot change their face or fingerprint. Regulations governing biometric data are only starting to surface, which means that businesses must consider the possibility of future compliance issues before implementing solutions.
There are several ways to mitigate these risks:
- Add two-factor authentication for a second layer of security after biometrics. That way, a criminal would need to steal your biometric information and a physical USB security key from you in order to successfully hack an account.
- Use strong passwords to avoid data breaches where biometric information may be stored. If criminals can't guess your passwords, they're less likely to access your biometric information or other sensitive data.
- Ensure that all devices are kept up-to-date, including core software and anti-virus/anti-malware solutions. Often times, a data breach comes from known vulnerabilities that weren't patched before attackers gained access.
Jungle Disk provides a comprehensive cybersecurity suite that's designed for small businesses with two to 250 employees. With a simple per-employee, per-month pricing model, small businesses have access to everything from active network protection (firewall) to password management solutions, making it easy to secure your organization.
How to Implement Biometrics
There are many different ways for small businesses to implement biometric authentication in the workplace — both internally and externally.
Don't forget to download our free Checklist of Biometric Authentication Tools to see how you can implement it in your business.
Many smartphones and laptops include biometric authentication capabilities, including Google Android, Apple iPhone and most modern laptops. Using these capabilities, businesses can ensure that data stored on an employee's device is safe, as well as enable them to generate strong passwords and manage them using biometric authentication as a "master key."
Small businesses developing external-facing software solutions may also want to consider biometric authentication to reduce data breach risks. For example, Google and Apple ecosystems often use APIs that leverage biometric authentication hardware to authenticate users. Identity Automation, Centrify and other providers offer similar solutions for other applications.
Before implementing these solutions, it’s important to update your company’s employee policies and/or privacy policies to cover any added risks. Avoid storing any biometric data and/or transmitting unencrypted data in order to reduce the risk of inadvertently divulging sensitive data to criminals through man-in-the-middle and other attacks.
The Bottom Line
Biometric authentication has become increasingly popular. With Google Android and Apple iPhone embracing the technology, many experts hope to mitigate data breaches by making it easier for users to securely authenticate with their favorite websites and applications. The problem is that these solutions could introduce their own set of problems.
The good news is that there are many third-party service providers that make it easy to authenticate using their secure biometric hardware. For instance, Apple provides access to its Face ID and Touch ID API for developers to improve security and reduce the need for users to remember potentially-insecure passwords to access their data.
If you're looking for ways to improve your cybersecurity, Jungle Disk provides a comprehensive cybersecurity suite that's designed for small businesses, with a simple per-employee, per-month pricing model and full-spectrum coverage.