Biometrics are growing in popularity as an alternative to less secure forms of authentication and are gaining wider acceptance among consumers and employees. According to a report by IBM, 67 percent of people are already comfortable using biometric identifiers, and 87 percent feel they will be comfortable doing so in the near future. Millennials, who tend to be more tech-savvy, report a 75 percent acceptance rate.
This increased familiarity with biometrics makes it easier for businesses to take advantage of emerging trends in the identity and access management (IAM) space, thus providing security solutions with the potential to replace passwords, PINs and other easily compromised identifiers.
Biometrics in Action
The most common and recognized forms of biometric authentication are biological:
• Voice recognition relies on vocal patterns, and the market is expected to see significant growth through 2026.
• Fingerprint scans are used for everything from smartphone access to biometric locks.
• Facial scans are detailed but require proof of the user’s actual presence to be effective.
• Palm or vein scans, a newer solution, look for the unique vein patterns in users’ hands.
• Iris scans detect patterns in the eye and are often portrayed in popular media as the preferred form of entry for top-secret areas.
Many of these options are already used in consumer devices and common transactions, such as online payments or banking. However, biological identifiers can be mimicked or hacked in a variety of ways. This necessitates a more granular and personal approach to biometric identification as the IAM environment increases in complexity.
Continuous Authentication to Streamline User Experiences
Speed and user experience remain important when considering any changes in security measures. This is especially true for businesses in which complex processes create diverse access requirements for employees. Users at every level could quickly find themselves bogged down with numerous authentication requests, many of which require more than one identifying factor. With the concept of zero trust gaining traction as a viable approach to security, a situation could emerge in which users spend more time proving their identities than actually working.
Behavioral biometrics may be able to bridge the gap by providing a way to integrate sensitive, secure biometric identifiers into a continuous authentication model. For continuous authentication to be successful, the system must have a way of verifying a user’s true identity throughout the duration of a session. Any subtle changes in behavior could indicate the session has been compromised and necessitate a revocation of access to prevent data compromise.
Behavioral Biometrics: The Next Step?
Unlike biological factors, behavioral biometrics are identifiers associated with the way a user normally acts. These include:
• Unique vocal inflections, such as quirks in emphasis or pronunciation
• Keystroke patterns and typing habits
• Touchscreen gestures
• Eye movements and blinking patterns
• Skin characteristics
• Blood flow patterns
• Grip strength or pressure
Through improved data mining and machine learning (ML) technology, it’s possible to build an incredibly personal profile of each user based on these behavioral characteristics. This requires sophisticated ongoing monitoring and ML systems powerful enough to pinpoint tiny anomalies, but the technology exists to make such biometric options feasible for normal business use.
However, because of the complexity of behavioral biometrics, implementation involves a detailed assessment of security needs and workflows to determine if such a solution is practical in any given use case. If the goal is continuous authentication, behavioral biometrics will play a role in calculating the “authentication score” required to determine when to grant or deny access during users’ sessions.
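The sketch below is an added example, not code from the original article or from any vendor's product. It shows one simple way a keystroke-timing profile could feed a running authentication score that triggers revocation. The timing samples, the smoothing weight and the revocation threshold are all constructed, hypothetical values.

```python
from statistics import mean, stdev

# Constructed sample data: inter-key intervals in milliseconds (not real measurements).
ENROLLED = [112, 98, 105, 120, 101, 95, 110, 108, 99, 115]
GENUINE = [[104, 110, 99, 113, 107], [101, 108, 115, 97, 109]]
IMPOSTOR = [[170, 185, 160, 190, 175], [182, 168, 177, 191, 165], [174, 188, 169, 180, 172]]

ALPHA = 0.3          # hypothetical weight given to the newest window
REVOKE_BELOW = 0.5   # hypothetical score below which access is revoked


def build_profile(intervals):
    """Summarise enrolment samples as (mean, standard deviation)."""
    mu, sigma = mean(intervals), stdev(intervals)
    if sigma == 0:
        raise ValueError("enrolment samples show no variation; cannot score against them")
    return mu, sigma


def window_match(profile, window):
    """Similarity in [0, 1]: 1 at the enrolled mean, 0 at 3+ standard deviations away."""
    mu, sigma = profile
    avg_z = mean(abs(x - mu) / sigma for x in window)
    return max(0.0, 1.0 - avg_z / 3.0)


def run_session(profile, windows, score=1.0):
    """Update the score after each typing window; stop the session on revocation."""
    history = []
    for window in windows:
        # Exponential smoothing: one odd window lowers the score without ending the session.
        score = (1 - ALPHA) * score + ALPHA * window_match(profile, window)
        decision = "allow" if score >= REVOKE_BELOW else "revoke"
        history.append((round(score, 3), decision))
        if decision == "revoke":
            break
    return history


if __name__ == "__main__":
    profile = build_profile(ENROLLED)
    # Two windows from the enrolled user, then a different typist takes over.
    for step in run_session(profile, GENUINE + IMPOSTOR):
        print(step)
```

The smoothing weight controls the trade-off the article describes: a lower weight means fewer interruptions for the legitimate user, but a takeover is detected more slowly.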
Understanding Biometrics and Privacy
Government agencies have already implemented a number of regulations dictating how user information, including identifying factors, can be handled, but the rapid adoption of biometrics has left gaps in the law. As biometric authentication becomes more common, businesses need to be aware of new rules going into effect and how to maintain compliance without compromising security.
Some options, such as device-based authentication, let businesses bypass some of the security issues associated with collecting and storing identifiers by allowing users to save biometric information on individual devices instead of in a central location on the network. When third-party authentication services are used, they require careful evaluation prior to implementation to ensure all practices adhere to current compliance regulations. To prevent financial and legal consequences for the businesses using their services, providers must be committed to continued compliance as additional laws regarding consent, data ownership and the right to privacy are passed.
Despite the potential compliance and privacy challenges, 86 percent of people say they would choose biometrics over a password as a secure identifier. The increased sophistication of malicious attacks and rapid rise in identity theft and data breaches indicate the need for a better form of authentication. Evolving biometric options show promise as alternative solutions for businesses seeking a stronger, more reliable approach to IAM security.