Guest post by: Prince Kapoor
They say two-factor authentication is not 100% perfect, but nothing is when it comes to security! Nevertheless, it is certainly better than any single-factor authentication, including biometric authentication. This article explains how.
Whether you are talking about physical security, identity management, or authorization, authentication is one of the most crucial elements of any security strategy. Even though multiple authentication technologies are available, most traditional authentication methods rely on just a single factor or element. For example, if I say, “Hey! I am Serrah.” How would you know if I really am Serrah? Just because I said so doesn’t mean I really am Serrah. The situation gets worse in the online world, where you are dealing with highly sensitive data that can cost you millions of dollars. Obviously, an enterprise can’t just run on an honor system.
Every day, thousands of transactions occur based on single-factor authentication, which is generally a password, but hey, we all know how safe passwords are! Recent research indicated that around 23% of office desk workers in the US and UK share their work-related passwords with one or more colleagues. Passwords are soon going to be a thing of the past, and the latest hype in this scenario is the implementation of a biometric authentication solution.
While many technology experts describe biometric authentication as the ultimate answer to the imperfect password problem, unfortunately, it is not. Many companies are adopting it with caution. As per research by CEB, the biometric authentication adoption rate is as low as 20% around the globe. The big reasons behind this low adoption can be as follows:
Biometrics are already hackable
The first and most important reason behind slow biometric adoption is that biometric solutions don’t guarantee 100% security either; they are hackable too. Biometric data was never designed to be kept secret. Most people take care not to share their password with others, but how many people have you seen wearing gloves everywhere to avoid leaving fingerprints?
Hackers have already invented ways to bypass biometric authentication. Did you know that Jan Krissler, one of the famous names in the hacking world, used high-resolution photos, including one from a Government Press Office, to successfully reconstruct the fingerprints of Germany’s defense minister? Shocking, isn’t it? Tech-savvy people always promote biometrics, saying the solution is evolving, but so are hackers. Users are able to safeguard their passwords by limiting sharing and not reusing the same password across multiple sites, but limiting the spread of biometric data is a lot more difficult. Swiping a finger might look much more convenient than typing a long string of text, but it comes at a cost.
Biometrics come with big consequences
Secondly, a stolen biometric can have more severe consequences than a stolen password. Unlike a password, a biometric is intensely personal and represents a user’s identity, and thus a stolen biometric can be used for falsifying criminal records too. In the recent US Government breach, the fingerprints of around 5.6 million people and the social security numbers of around 21.5 million people were stolen. Experts say that the ability to misuse this data was limited in this event, but this probability is definitely going to grow in future breaches.
Biometrics lack revocability
The last concern with biometric solutions is their lack of revocability. You can’t just toss away your fingerprint and replace it with a new one like you can with a password. Rather, a biometric is something permanently associated with you. Experts are experimenting with various protections for biometric templates, such as one-way encryption and salting, to reduce the damage, but just as with passwords, there will always be some poorly designed solutions that can cause biometric data leakage. Despite many advancements in the security area, it is the user’s identity which will always be at risk.
So if biometric authentication is not perfect, what is?
Well, absolute security does not exist, nor will it ever. But implementing two-factor authentication or multi-factor authentication can definitely help. The solution requires users to prove their identity with something they have combined with something they know. The something that the user has can be a biometric or a simple hardware token such as a personal handset. If the personal handset serves as a sufficient form of authentication, biometrics are not even necessary.
Enterprise owners must understand that biometric authentication, or any single-factor authentication, is not enough to keep their users safe. Every single-factor authentication technology that you are using is making you more and more vulnerable. The day is not far off when two-factor authentication will become the first priority in the fight against cyber criminals.
Prince Kapoor is Marketing Analyst Lead at LoginRadius, a leading CIAM provider. While not working, you can find him in the gym or giving random health advice to his colleagues which no one agrees on :D. If you too want some of his advice (on health or on marketing), you can reach him on Twitter.