For over 50 years, passwords have served as access controls for technology. Paradoxically, as the technology that we use in our everyday lives has rapidly evolved to meet our every need, passwords and security have largely remained unchanged since their inception. Today, the average American has more than 130 online accounts associated with a single email – many of which use similar, if not identical passwords. Over 80% of people surveyed by SecureAuth said they reuse the same password for multiple accounts; this poses a problem for account security, as the strength of a password decreases the more times it is used across multiple platforms or services, allowing for easier penetration by malicious actors. Luckily, payment providers, retail businesses, and tech companies are beginning to explore the next era of authentication: biometrics. The best part of the next era – it’s already upon us. To get a glimpse of the future, you simply need to look at your phone.
Advantages and Flexibility of Biometrics
As password security becomes increasingly fragile, and as the number of passwords consumers must keep track of increases exponentially, consumers have been looking to switch to different methods of authenticating their identities. Biometric authentication does not require a reset because there is no way for consumers to lose or forget their authentication method. Transitioning from password-based to biometric authentication is desirable to most consumers, who believe that biometrics are faster and easier than using passwords. Instead of customers typing out a password, consumers can now pay, enter a stadium, or access their online banking with a touch or a glance.
The time savings provided by biometric authentication are evident. The versatility of biometric authentication defines the growth potential of the technology; biometric authentication can extend far beyond getting into a mobile phone or paying for coffee without a card. Biometric authentication could be used to enter a movie theater if an account is associated with a ticket purchase, or to ensure the correct prescription is going to the right person. It can provide iron-clad proof of the identity of someone who is trying to gain access to a bank account or any other sensitive data. There are abundant uses for the technology, and we have just begun to scratch the surface of uses for biometric authentication.
Barriers to Adoption
Even with all the benefits of biometric authentication, critics still warn of the negative impacts of widespread adoption. For the most part, however, consumers are willing to sacrifice the shortcomings of biometric authentication for the convenience that it provides.
Currently, passwords are inherently private. Since we use secret passwords, outside entities are not supposed to know them. However, moving from passwords to biometrics essentially moves from securing the private to securing the public; biometric information is public because it is on display on our bodies everywhere we go, all the time. With any use of personal or private information comes the need to regulate the use of that data to protect consumers.
Since the use of biometrics is relatively new and quickly expanding, minimal regulation surrounding its use is in place today. The lack of regulation leads to questions surrounding the classification and security of biometric information such a how do we categorize biometric information, and how do we secure this fixed information? Is there a need to establish the equivalent of PCI to secure biometric information, and does it fall under HIPPA, even if the consumer consents to the use of their information? Who will be responsible for the management and security? Will the government handle our data and communicate with every organization that uses it, or will each organization keep and secure their own copy of everyone’s information? Each scenario presents opportunities for malicious attacks, and although there is no current evidence for using digital biometric signatures for anything other than stealing and keeping it, as time passes and ways of unmasking the data become a reality, our identities could be compromised permanently.
Privacy concerns pose a highly-debated barrier to biometrics. A current example of the use of biometrics in infrastructure is India’s biometric database for its 1.3 billion citizens. This database can be used for services ranging from paying taxes, to collecting welfare, but there is fear that India is infringing on the rights of its citizens by making enrollment in the database mandatory. Where do we draw the line concerning user privacy? What attributes are fair game for collection and analysis and what crosses the line to knowing too much about the user and their behaviors? How can the custodians of this data ensure that is protected and rendered useless if stolen? As biometric authentication becomes ubiquitous, we will need to seriously consider what data is being collected, how it is being used, and how it can be secured.
The Assured Spread of Biometric Authentication
Regardless of whether you have a positive or negative attitude towards biometric authentication, the technology is here to stay. The ease of use and security tied to it allows for any process, service, or device which requires user authentication. With the growth in device connectivity and the boom of the Internet of Things (IoT), more devices will interface with our lives and have capabilities that require identity verification. Consumers will not want to take the time to enter a password on every device that they interact with. It is not difficult to consider a future in which some devices may not even have keys to enter a password, but instead perform voice recognition, retina scanning, or any other biometric authentication method to validate the user.
No matter how secure biometric authentication is, the adoption of it is still subject to consumer preferences and business system readiness. Even with advances in tokenization, there are a plethora of privacy concerns and legal ramifications for holding biological markers of consumers. Even though the path for biometric authentication isn’t set in stone, we will be paying attention to the spread of the technology. Before diving headfirst into accepting biometric authentication as a part of our everyday lives, a thorough analysis of infrastructure, regulation, and security requirements will be required.
For further discussion, contact Mason Zurovchak at [email protected]