Enterprise use of biometrics for security may see an uptick as organizations look to defend themselves from attacks, but they must weigh the concerns against the benefits.
The era of increased video meetings could boost organizational use of biometric security technology. Imagine, for example, if facial recognition allowed instant meeting access to authorized employees, while shutting out everyone else.
Most organizations aren’t ready for that kind of advanced use yet, and neither are the products now on the market. But experts say innovative use of biometrics is appealing, and with most enterprises already well positioned to adopt or expand their use of biometric authentication, companies could be more inclined to further explore its uses.
The question for 2021 and beyond, however, is will they?
The answer is a solid yes and no.
Security teams have already increased their use of biometrics for identity and access management (IAM) in recent years, and industry leaders predict more security departments will implement the technology in the near future. In its September 2020 report, “Navigating The Emerging Risks Of Biometric Technologies,” Forrester Research projected 60% of global security decision-makers polled were planning to implement or expand their use of fingerprint, facial or voice biometrics in 2021.
But not all security leaders agree on widespread biometric usage within the enterprise anytime soon. They caution against seeing biometrics as a single panacea for IAM challenges that continue to plague organizations, adding that regulatory and privacy concerns could be barriers to broad use of biometrics.
Biometric authentication’s proven history
The use of biometrics is hardly new. The use of fingerprints for identification goes back more than a century, while cybersecurity tools using fingerprints, iris scans and other biometric identifiers have helped organizations with highly sensitive security needs control access to physical and digital assets for decades.
Yet biometrics have become more mainstream and commonplace only within the past decade. Apple introduced Face ID with its 2017 launch of the iPhone X. Washington Dulles International Airport launched its facial scans for international travelers in 2018. Also in 2018, Microsoft introduced Microsoft Windows Hello, enabling the use of fingerprints, iris recognition or facial recognition as an authentication factor.
Biometric options for the enterprise
Security professionals now have multiple biometric options, each with its own pros and cons, according to Rob Clyde, managing partner with Clyde Consulting LLC, headquartered in Pleasant Grove, Utah, and ISACA board member.
“The advantages and challenges vary by the biometric, which provide a balance between convenience and security. Some of the top ones are relatively inexpensive, while some have serious privacy concerns,” he said.
Fingerprints, for example, have a long history of delivering results, and the technology needed to utilize fingerprints for identity and authentication is relatively inexpensive, Clyde said, adding that facial and iris recognition also have histories of delivering accurate results from relatively inexpensive, accessible tools.
On the other hand, more advanced biometric options, such as vein matching in the hand, palm geometry and retinal scanning, require more sophisticated and expensive technology, he said.
Meanwhile, emerging biometric options, such as those that analyze unique individual behavioral patterns or use an individual’s cardiac signature, aren’t ready for enterprise deployment.
“Some of these newer biometric solutions haven’t really been proven. We still have a way to go before we realize [their value],” said Merritt Maxim, vice president and research director serving security and risk professionals at Forrester.
Security challenges drive interest, adoption of biometrics
The global biometric system market is expected to see an 18% compound annual growth rate through 2025, with the market hitting $57.7 billion in just five years, according to a November 2020 Research and Markets report.
“There’s certainly a desire to move away from the username/password mechanism,” said Sounil Yu, CISO-in-residence at American-Israeli venture capital firm YL Ventures, noting that the use of username and passwords alone has not provided adequate security on the whole.
He said a better mechanism would retain both static and dynamic elements, which the username/password mechanism has with the username being static and the password more dynamic — although not often dynamic enough in real-world use. Multifactor authentication (MFA) and the growing use of tokens have moved many organizations away from the username/password mechanism, but Yu said he’s not seeing many security leaders yet adopt biometrics for the static part of evolving IAM protocols.
Still, some experts said CISOs have good reasons for their increasing interest in and adoption of biometrics. They recognize that their existing identity and access control measures have not been adequate against the onslaught of cyber attacks. They’ve even had trouble securing video conferencing sessions, as 2020 saw so many breached video meetings that it gave rise to the term Zoombombing.
Yu and others said biometric authentication certainly has some advantages for enterprise security. Biometric security technology is more difficult, if not nearly impossible, to spoof. It is generally convenient for employees to use, with many becoming more comfortable with the technology due to the use of biometrics in their personal lives and consumer interactions.
But biometrics technology also has drawbacks, experts said. Fingerprints, for example, can be spoofed in some instances. And some other biometric technologies aren’t fully reliable. In 2020, many people realized facial recognition software didn’t work when they were wearing a pandemic mask. Some products can be costly or difficult to implement, particularly if used with legacy applications. Biometric technology also raises significant privacy concerns, with users already pushing back against its use in some cases.
Despite such challenges, experts said they expect more CISOs to adopt biometric security technology moving forward, adding it to the tools they use in their MFA environments, rather than using a biometric option as a standalone authentication mechanism.
“I think we’re going to see more apps take advantage of camera or voice recognition or even both because they are inexpensive and relatively straightforward to add to a product or to an enterprise application,” Clyde said.
Maxim said he expects some organizations to deploy biometrics for specific use cases, such as employee access to shared workstations. He doesn’t anticipate biometrics will be ubiquitous in IAM programs.
“I think, for the typical enterprise, that won’t be the likely scenario,” he said, “in part because there are other technologies that also provide a good level of security.”