Why biometrics are on track to replace the password
Opening a new account at some banks — including NatWest, HSBC, TSB, and Lloyds Banking Group — is literally as easy as taking a selfie. New customers can download the bank’s app, take a photo of themselves, and submit it with a picture of their personal identification, such as a passport or a driving license.
A real-time biometrics check, powered by facial recognition, cross-checks the uploaded photo ID against the selfie to authenticate the application within a few minutes. Thanks to biometrics — which encompass unique physical and behavioral human characteristics — there is no need to visit a branch or use another form of authentication.
This technology is not just for banks. Biometrics, which can use unique identifiers such as fingerprints, face, iris and/or voice, are already being used to make human identity authentication a bit more secure. This new security technology is highlighted in the cybersecurity episode of the four-part End of the Beginning video series produced by Samsung NEXT.
Passwords are passé
Biometrics represent a major change in how digital transactions are secured, according to Raymond Liao, managing director at Samsung NEXT Ventures. He predicts that biometrics are on the verge of going mainstream, and will eventually replace passwords.
One of the primary weaknesses of passwords is that people often repeat or simplify passwords in the interest of convenience, and that makes them too easy to guess. Also, passwords are often not protected well enough from hackers, as is evident from massive data breaches that seem to be in the news almost every week. “Passwords are no longer a sufficient security barrier,” Liao says.
Gartner agrees that passwords are on their way out, and predicts that 60 percent of large enterprises and 90 percent of midsize enterprises will implement passwordless options in more than 50 percent of use cases by 2022.
According to Liao, biometrics will lead the way in the passwordless world. “They are so secure and convenient,” he says.
Liao expects different types of biometrics — such as face, iris, and fingerprints — to be used for different applications. “Let’s say you want to unlock your phone,” he says. “Most people would prefer a convenient hands-free approach and camera-based facial or eye recognition would be the preferred way. But the face is not as secure a modality, and you might want to use fingerprint to authenticate a financial transaction.”
A new data paradigm
Replacing passwords with biometrics will also change how people relate to their data, from how they access and store information to how they interact and process it.
Biometric identification and verification could remove the hassle of remembering passwords and PINs. Moreover, users won’t have to worry about constantly updating their passwords to ensure their credentials are not hacked.
With passwords or security questions, access to data currently depends on shared secrets between users and central authorities — such as banks, government agencies, and network administrators. Biometrics will replace the current “what you know” password method with “what you are,” relying on people to validate themselves with unique personal characteristics to verify their identity and get access to their data.
The use of biometrics should lead to an increased sense of security because everyone’s identifiers are unique to them, and not as easy to fake. But that’s also what makes them tricky. If someone’s fingerprint, iris, face or any other biometric identifier is compromised, they can’t get another one.
One of the biggest challenges for companies rolling out biometric authentication systems is to ensure that they don’t somehow expose such sensitive information.
The solution, according to Liao, is to avoid storing biometrics data in a centralized repository. “Instead,” he says, “let credentials stay in users’ mobile devices and use standards-based authentication, such as Fast Identity Online (FIDO) protocols to verify users.”
HYPR, a New York-based startup, is working on a decentralized authentication approach in which biometric credentials are stored safely on user devices. The idea is to eliminate the use of centralized databases of passwords and other credentials — forcing hackers to attack devices individually, thus diffusing the threat of mass credential breaches.
Bojan Simic, co-founder and chief technology officer at HYPR, says the decentralized security approach creates significant friction for the bad actors who weaponize credentials for fraud through account takeover.
“It also disrupts a hacker’s attack vector,” he says, “as they can no longer focus on huge server stockpiles of user credentials and must instead go to individual devices to attempt to obtain a single user’s credentials.”
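The decentralized model described above, as an added example that is not HYPR's or the FIDO Alliance's code: the device keeps the private key and the biometric template, while the server stores only a public key and verifies a signature over a random challenge. The message layout is simplified rather than the real FIDO encoding, and `createDevice`, `createServer`, `breachDump` and `bank.example` are hypothetical names.

```javascript
const crypto = require("crypto");

// Device: the private key and the biometric template stay here. A local
// biometric match only unlocks signing; neither value is ever transmitted.
function createDevice(enrolledTemplate) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    // Registration output: the only thing the server ever receives.
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
    sign(origin, challenge, sample) {
      if (sample !== enrolledTemplate) return null; // stand-in for a real fuzzy matcher
      return crypto.sign("sha256", Buffer.from(`${origin}|${challenge}`), privateKey);
    },
  };
}

// Server: stores public keys only and issues single-use random challenges.
function createServer(origin) {
  const keys = new Map();    // user -> public key PEM
  const pending = new Map(); // user -> outstanding challenge
  return {
    origin,
    register(user, publicKeyPem) { keys.set(user, publicKeyPem); },
    challenge(user) {
      const c = crypto.randomBytes(32).toString("hex");
      pending.set(user, c);
      return c;
    },
    verify(user, signature) {
      const c = pending.get(user);
      pending.delete(user); // each challenge is accepted at most once
      if (!c || !signature || !keys.has(user)) return false;
      return crypto.verify("sha256", Buffer.from(`${origin}|${c}`), keys.get(user), signature);
    },
    breachDump() { return [...keys.values()].join("\n"); }, // all an attacker could steal
  };
}

function demo() {
  const server = createServer("https://bank.example"); // hypothetical origin
  const phone = createDevice("constructed-template");  // constructed sample value
  server.register("alice", phone.publicKeyPem);
  const sig = phone.sign(server.origin, server.challenge("alice"), "constructed-template");
  const login = server.verify("alice", sig);
  server.challenge("alice");                      // a fresh challenge is now pending
  const replay = server.verify("alice", sig);     // old signature no longer matches
  const wrongUser = phone.sign(server.origin, server.challenge("alice"), "other-person");
  const dumpHasSecret = /PRIVATE KEY|constructed-template/.test(server.breachDump());
  return { login, replay, rejected: server.verify("alice", wrongUser), dumpHasSecret };
}
```

A dump of the server's store contains only public keys, which is why a breach of it yields nothing that can be replayed as a login.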
The use of biometrics should help eliminate fraud and reduce the risk of large-scale data breaches. “Cybersecurity teams will succeed with biometrics if they embrace it as a gradual process,” Bojan says. “Find areas of your business where biometrics can have the greatest effect quickly and deploy the capabilities there. This can be for internal use cases or consumer-facing apps.”
For enterprises interested in better safeguards against hackers, Liao says biometrics offer the “practical combination of security and convenience.”