Biometric security is on a sharp growth curve, according to a number of recent research reports. The technology is on the rise in large part due to the fact that many mobile users have become comfortable using tools such as fingerprint identification for access.
But does biometrics have a huge role to play in corporate security programs? We asked several experts to weigh in on the pros and cons of biometric security.
First, here’s a look at some of the market projections.
Juniper Research, in a recent report, says more than 770 million biometric authentication applications will be downloaded each year by 2019. That’s up from just 6 million this year. The report cites Apple’s combination of its Touch ID authentication with tokenization in NFC payments as an example of high-profile adoption of biometrics.
The Juniper study says fingerprint authentication will account for the overwhelming majority of apps, driven by increasing deployment of fingerprint scanners within smartphones.
Another report, by Acuity Market Intelligence, forecasts that rising demand for smartphones, tablets and wearable mobile devices that incorporate biometrics will drive a global market of 2.5 billion users with nearly 4.8 billion biometric devices by 2020. Within three years, biometrics will become a standard feature on smartphones as well as other mobile devices, Acuity says.
And ABI Research says overall revenues for the biometrics market are expected to hit $13.8 billion in 2015. The majority of revenues in most biometric recognition technologies are still coming from governmental entities, ABI notes. But due to increased consumer acceptance of biometric tools, consumer and enterprise segments are predicted to catch up with governmental spending in late 2017, becoming the dominant portion of the market.
Security experts see both positives and negatives with biometrics technology.
On the plus side, biometrics is an effective way to prove the true identity of individual users.
“The most obvious benefit is that it ‘proves’ a person’s identity with a greater level of assurance,” says Jason Taule, CSO at FEI Systems, a provider of health-related technology products. “The presumption of course is that the biometric is used in combination with something the person knows. This is very important in situations where the access is to higher-level systems [or] resources.”
With biometrics, “you know that the individual accessing secure areas or information is not just an individual holding the proper credential, but is in fact the person who has been granted access,” says Maxine Most, a principal at Acuity Market Intelligence. “This improves security and provides an audit trail.”
Biometrics can also provide increased convenience. “Although there are clear differences between differing biometric options [for example, fingerprints versus iris scan], the advantage of using this technology for authentication is that a person cannot forget it like they can with a password, nor can they leave it behind or have it stolen like they might with a token,” Taule says. “This can also translate into lower work volumes for the help desk and potentially labor savings.”
Unlike password-based methods, biometrics provides “strong authentication”, by which someone cannot later repudiate having taken an action, Taule says. And depending on how the system is implemented, there’s the potential to use biometrics to authenticate to a portal or access authority, which then affords access to other resources.
Biometrics, if done correctly, “can solve many problems with only using user [identification] and passwords,” says Mary Chaney, senior team leader, Incident Response & Data Management, at financial services company GE Capital Americas.
“If you use a dynamic/behavioral biometric measure, like keystroke dynamics, you can gain the advantage of two-factor authentication,” Chaney says. Using keystroke dynamics allows organizations to measure each person’s keystroke dwell time (how long a key is held down) and flight time (the amount of time between keystrokes), Chaney says.
“In this scenario, just simply typing in your password will give you two-factor authentication,” Chaney says. “In addition, keystroke dynamics are very accurate and not very intrusive for the user, which are two of the biggest challenges with using biometrics in any security program.”
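As an added illustration (not code from the experts quoted or from any product), the Python example below extracts dwell and flight times from key-down/key-up timestamps and accepts a login only when both the password and the typing rhythm match an enrolled profile. The scaled Manhattan distance, the 2.0 threshold, the password "pass" and all timings are assumptions constructed for this example.

```python
import hashlib, hmac
from statistics import mean, pstdev

SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def sample(keys, dwells, flights):
    """Build constructed (key, down_ms, up_ms) events from the given timings."""
    events, t = [], 0
    for i, key in enumerate(keys):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell time per key, then flight time between consecutive keys."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(password, samples):
    cols = list(zip(*(features(s) for s in samples)))
    return {"pw": pw_hash(password),
            "means": [mean(c) for c in cols],
            # Floor the spread so a perfectly steady feature cannot divide by zero.
            "devs": [max(pstdev(c), 1.0) for c in cols]}

def rhythm_score(profile, events):
    """Mean scaled Manhattan distance from the enrolled rhythm (lower is closer)."""
    vec = features(events)
    if len(vec) != len(profile["means"]):
        return float("inf")
    return sum(abs(v - m) / d for v, m, d in
               zip(vec, profile["means"], profile["devs"])) / len(vec)

def verify(profile, events, threshold=2.0):
    """Both factors must pass: the typed secret and how it was typed."""
    typed = "".join(key for key, _, _ in events)
    secret_ok = hmac.compare_digest(pw_hash(typed), profile["pw"])
    return secret_ok and rhythm_score(profile, events) <= threshold

ENROLLED = enroll("pass", [sample("pass", [95, 110, 100, 105], [60, 80, 70]),
                           sample("pass", [100, 105, 95, 110], [65, 75, 72]),
                           sample("pass", [90, 115, 105, 100], [55, 85, 68])])
OWNER = sample("pass", [97, 108, 102, 104], [62, 78, 71])
STOLEN = sample("pass", [150, 60, 160, 70], [200, 20, 150])  # right secret, wrong rhythm
```

The threshold sets the trade-off between rejecting the legitimate user and accepting someone who knows the password, so it has to be tuned against real enrollment data.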
Another huge benefit of using biometrics is that it’s extremely hard to fake, Chaney says. “When measuring both [physiological and dynamic data], the information collected is unique for each individual and rarely changes over time,” she says. “Once done correctly there is nothing more to do or even remember in some cases. Lost IDs or forgotten passwords may be rendered nonexistent.”
Because personal data is extremely difficult to counterfeit, “biometric identifiers could be used to facilitate both physical access, for example, to certain parts of an enterprise complex, or virtual access [to] selected sites on a corporate intranet,” says Windsor Holden, research director at Juniper Research.
“These log-ins can be linked directly to a specific action, meaning that if there is a security breach from within the organization, the person who is responsible can rapidly be identified,” Holden says.
And biometrics can be used to incorporate bring-your-own-device (BYOD) into corporate security strategies, “as they link an individual to access via their personal mobile device,” Most says.
On the negative side, two of the biggest drawbacks of biometrics over the years—high costs and privacy concerns—are still issues, according to experts.
“There are typically very large startup costs to getting the infrastructure in place to make use of biometrics,” Taule says. “This is also true of second-factor physical tokens as well.”
As for privacy, it remains a major concern “because you are collecting data not only about a person, but information that makes that person unique,” Chaney says. “Many people inherently find this intrusive and a violation of their rights.”
User acceptance “can be a significant challenge, especially if individuals are uncomfortable with the idea of biometrics and see the technology as privacy invasive,” Most says. “This can create user resistance and intentional failure to acquire or authenticate via biometric readers/sensors.”
It’s important not to forget that all of the biometric data has to be digitally recorded and stored, and the security around this data must be planned out and access limited appropriately, Chaney says. “In addition, these ‘super’ highly privileged access users must also be monitored and subjected to an even higher level of security,” she says.
A major concern is if the servers storing biometric information are hacked, Holden says. “If a person’s biometric information is stolen, that could have extremely serious consequences for that individual,” he says.
Another big challenge is determining who should use biometrics technology, as well as when and where, Chaney says. “Every end user will have to submit to an examination to collect their individual data,” she says.
That process can be a daunting task for any corporate security program, Chaney says. “Hopefully, as you build out a layered security defense you will find that it is not necessary for all assets to be protected with biometrics technology,” she says. “As with any security program you must first assess what needs to be protected and then decide the level of protection.”
Integration into the security program is another issue. “Obviously there are greater barriers to entry and startup costs to get these systems up and running, compared to the relatively simple and easy deployment of password-based solutions,” Taule says.
Lack of accuracy is another potential problem. “There are solutions that can overcome these concerns, but there are factors to be considered that can hinder system effectiveness,” Taule says. “For example, if using a voice print or thumb print, what happens if someone becomes hoarse or cuts their finger?” he says.
One of the biggest challenges is the process by which the biometric is originally captured and bound to an identity, Taule says. “Often this is accomplished in person, but this has high overhead costs and is highly inconvenient for distributed organizations.”