Overwhelmed with Passwords? Consider FIDO-Based Biometric Authentication

Security is a never-ending nightmare for IT and end users alike. All too often, security administrators within enterprises respond to the latest headlines about cyber breaches by doubling down on passwords. They demand that users make passwords ever more complex and longer, with numbers, special characters, and a mix of upper- and lowercase letters. And they force users to change passwords often.

These security administrators are right to be vigilant. The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak, or default passwords.

The trouble is, users are overwhelmed by multiple, complex passwords. The average user has 27 passwords, according to a recent Intel survey. As a result, they turn to sticky notes, password managers, and shortcuts, such as using the same password for multiple systems, to jog their memories. These shortcuts give hackers something to go after as they look for ways to compromise accounts. Even if users do practice good password hygiene, they can still be tricked into giving passwords away through phishing attacks.

Another way companies attempt to boost security is by providing a second authentication factor. Users log in with an RSA hard token or the app sends a code or one-time password (OTP) to their smartphone. The user types it in and the app matches the two.
But if someone steals the user’s phone and gains access to that person’s email, the thief can log on to the user’s applications. Indeed, the National Standards Institute of Technology (NIST) no longer recommends two-factor authentication systems that use SMS because of their many insecurities.

There is another solution. FIDO-based biometric authentication offers the security of strong passwords, but it is much easier for people to use and less expensive for companies to manage and maintain.

How Biometric Authentication Works

A consumer-grade biometric authentication solution that is not FIDO compliant works this way: A mobile device is used to capture biometric data, such as a fingerprint. A predefined policy determines which form of biometric authentication the system will request. When the user wants to access the application, he or she simply touches the fingerprint template to be authenticated.

This type of authentication is easier and more convenient because users no longer need to remember complex passwords—nonduplicative biometrics do the job for them. But this method of authentication is no more secure than a strong password.

Greater Security

But what if you’re a security administrator for an enterprise in the financial services or healthcare sector that requires greater security?

With biometric-based authentication, you have options. For starters, you can take advantage of more accurate biometric modalities. Face scans are one example. Face scanners don’t work with a photo that can be photo-shopped; they require the user to move to ensure liveness. In the future, Biometric authentication can also be based on behavior, such as the way the user types or holds the phone or says a password to deliver even greater accuracy and security.

Another way to achieve heavy-duty security is through the use of enterprise-grade FIDO-based biometric authentication, which uses both local and server-based authentication.

The server component enforces authentication policies. For example, less risky operations such as reading a document might require a fingerprint scan, while those that present greater risks might demand a more secure form of authentication such as a facial scan. Security administrators can even set policies that specify which applications can access the server.

Enterprise-grade FIDO-based biometric solutions also employ a PKI-based infrastructure, which uses public and private key cryptography. The biometric template and the private key are encrypted and stored in the OS of the customer device, where hackers can’t intercept them.

The encrypted public key is sent to the FIDO server located behind the corporate firewall. Even if the device is lost, the biometric template stored on it can’t be used because the public key on the server can be de-provisioned. Previous approaches used server-side authentication, which stored credentials on servers behind the financial institution firewalls, creating an attractive repository for hackers.

Security will always be a necessary evil. But FIDO-based enterprise-level biometric authentication makes logging on an easier, more convenient experience for end users. And it gives security administrators far greater control over the process so that they can better manage and mitigate security risks.