When it comes to password managers, the humble combination of a username and password has secured our access to information since the start of IT. Although this model is still largely the norm, a paradigm shift is on the horizon: new passwordless solutions and technologies, such as biometrics, are gaining popularity and laying the foundation for a more secure standard for accessing information in the digital world.
About the author
Philip Black is Commercial Director at Nomidio.
Yet, while a combination of passwordless authentication and biometrics could transform digital authentication and security, misconceptions about privacy breaches, accuracy levels and security risks may hinder widespread adoption. This article will debunk some of the most common myths associated with passwordless authentication and biometrics, as well as the improvements that need to be made to the current passwordless model.
[HEADING=1]Myth: "Going passwordless is less secure"[/HEADING]
Reality: There is already widespread agreement that today's method of letting people prove "they are who they say they are" through a username and password does more harm than good. In addition to being hard to remember, offering a poor user experience and requiring significant help desk support for resets, passwords simply aren't secure, no matter how complex you make them.
In fact, traditional shared secrets such as passwords, PINs and consumers' personally identifiable information (PII) are the root enabler of the majority of today's most common cyber attacks, as they can be shared and may already have been stolen in high-profile data breaches and sold on the dark web.
The reality is that going passwordless is far safer than the situation we are in now. In particular, introducing a multi-factor biometric check for authentication can help eliminate the vast majority of common attacks such as credential stuffing and phishing. Credentials can't be lost, stolen or shared when they are your own face and voice patterns: the legitimate user must actually be present to log in, which leads nicely on to the next myth.
[HEADING=1]Myth: "Passwordless is unnecessary when you have 2FA in place"[/HEADING]
Reality: This may seem an odd misconception, but it is worth addressing given the multitude of approaches to passwordless authentication.
The logical response to password insecurity over the last few years has been to layer additional "factors" on top of the password. By asking people to validate their identity based on "something they have", for example by entering a one-time passcode sent to their mobile phone or email, it is possible to make life much harder for hackers. Also known as two-factor authentication or "2FA", this approach is becoming mainstream, particularly in the world of e-commerce.
However, the weakness of all device-based approaches is that you are not authenticating a specific person; rather, you are allowing whoever has access to the phone (or email account) to authorize the event. For example, if someone obtains my PIN (by phishing or by looking over my shoulder), they can "unlock" the authenticator app on my phone and approve the authorization themselves. Further, does it really make sense for someone's identity to be tied to their device? What happens if you're trying to log in to a work application to meet a deadline while you're out on the road and your phone runs out of battery?
Instead, a multi-factor authentication (MFA) cloud service based on biometrics has the potential to deliver a step change in both security and user experience. Rather than asking users to remember a password, biometric identifiers such as a voice print and a face print can be stored so that the user can be authenticated on any device they are logging in from.
[HEADING=1]Myth: "Biometric technology is an invasion of privacy"[/HEADING]
Reality: It is easy to see how this misconception came about. Biometric authentication has seen rapid growth on the journey to going passwordless, as the technology balances protection with a frictionless user experience. However, you often hear stories about how live facial recognition is being used, almost always without consent, to "monitor" and "keep tabs" on a population, leading to fears that "Big Brother is watching you".
However, the facial comparison and recognition technologies used in mobile and cloud applications are very different: they are individualized, opt-in use cases. This means that an employee or consumer freely consents to enroll in the system in order to log into their account or to add an additional layer of security to it.
In a well-designed biometric authentication system the user remains in absolute control, and his or her biometric data is never actually shared with the sites, apps or businesses where the user logs in. Instead, the biometric data is stored just once in a service that can undertake a check on behalf of multiple organizations. This is how we have designed Nomidio: the user remains in total control, and their consent is required before their Nomidio biometric ID can be checked. In fact, we've gone a stage further, using secure multi-party computing to prove beyond doubt that a person's biometric data can never be accessed or queried without their explicit consent.
[HEADING=1]Myth: "It is too expensive to deploy biometrics and the costs outweigh the benefits"[/HEADING]
Reality: Biometrics is by no means a new technology; it was first spoken of seriously at the start of the millennium, primarily as a way to control access to, for example, bank vaults. For many years it was unable to spread beyond such niche markets because of the costs involved. So, while biometrics may have offered an obvious extra layer of security for some time, it has been too costly to deploy.
This is no longer the case. The economics have recently improved, and with cloud-based SaaS deployments the complexity and barriers to entry have reduced significantly. This means that any organization, large or small, can deploy and scale a passwordless biometric authentication solution quickly and simply. Sophisticated biometric matching engines are now accessible via the cloud, removing the need for costly IT projects.
Further, taking a longer-term view of the cost-benefit analysis, these cloud-based deployments can rid businesses of expensive regular security updates to hardware, as well as of the need for users to waste time regularly resetting passwords and draining the resources of IT support teams.
[HEADING=1]Myth busted[/HEADING]
The persistence of the password model is the reason why the large majority of breaches today aren't really hacking at all, but bad actors simply logging in with valid user credentials they've obtained elsewhere. If we're serious about tackling identity theft and data breaches, then we must finally put to bed some of the misconceptions around passwordless authentication and biometrics. And if we're serious about building a frictionless user experience alongside government-grade security, then it is hard to ignore the overwhelming benefits of multi-factor biometrics.