Can Biometric Authentication Solve Our IAM Problems?
Most office workers will tell you that proper management of a company's digital assets is one of the major problems system administrators face. In theory, a reliable Identity and Access Management (IAM) system is the first and most important step towards overcoming this challenge. Most office workers will also tell you, however, that they have yet to see a truly well-designed and properly configured IAM system.
While the world is moving forward, IAM systems are sitting still
Here's a recent incident that illustrates the problem rather clearly. In late 2018, a member of Microsoft's support team somehow managed to lose their workplace login credentials. The username and password fell into the hands of crooks who spent at least three months reading through email messages and other information that belongs to an undisclosed number of Outlook users. Although Microsoft doesn't appear to be too keen on sharing many details, the information we've got is enough to conclude that the Redmond-based software giant made a few mistakes.
For example, we may not know the exact position of the support person that got their credentials exposed, but we know that they had access to things like email messages, attachments, subject lines, and sender and recipient addresses. Even if you think that a support person should have access to this type of data, the breach disclosure pointed out that the attack came from outside Microsoft's network which, in itself, suggests that two important things were missing: two-factor authentication and geolocation restrictions. In other words, all that stood between the attackers and people's personal information was a set of login credentials.
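The two missing controls named above, a second factor and a restriction on where privileged sessions may originate, are straightforward to express as an access-decision function. The following is an added illustration, not Microsoft's logic or code from the article; the network ranges, role names and the login attempts are constructed for the example:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed: address ranges standing in for the corporate network (RFC 1918
# space plus a documentation prefix). A real deployment would load these from
# its network inventory.
CORPORATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed: roles that are entitled to read mailbox metadata and content.
MAILBOX_ROLES = {"support", "mailbox-admin"}


@dataclass
class LoginAttempt:
    username: str
    role: str
    source_ip: str
    mfa_verified: bool  # True only after the second factor has been checked


def is_corporate_source(ip: str) -> bool:
    """True when the source address falls inside an allowed network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def evaluate(attempt: LoginAttempt) -> Tuple[bool, str]:
    """Decide whether this session may touch mailbox data.

    Every check is independent, so a single stolen password is never enough
    on its own: the attacker would also need the second factor and a foothold
    inside the corporate network.
    """
    if attempt.role not in MAILBOX_ROLES:
        return False, "role not entitled to mailbox data"
    if not attempt.mfa_verified:
        return False, "second factor required"
    if not is_corporate_source(attempt.source_ip):
        return False, "mailbox access restricted to corporate network"
    return True, "allowed"


def audit(attempts: List[LoginAttempt]) -> List[Tuple[str, bool, str]]:
    """Run the policy over a batch of attempts and return one verdict per row."""
    return [(a.username, *evaluate(a)) for a in attempts]


if __name__ == "__main__":
    # Constructed attempts: a password-only login from outside the network
    # (the scenario in the breach) beside a fully verified internal one.
    sample = [
        LoginAttempt("agent-01", "support", "198.51.100.7", mfa_verified=False),
        LoginAttempt("agent-01", "support", "10.4.2.19", mfa_verified=True),
        LoginAttempt("intern-02", "helpdesk", "10.4.2.20", mfa_verified=True),
    ]
    for row in audit(sample):
        print(row)
```

The order of the checks matters for logging: the reason returned is the first control that failed, which is the one a detection team would want surfaced when a valid credential is tried from an unexpected location.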
Can biometrics help companies protect their data?
We've talked about how the password is slowly but surely becoming the authentication method of yesteryear. Although it was reliable enough some time ago, in the modern threat landscape, it is starting to show its flaws. And yet, even multi-billion-dollar giants like Microsoft still rely on it for some pretty important tasks.
For the time being, the only real alternative comes in the form of biometric authentication. But how likely are companies to start implementing biometrics into their backend infrastructure? And how many problems will this solve?
Nobody can really answer the first question definitively, but it's fair to say that unless we come up with another revolutionary way of giving the right people access to the right information, biometrics will probably be a part of our office routine at some point in the future. There are, of course, obstacles like the investment in hardware components, but as the technology evolves, the prices are going down, and sooner or later, the benefits will outweigh the initial outlay. There are certainly quite a few benefits.
No more weak passwords
In an IAM system, employees have one password with which they access all the information they need to do their job. This certainly makes day-to-day activities much easier, but it also creates a problem.
Because we have a one-password-to-rule-them-all scenario, you must make sure that employees use a strong password. Experience has taught us that left to their own devices, users just won't do it. Even if you put specific requirements, like, for example, mandatory use of digits and special characters, people will still come up with something like "Password123!". When they’re trying to protect their own social media accounts, this is hardly ideal, but when corporate data is on the line, the stakes are much higher, especially for the people who are in charge of keeping it safe.
The implementation of a biometric authentication system eliminates this problem. People can't have easy-to-guess fingerprints or retinas, and the biometric data will never be susceptible to brute-force or dictionary attacks.
No more reused passwords
Some of you will try to nudge employees towards better passwords by not only enforcing requirements for the use of numbers and symbols but also by disallowing known passwords or keyboard patterns. Even this can't guarantee that they will treat their passwords right.
Most likely, some of them already have a reasonably strong password which they use for their personal accounts. They will probably think that creating and remembering another strong password is just not worth the effort, so they'll just use their personal one. Then, one of the online services they use will get breached, and their password will end up on a credential stuffing list. If, like Microsoft, you have configured your systems to be accessible from anywhere in the world, this could soon turn into a rather big problem.
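The two sections above describe a policy that checks complexity, rejects known passwords and refuses keyboard patterns, and they point out why "Password123!" sails through naive complexity rules. The following validator is an added example, not code from the article or from any particular IAM product; the breached-password set and keyboard rows are constructed stand-ins for a real breach corpus and layout table:

```python
import re
from typing import List

# Constructed: a tiny breached-password sample. A real check would consult a
# full breach corpus, ideally via a hashed or k-anonymity lookup so the
# candidate password never leaves the authentication service in the clear.
KNOWN_BREACHED = {"password", "password123!", "welcome1", "summer2019!"}

# Constructed: rows of a US keyboard used to spot "qwerty"/"1234" style runs.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def meets_complexity(pw: str) -> bool:
    """The naive rule set: length plus each character class present."""
    checks = [
        len(pw) >= 12,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return all(checks)


def has_keyboard_pattern(pw: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters walk along a keyboard row
    in either direction (e.g. 'qwer', 'rewq', '1234')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def in_breach_list(pw: str) -> bool:
    """Match the password as typed (case-folded) and with the trailing
    digits/symbols stripped, so 'Password123!' is recognised as 'password'
    plus a suffix rather than as a fresh secret."""
    lowered = pw.lower()
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    return lowered in KNOWN_BREACHED or (stem and stem in KNOWN_BREACHED)


def evaluate_password(pw: str) -> List[str]:
    """Return the list of policy failures; an empty list means accepted."""
    failures = []
    if not meets_complexity(pw):
        failures.append("does not meet length/complexity requirements")
    if has_keyboard_pattern(pw):
        failures.append("contains a keyboard-row sequence")
    if in_breach_list(pw):
        failures.append("appears in a breached-password list")
    return failures


if __name__ == "__main__":
    # Constructed candidates: the article's example, a keyboard walk that also
    # satisfies complexity, and a passphrase that passes every check.
    for candidate in ["Password123!", "Qwerty1234!!", "Correct-Horse-Battery-9"]:
        print(candidate, "->", evaluate_password(candidate) or "accepted")
```

Note that "Password123!" passes the complexity check and is only caught by the breach-list lookup, which is the point the section makes: composition rules alone do not stop a credential-stuffing list from matching.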
Biometrics eliminates the threat in two ways. First, biometric authentication requires the physical presence of a person which severely limits the ability of hackers who like accessing information remotely. In addition to this, we have yet to see lists of biometric details that have been stolen from one online service and can be used against another.
No more forgotten passwords
You can try to go around people's reluctance to take security seriously by taking the password creation process into your own hands. Every employee gets a long, complex, and unique password without which they can't do their job. While some may argue that this means "forcing" security down people's throats, others will say that there's nothing wrong with it as long as the valuable data is protected.
Unfortunately, there is a problem because in most cases, people will try to memorize the long, complex password you've given them, and inevitably, some will fail to do so. Those who can't be bothered with remembering it will write it down on a piece of paper or stick it to their monitors, which isn't exactly commendable behavior, either.
When people forget their passwords and/or lose the yellow pieces of paper they've written them on, they need to have them reset. And this is a waste of time both for the employees and for the sysadmins. For obvious reasons, this won't be a problem in a biometrics-based IAM system.
No more unhappy employees
Why are more and more smartphones and tablets equipped with biometric authentication? Well, as we have established so far, login mechanisms of this sort have certain advantages over the traditional username-and-password scheme. The main reason why vendors are letting us unlock our devices with our fingerprints, faces, and, more recently, retinas, however, is because it's so much more convenient.
Remembering a single strong, long, and unique password requires a not insignificant mental effort, and typing it takes valuable time. By contrast, anyone with a fingerprint reader or face recognition on their mobile phone will tell you that biometric authentication is much easier and all but instantaneous.
Putting as few obstacles in front of employees as possible can improve their morale and productivity. That's what the boss wants, and that's what biometric authentication promises. So, what are we waiting for, then?
Things we need to consider before we get too excited about biometrics
Implementing biometric authentication can certainly solve many problems companies are currently experiencing with their IAM systems, but unfortunately, doing it is not as straightforward as installing a few fingerprint readers.
As we mentioned at the beginning of the article, setting up a biometric system costs money which is bound to upset the accountants, but even if they cave in, sysadmins should still keep one or two things in the back of their minds.
For example, they shouldn't forget that although it has come a long way, the technology is still not perfect. If it were, we wouldn't have had a password as a backup authentication mechanism on our face-recognizing and fingerprint-reading smartphones.
As soon as we make it reliable enough, we will start implementing it, that much is certain. The more popular it becomes, however, the more likely it is to fall in the cybercriminals' sights. So far, we have yet to see any large-scale, successful attacks on biometric authentication systems in the wild. Let's just say, however, that over the years, we have introduced many new pieces of technology that are supposed to make our online lives more secure and convenient. The crooks have attacked all of them, and with most, they successfully found a way around them. Whether biometrics will be among the few exceptions is for time to tell.