As organizations work to prioritize cybersecurity and develop trust in online interactions, innovative solutions to identity and access management (IAM) are emerging to create convenient and secure systems for authentication. Companies are looking for methods to manage access, stop data breaches, and have confidence in the identity of the person completing any transaction. Maintaining control over who can access what and where they are able to gain access is key for an organization to secure its data and protect its reputation. But while some methods for verification allow the company to manage access, others dilute their control over security and fall short of actually verifying an individual’s identity.
Methods used in multi-factor authentication
Multi-factor authorization (MFA) methods have become the industry standard and commonly employ a mix of passwords, one-time passwords (OTP) sent to a different device or biometric measurements. By using a combination of these, companies can reduce the threat of a data breach by 80-90%. Professionals think of these as three categories for authentication, things you know, things you have, and things you are. Passwords and safety questions are things you know. These methods are particularly susceptible to phishing and need to be backed up with another method. OTPs and physical tokens are based on things you have. By sending a passcode to another device, you prove you possess access to that device. Of course, tokens and phones can be handed off or misplaced, and confirming a device is not the same as confirming the person using it.
Identity-bound biometric measurements give the user a convenient way to authenticate who they are. Fingerprints, voice recognition, and other biometric methods are nontransferable; they can’t be lost, stolen, or faked. But beyond a secure method for authentication and the convenience for the user, companies are also considering the best ways to manage access and retain control over the integrity of their cybersecurity practices.
Device-based and identity-bound approaches
Even with biometric authentication methods, organizations need to understand differences in the level of security device-based biometrics offer versus identity-bound approaches. One of the key security differences is who has control over the biometric enrollment. With device-based biometrics, the power of enrollment is given to the user rather than the company. The user’s identity is enrolled and stored on the device, giving anyone with access to the device the ability to enroll additional users. When companies surrender the power of enrollment, they develop a security blind spot. They can verify that an enrolled user acted on an approved device, but this falls short of the company actually confirming that the enrolled user is the authorized user they intend to have access. What is being verified is an encrypted key from a device that ultimately has no direct connection to the person themselves.
Identity-bound biometrics have users enroll their biometric measurements, which the organization then stores. For example, the data from a fingerprint is enrolled with the company, encrypted, algorithmically changed, and stored to be paired with the input from a user logging in, going through the same encryption and algorithmic process. By centralizing the biometric templates, organizations gain two distinct advantages. First, they can grant or restrict access to a single user across multiple devices and locations. This means that the authentication needed to log in can be verified from any device rather than enrolling a user onto every device they need access to, giving the user the flexibility to switch from device to device without re-enrollment. This agility and convenience are especially important when a worker deals with sensitive information, like financial statements across multiple locations.
Second, centralized enrollment also closes the security gap present in device-based options where unauthorized enrollments are possible based on access to the device. By maintaining the power to choose who has and does not have access centrally rather than on the device, unauthorized users cannot exploit device access to gain entry to the system at large.
While biometrics offer a secure way to confirm a person’s identity, how that data is stored and managed impacts its level of security and, even more importantly, its integrity. In order to build trust and maintain a good reputation, companies need to factor in their own visibility into the identity of users accessing their systems beyond what a person knows or what they own and into the realm of actually verifying who they are. By keeping the power of enrollment, companies can stop data breaches or leaks, manage access across platforms and devices, and trust that the user is whom they say they are.