Authenticating who is truly behind any action, whether it’s logging into Twitter or accessing a bank account, is the biggest challenge in security today.
At the enterprise level, this reality is infinitely more critical: businesses need to completely secure access to their systems and data and be certain that only those who are granted access have it. At the same time, companies must also make sure their employees are able to work as productively as possible — and constant and stringent security protections would certainly get in the way of “business as usual.” These situations create a dichotomy that firms and security experts have struggled to overcome.
To date, PINS, passwords, and OTP hardware have been the compromise of choice: enough to authenticate a user’s access, but not so burdensome that employees can’t get their jobs done. The problem? They don’t work. In 2016, the five biggest data breaches – including headline-making cases like Yahoo! and the DNC — all involved compromised, weak or reused passwords. That’s more than troubling — that’s a call for a total security reset.
Still, if the security issue isn’t convincing enough, just take a look at the numbers:
- The average enterprise spends $180,000 annually on password resets per 1k end users
- The average enterprise loses 1,000 hours/year to password resets per 1k end users
- On average, 20% – 50% of all help desk calls are for password resets
Talk about adding insult to injury: passwords aren’t just failing; they’re costing us money.
A security overhaul is an expensive and scary prospect for most enterprises: assessing vendors; buying and deploying new software and hardware; developing and enacting new procedures. It’s no wonder companies have been dragging their feet on making such a big change. But what many organizations likely don’t realize is that an investment they’ve already made is also a door to a new level of security: mobile devices.
It does seem perplexing, given the amount of security headaches BYOD and MDM have given organizations over the past decade, but innate in mobile hardware are all the components needed for an emerging and objectively stronger method of enterprise security: biometrics. From the camera to the accelerometer to the oft-used TouchID pad, a full suite of security features is already at our fingertips:
Fingerprint: We’re all familiar with fingerprint scanners: first introduced in 2011, on the Motorola Atrix 4G, TouchID and similar technologies are now a de facto hardware feature on our mobile devices. First introduced to allow us to bypass the lock screen security passcode, many apps now deploy it as an authentication measure. Fingerprinting has long been the most popular biometric application, in the physical and digital world, so it’s no wonder that it holds the ranking as the most popular mobile biometric. And even though there are (founded) concerns about spoofing, the broad commercial deployment and adoption of fingerprint scanners make it an ideal practice for enterprise biometric security – though, likely best as part of a multi-factor authentication sequence.
Face: The popularity of selfies led mobile device manufacturers to put a camera in the front of the phone; now, enterprises can take advantage of this tiny upgrade to implement facial recognition as an employee authentication factor. Facial recognition software uses algorithms to identify and authenticate distinguishing facial features, and additional security measures can be put in place by requiring active biometrics – that is, asking a person to smile, nod or blink to authenticate. Of course, many employees may be wary of taking a selfie in a meeting in order to do something like accessing their email, so enterprises should take note about when and how facial recognition is required for access.
Hand Recognition: A newer biometric, hand recognition uses the flash and rear-facing camera to take a photo of a person’s four fingerprints – increasing the security level above regular fingerprint recognition. Additionally, the use of flash addresses some of the concerns encountered in the front-facing camera because there are fewer issues with lighting that can lead to an inaccurate reading.
Iris Scan: Iris scanning is showing promise in enterprise deployments – especially after the launch last year of the Samsung Galaxy Note, which was one of the first mobile devices to come equipped with an iris scanner. The unfortunate demise of that device has taken the technology back a few steps, but rumors that the iPhone 8 could replace TouchID with iris scanning may put this technology back in rotation in a significant way.
Behavioral: A phone’s hardware and software bring along a suite of solutions that make ongoing and continuous authentication possible. While we’ve been discussing physical biometrics – using parts of a person to identify them – it’s also possible (and increasingly promising) to use a person’s actions. Behavioral biometrics can be measured by a device’s myriad sensors: has the device moved to a new location, has the microphone picked up your voice recently, how is it being carried, does the movement pattern and gait match yours, when was the last time the camera captured your face, etc. Through constant, passive data collection, your phone can be “confident” that it’s still you using the device and won’t continually ask for credentials or log you out; however, if the confidence score drops below a specified level, either because you’ve moved to an unfamiliar area or haven’t used the phone in a while, the app might ask you to log in with your physical biometric again.
Our mobile devices provide that “last mile” needed to empower biometrics. Biometrics provide a realistic solution to the problems of weak and inappropriate authentication solutions, while at the same time delivering convenient, people-centric authentication solutions to the latest mobile devices. Convenient biometric authentication allows a business to support a greater level of features for its mobile workforce and can even be integrated into Enterprise Mobility Management (EMM) solutions to enable strong security policies to be enforced for mobile solutions. It also solves the cost headache associated with passwords: biometric authentication can reduce password resets, help desk requests, and support calls by up to 50 percent, according to Gartner.
There are many things to consider on the journey to killing enterprise passwords, but thanks to mobile devices, hardware doesn’t need to be one of them.