Biometrics: the future of security

Risk Management03 May 2023

Joe Palmer iProov bids a farewell to passwords

‘Incorrect password. Click here to reset’

‘Please add a capital letter and a number’

‘Your new password cannot be the same as your old password’

These are messages we’ve all seen pop up on our phones and laptops countless times - and not ones that bring us joy. Amid a busy working day, there’s likely nothing more sigh-inducing.

Passwords are a central part of working life, but it’s no secret they’re becoming increasingly inadequate both as a security feature and from a user experience perspective.

Research from Microsoft indicates password-based attacks rose by 74% between July 2021 and June 2022, with 32% of businesses and 24% of charities in the UK being victim to a cyberattack over the last year. Amid an economic downturn while businesses have even less cash to play with, the cut in spending on cybersecurity and the rising cost of cyber insurance costs is also making businesses more appealing targets.

Businesses need to move beyond passwords by fully understanding the risks they create and what the strongest alternatives are.

Is the payroll password the same as Twitter’s?

Few things make a hacker’s job easier than password sharing. Once they have one password that works, it’s relatively easy to successfully compromise other apps and accounts.

According to a recent study by Password Manager, 47% of workers admitted to abusing credentials tied to a former employer after leaving the company with 44% saying they were able to regain access to company networks and resources via someone still working at the organization.

Password managers are often touted as a secure solution to password sharing by adding a new layer of security to the existing password rich infrastructure. Yet the past few months have seen multiple attacks on password managers - such as LastPass and Norton LifeLock.

With thousands of customers being notified that their stored passwords have been accessed, are there any options left to preserve the value of passwords?

What’s the alternative?

Multi-factor authentication (MFA) has gained some momentum in the enterprise world in the last few years and does help strengthen the security of passwords. However, according to The Cyber Readiness Institute still less than half (46%) have implemented MFA, while only 13% mandate its use.

While MFA like SMS one-time passwords (OTPs) and multi-device app authentication are certainly more secure than a password alone, they are still, ultimately, underpinned by passwords. This means the accounts are remain highly vulnerable to phishing attacks and compromise as they can easily be shared. MFA that uses passwords is essentially just applying a band-aid over the existing problem.

The answer is migrating to an un-shareable credential, like biometrics. Unlike a note on your desktop or unprotected password folder in a company shared drive, biometrics always belong to the user and cannot be transferred or compromised online in the same way or at the same scale.

You can forget a password, but you can’t lose your face – and vice versa, a criminal can steal and quickly share a password, but your face is much trickier to spoof. Not forgetting that it’s a far better user experience too.

Biometrics: the un-shareable credential with potential

Some organisations might wince at the thought of adding biometric authentication into their systems. But modern solutions aren’t storing your employees’ fingerprints in an Excel spreadsheet somewhere with all their personal information.

Today, there are ways of implementing biometrics whereby the data is highly encrypted and separate from personal identifiers.

Cloud-based systems are both more secure and convenient, making it easy to integrate into existing enterprise security infrastructure and more resistant to attack. This is because cloud can support AI-powered intelligent software defences that evolve constantly and quickly adapt to navigate new threats online.

Considering a workplace environment, where laptops and smartphones all already come with cameras, face biometrics also means organisations don’t have to fork out for new hardware to improve security. Users also only need to look at a screen to verify themselves, providing the highest level of accessibility and inclusivity via the most passive authentication experience.

Avoid paying the ultimate price

Businesses have shown they are slow to deviate away from what they know – just look at the low MFA adoption figures mentioned earlier. And in a difficult economy, the adage of “if it isn’t broke” can often apply. But too many businesses leaders are underestimating the value of effective security and the price they could pay if attacked.

With half of UK SMEs having ever been victim to a cyber-attack, integrating a phishing-proof, robust biometric authentication system is the single best way organisations can arm themselves against attacks that can so easily mean the end of their business. It’s better for employees and the business.

After all, paying the ultimate price under the weight of repairs, reparations and reputation is far more costly than the investment in better security today.

Joe Palmer is Chief Product and Innovation Officer at iProov

Main image courtesy of iStockPhoto.com