Getty Images

Biometric revolution in IAM: The future of authentication

The IAM landscape is experiencing profound change thanks to the advent of biometrics. Learn about the latest advantages and key benefits of biometrics in identity

This article can also be found in the Premium Editorial Download: Computer Weekly: Authorised access only – biometrics in the workplace

The landscape of identity and access management (IAM) is undergoing a profound transformation, driven by the integration of biometric technologies. This evolution marks a significant shift from traditional authentication methods to more advanced, secure and user-friendly biometric services.

This comprehensive article delves into precisely that – the latest advancements in biometric technologies in the realm of IAM. 

We will explore a range of innovative offerings, from the widely recognised facial-recognition systems to the more nuanced and emerging field of behavioural biometrics. Our analysis will focus not only on the technological prowess of these systems, but also on their implications for security and privacy.

IAM is an essential security component within businesses and organisations, ensuring only authorised individuals can gain access to the company network and data. The overall aim of IAM is to implement strong user authentication to protect any data stored or transferred on the system.

Traditionally, effective IAM has been achieved in the following ways:

  • Password Verification: Passwords have been the primary method for preventing unauthorised access for decades. Protecting various aspects of the network, from user accounts to files, and areas that should only be accessed by a system administrator. 
  • Multi-factor Authentication (MFA): MFA increases security beyond traditional passwords, requiring users to provide multiple forms of identification before being granted access to a network or application. For example, this could involve a user being sent a one-time password (OTP) to their smartphone that they will need to input during the login process. 
  • Physical ID Cards: In some organisations, staff and authorised visitors are provided with ID cards to grant them access to restricted areas of a physical building. 
  • Contactless Payment Cards: Similar to ID cards, contactless smart cards have built-in chips and use radio frequency (RF) technology to store and transfer data. Most people will be familiar with this technology when using their debit or credit card, and business bank cards can sometimes be issued to pay for expenses.

Focusing on the four traditional IAM methods discussed in the previous section, we will consider their limitations and the potential risks, before examining how biometrics can help to increase security, protect against the latest threats and provide long-term protection against threats we’re yet to face. 

Password verification: Vulnerabilities

Although passwords have been key to implementing a successful IAM strategy for a long time, they still present vulnerabilities that can provide opportunities for cyber criminals. 

One such vulnerability is users sharing passwords, often the case when an individual has forgotten their unique password. This can potentially lead to unauthorised access, and possibly even result in data being stolen and misused. 

At the same time, improper removal of access during offboarding, mainly due to passwords and accounts not having an auto-expire date, can also be an issue. 

A former staff member having access to their old account could even cause significant disruption and downtime if they decide to access the network once again, perhaps even with malicious intent. 

MFA: Limitations 

Although MFA is considered an advanced form of security, it does have limitations that need to be mitigated.

MFA is typically dependent on a connection to Wi-Fi or a mobile network, allowing users to receive one-time passwords. If there is an issue such as the network being down or another technical problem, then users will not be able to gain access. 

Many users also find MFA tedious, making them reluctant to follow the necessary steps and install the appropriate software on their smartphones, which makes them and your business vulnerable to MFA fatigue attacks and reduces the overall security of your systems.

ID cards: Drawbacks

For some organisations, physical ID cards can work just fine, but they do have drawbacks that make them inferior to biometrics. 

Individuals sharing cards or borrowing them from colleagues can be commonplace in some organisations, resulting in unauthorised access to certain areas. Physical ID cards can also be counterfeited and forged by cyber criminals who have access to modern technology, presenting significant risk. 

Contactless cards: Risks

Though more advanced than ID cards, contactless smart cards can also pose several risks. Like ID cards, smart cards can be cloned using advanced technology. They can also be stolen or misplaced, allowing criminals to commit fraudulent activity –  a key consideration, as recent data shows fraud cases are up by 70% since 2020, proving how the increasing reliance on contactless smart cards has created new opportunities for cyber criminals. 

Another issue is the high cost of implementation, as a successful contactless system requires third-party software, card readers, and continuous maintenance and management. 

In this section, we will outline how biometrics can provide a modern solution to these challenges, including preventing criminal activity and improving the user experience. 

How biometrics improve on passwords and cards

The beauty of biometric data is that it is unique and impossible to share, unlike passwords, physical IDs or contactless smart cards. For example, fingerprint authentication guarantees only an authorised person can gain access. No two people share a fingerprint and extremely advanced technology is required to replicate biometric data. This offers organisations an unrivalled level of security.

A key benefit is that there’s no need to remember long, complex passwords. Users who need to remember a series of complicated passwords can often write them down or store them in an unsecured document – this increases the chances of passwords being stolen. 

Furthermore, if a person struggles to remember passwords, they could opt to use weak passwords, making them vulnerable to being guessed or cracked. Biometric authentication can create a truly passwordless environment

The issue of contactless smartcards or ID cards being stolen, cloned or counterfeited can also be overcome if these cards are replaced or combined with biometric authentication. If an ID card is required to access a high-security area, this could be combined with a retina scan. Meanwhile, contactless smartcards can be replaced by fingerprint authentication that is far more secure and cost-effective.

How biometrics make MFA more efficient

Although MFA is generally an effective form of IAM, it can be hindered by issues such as a loss of internet connectivity and a reluctance by users to commit to this more time-consuming method. A fingerprint or facial scan can replace one-time passwords, creating a more efficient process and making it even more secure.

This is more convenient when MFA is required to use individual apps, requiring multiple OTPs a day. This can also be useful when setting up permissions, as privacy and security frameworks can be established. 

For example, when using document generation tools or database software, one could ensure the files are accessible only to select members of the organisation, and they’ll only be able to access them through voice recognition, facial scans, or even fingerprints. 

This also means users are no longer reliant on their smartphones to gain access or worrying about maintaining a connection to a mobile network. Biometrics improve both the overall user experience and accessibility of MFA, ensuring user resistance is significantly reduced.

Some further food for thought is how biometrics can be combined with artificial intelligence, providing constant monitoring and instant alerts should be an attempt to gain unauthorised access be detected. Around 99% of businesses have adopted AI into their operations, with cyber security one of the key use cases. 

Biometrics in IAM systems: Ethical concerns

Biometrics offer significant advantages in terms of improving IAM and boosting security in organisations, but the use of biometric data has also raised some concerns regarding privacy and other ethical issues. Some users may be worried about their biometric data being misused, such as for biometric-based surveillance, tracking their every move.

To ease these fears, organisations must ensure that only a select number of high-level employees have access to such data and it’s used appropriately. This includes removing access to data should a person leave the company, and regular maintenance of the biometric data of former employees. 

Finally, the use of biometric authentication needs to be transparent, ensuring all individuals are aware of how this data is stored and protected.

Conclusion

Biometric authentication is expected to play a key role in the future of IAM, revolutionising and replacing traditional methods. 

Older methods, such as password verification and physical ID cards, can be replaced by fingerprint, facial, retina, or voice recognition, avoiding the issue of the access tool being stolen or cloned. This will result in a drastically enhanced level of security, while also improving the user experience. 

Industry execs discuss IAM

  • Microsoft’s president of identity and network access, Joy Chik, joins Computer Weekly to discuss the evolving threat landscape in identity security, using innovations in artificial intelligence to stay ahead, and advocating for the coming passwordless future.
  • SailPoint founder and CEO Mark McClain reflects on how the concept of identity has evolved over the past 20 years, and points to rapid evolution still to come.

Read more on Identity and access management products