Authenticating the identity of users presents an ever-evolving challenge. We at Auth0 tackle this for our customers in new ways every day.
On one side, there’s enormous demand for speed and convenience — users don’t want to have to juggle numerous different passwords or make their way through a complex login or verification process every time they access an app or site.
"Authenticating the identity of users presents an ever-evolving challenge. We at Auth0 tackle this for our customers in new ways every day."
But, on the other hand, security requirements are quickly evolving. There’s a greater need for more robust authentication systems that mitigate the potential for theft and fraud.
At first glance, it might seem like those two things are at odds with each other. How can you make the verification process streamlined and simple, but also as airtight as possible? This is where biometrics come into play.
To meet the growing needs for both security and convenience, many teams are rapidly incorporating biometrics — the use of a unique physical feature like a fingerprint for verification. Just think — even the average person with an iPhone can use biometrics (Touch ID or FaceID) on a daily basis. Soon they might be able to use both simultaneously.
In 2019, we’ll continue to see biometric authentication usage trend upward. In fact, one study conducted by Spiceworks shows that 62% of organizations currently use biometric technology for authentication. And, the same study also predicts that we’ll see nearly 90% of businesses using it by the year 2020.
That’s not the only trend in biometrics we’re seeing this year. This piece will cover three critical developments we see on the horizon in the world of biometrics — and will dig into how teams can use biometrics in ways to make their systems more secure.
1. Hackers are finding new ways to subvert biometrics — so teams must continually make improvements.
Much of the chatter about biometrics centers on what a secure method it is. And, there’s truth to that. At this point, passwords are fairly easy to steal. In contrast, it’s much harder to replicate somebody’s identifying features.
But, that presents an interesting challenge for hackers, who are now dead set on finding ways around these new security measures. For example, a team of researchers at NYU recently developed a fingerprint template using machine learning algorithms, which could trick an iPhone into unlocking. If universities are figuring out ways to subvert popular security systems, you can bet cyber thieves are working on them, too.
The evolution of Mastercard’s Identity Check Mobile (frequently referred to as “Selfie Pay”) is one example that teams can learn from. Using the app, users originally confirmed an online payment by snapping a selfie and allowing the app’s facial recognition software to verify their identity.
However, Mastercard determined that system alone would be fairly easy to bypass, as holding up a static photo of someone’s face would accomplish largely the same thing.
So, the company took things a step further by requiring users to blink to confirm it’s really their face in the frame — and not just a photo. That seemingly small change made it far more difficult to fraudulently replicate the authentication process.
Companies truly committed to protecting their users must make tweaks like these in order to keep pace with cyber criminals and proactively plug any holes.
2. Continuous authentication will continue to gain traction.
There’s a lot of talk about facial recognition, fingerprints, gait recognition for smartphone authentication — and, yes, we’re bound to see more of those used for identity verification.
But, as security concerns continue to mount, there’s also growing emphasis on catching problems before they even happen. Much of this relates to continuous authentication, which calculates an 'authentication score' on a rolling basis that reflects the likelihood that a user is who they say they are. Continuous authentication is increasingly popular in high stakes situations like online financial transactions. In these cases, the score takes into account how a user behaves in the app, their location, and any personal details they entered.
Continuous authentication takes traditional geolocation-based authentication to new levels by incorporating biometrics into the algorithm for a more comprehensive view of the user.
Obviously, it’s a highly proactive approach, but its potential in the world of digital security is still unrealized. Developments in this area will likely keep right on pace with those of physical biometrics.
3. Regulators are tightening rules around the collection of biometric data.
It’s no secret that emerging technologies always bring along fears about how they’ll be overseen and regulated. Especially when privacy has been a growing issue, it comes as little surprise that people are concerned about things like their fingerprints and photos being stored.
"It’s no secret that emerging technologies always bring along fears about how they’ll be overseen and regulated."
Considering that biometrics are relatively new, the regulations around them are very much a work in progress. However, regulators are taking steps toward firming up rules around how these biometrics can be used. Companies should stay up to speed on national, state, and industry regulations to ensure they’re in compliance with these new technologies.
Illinois, for example, enacted the Illinois Biometric Information Privacy Act in 2008. This state law grants users a “property interest” in the algorithms that are used to establish their digital identities. There have already been over 100 suits filed about alleged violations of this law. In 2019, Illinois took this a step further and ruled that private companies could no longer collect biometric data, including fingerprints, iris and facial scans, from individuals without their consent. Although Illinois has one of the strictest privacy laws surrounding biometrics, other states could quickly follow suit — and teams must keep pace.
As biometrics gain even more of a presence in our everyday lives, it’s evident that the regulation of this technology will continue to develop as well. Depending on how those rules shake out, it could significantly alter or even hinder new developments in the advancement of biometrics.
The Future of Biometric Authentication & Security
Although far more secure than relying on passwords alone, biometric authentication is far from impenetrable.
Vein authentication, another cutting edge method which scans the veins in a person’s hand in order to provide them access, recently showed its flaws. Researchers were able to create a wax hand that easily bypassed these scanners.
But, even so, developing a fake body part requires a lot more time and elbow grease than hacking a password. So, biometrics offer an added layer of security that consumers will start to expect. One survey conducted by Visa found that 86% of consumers actually want to use biometrics to verify their identity, as opposed to traditional passwords.
With all of that in mind, organizations will need to be quick to jump on the bandwagon. If you’re overwhelmed by introducing biometrics for your own authentication processes, working with a trusted platform can help. Auth0 offers the option to use biometrics for multifactor authentication (MFA). Outsourcing a portion — or all — of your identity management can give you peace of mind, knowing you have an expert team dedicated to authentication 24/7.
Auth0, a global leader in Identity-as-a-Service (IDaaS), provides thousands of customers in every market sector with the only identity solution they need for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 2.5 billion logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its global customers that are located in 70+ countries.