Biometrics are proving to be better than passwords because they’re easier to use, provide greater privacy and security, and are gaining standardisation across a broad base of mobile, desktop, and server devices that users rely on to access online services.
The security industry has been trying to kill the password for decades. It has long been viewed as a weakness, primarily because of the human element: people continue to use weak passwords, on multiple accounts, at work, and in their personal lives. 81% of data breaches involve weak, stolen, default, or otherwise compromised credentials, according to a Verizon Data Breach Investigations Report.
Lessons can be learned from the vendor Centrify who supported passwordless authentication and prioritised enforcing FIDO2[1]-based privileged administrator logins.
Centrify also supported Apple’s Touch ID and Face ID, as well as Windows Hello. Both Windows Hello and Windows Hello for Business are based on passwordless authentication.
Despite this, combining multiple forms of biometrics is proving problematic for the majority of vendors offering these technologies.
Product management teams have been studying the NIST 800-53[2] high-assurance authentication controls standard and integrating it into their roadmaps. The 170 controls that comprise the NIST 800-53 standard are being adopted quickly across the vendors who claim passwordless authentication as a core strength in their product strategies.
Using biometrics eliminates the risk of credential theft and provides better alignment with the NIST 800-53 high-assurance authentication controls standard.
Vendors of biometric tools are at varying levels of maturity when it comes to being able to capitalise on the metadata biometrics provides, with a few claiming to have real-time analytics. Every technology vendor had a different response to how they manage the massive amount of metadata being generated by their biometrics, which all claim also to support analytics.
Passwordless authentication ensures that login credentials are unique across every website, never stored on a server, and never leave the user’s device. This security model helps eliminate the risks of phishing, as well as all forms of password theft and replay attacks. We’re closer than ever before to the inevitable goal of a passwordless future.
[1]FIDO2: The FIDO2 Project is a joint effort between the FIDO Alliance and the World Wide Web Consortium whose goal is to create strong authentication for the web. At its core, FIDO2 consists of the W3C Web Authentication standard and the FIDO Client to Authenticator Protocol.
[2] NIST 800-53: The NIST Special Publication 800-53 provides a catalogue of security and privacy controls for all US federal information systems except those related to national security.
_____
Aquest apunt en català / Esta entrada en español / Post en français