March 30, 2021
Contributor: Meghan Rimol
Biometric authentication offers significant benefits over traditional authentication methods like passwords, improving trust and accountability across the enterprise.
Most enterprise workers are all too familiar with the frustrations of digital authentication. Whether it's returning from a week off only to be locked out of a computer by a password-change policy, or losing a security token and having to call the IT department, authentication methods are often at odds with ease of access.
Enterprise security leaders continue to seek approaches to identity and access management (IAM) that balance trust and accountability against cost and user experience (UX). Biometric authentication has the potential to achieve that balance better than traditional methods like passwords or tokens.
“Biometric traits provide a uniquely human basis for user authentication, without people having to remember random character strings or carry specific devices,” says Ant Allan, VP Analyst, Gartner. “Biometric authentication offers better UX, along with increased accountability as biometric traits cannot easily be shared.”
Security leaders responsible for IAM and fraud prevention can adopt biometric authentication across a wide variety of use cases. Use these questions to determine if and how biometrics can meet current and future authentication needs.
Biometric authentication methods use unique personal traits to corroborate a person's claim to an identity in order to grant access to a digital asset. This is usually done through one-to-one comparison (verification): the system attempts to match, say, a face or fingerprint image against the record of the person being claimed, rather than determining identity by searching among a range of candidates (one-to-many identification). Biometric authentication can be used as an alternative or adjunct to other authentication methods, and it is typically adopted to achieve passwordless authentication.
To be useful for authentication, a biometric trait must be unique, persistent and measurable. Furthermore, it must be possible to capture a sample (an image or recording) of that trait and to extract identifying data in a way that preserves its uniqueness.
Morphological traits (e.g., face, fingerprint, iris, vein) change very slowly and are generally unalterable. However, capturing them may seem intrusive for some, and some people may find specialized sensors difficult to use.
Behavioral traits (e.g., gesture, keystroke, voice) are less stable, changing over time and typically requiring multiple interactions to determine a reliable baseline. They also change with age, stress, injury and illness.
Methods that incorporate two or more distinct traits, such as both face and voice, are known as multimodal methods. An "either/or" method gives users a choice of modes, which can enhance UX by providing an alternative to a mode that a person might not be able to use reliably or might not wish to use. Alternatively, two modes can be required together, which improves trust and accountability because an attacker must defeat both. However, this approach will not generally meet regulatory requirements that demand two-factor authentication: both modes are still the same category of factor (something the user is), so combining them does not add a second, independent factor.
Biometric authentication methods differ technically from nonbiometric methods, such as passwords or cryptographic keys, in two important ways:
Biometric methods can potentially provide better UX and higher trust than other credential-based methods. In particular, biometrics improve individual accountability, as personal traits cannot easily be shared as passwords and tokens can. However, the actual benefits of biometrics depend on the trait used, as well as the configuration, performance and accuracy. No biometric authentication solution can provide a 100% success rate, so there will always be a trade-off between security and UX.
For example, with face recognition, if the matching threshold is low, a person is less likely to be locked out of their device, but there’s a higher chance that someone else would be able to unlock the device. UX can also vary from person to person; for example, fingerprint was long the biometric mode of choice, but many users have had problems with fingerprint modes some of the time, and some users are unable to reliably use these at all.
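The threshold trade-off described above can be made concrete by sweeping a decision threshold across matcher scores and measuring the two error rates that move in opposite directions: the false accept rate (FAR, impostors admitted) and the false reject rate (FRR, legitimate users locked out). The following is an added illustration, not code from the original article or from any biometric vendor; the similarity scores it uses are constructed with a fixed random seed and stand in for the output of a real 1:1 matcher.

```python
"""Threshold trade-off in a one-to-one (verification) biometric matcher.

A matcher reduces a probe sample and the enrolled template to a similarity
score in [0, 1]; the decision is simply `score >= threshold`. The scores used
here are CONSTRUCTED (seeded pseudo-random samples), not measurements from
any real system. Genuine attempts cluster high and impostor attempts cluster
low, but the two distributions overlap, so no threshold is error-free.
"""
from dataclasses import dataclass
import random


def constructed_scores(n: int = 2000, seed: int = 7):
    """Return (genuine_scores, impostor_scores), clipped to [0, 1]."""
    rng = random.Random(seed)
    clip = lambda s: min(1.0, max(0.0, s))
    genuine = [clip(rng.gauss(0.78, 0.09)) for _ in range(n)]   # same person
    impostor = [clip(rng.gauss(0.42, 0.11)) for _ in range(n)]  # different person
    return genuine, impostor


@dataclass(frozen=True)
class Rates:
    threshold: float
    far: float  # impostor attempts accepted / all impostor attempts
    frr: float  # genuine attempts rejected / all genuine attempts


def evaluate(threshold: float, genuine, impostor) -> Rates:
    """Apply one threshold and compute FAR and FRR for it."""
    accepted_impostors = sum(1 for s in impostor if s >= threshold)
    rejected_genuine = sum(1 for s in genuine if s < threshold)
    return Rates(threshold,
                 accepted_impostors / len(impostor),
                 rejected_genuine / len(genuine))


def sweep(genuine, impostor, steps: int = 100):
    """FAR/FRR at every threshold 0.00, 0.01, ..., 1.00 (ascending)."""
    return [evaluate(i / steps, genuine, impostor) for i in range(steps + 1)]


def equal_error_point(rates) -> Rates:
    """Threshold where FAR and FRR are closest; a common single-number summary."""
    return min(rates, key=lambda r: abs(r.far - r.frr))


def threshold_for_max_far(rates, max_far: float):
    """Lowest threshold whose FAR is within a policy budget.

    This is the best UX (lowest FRR) that still meets the security
    requirement; the FRR it forces is the usability cost of that policy.
    Returns None if even threshold 1.0 cannot meet the budget.
    """
    for r in rates:  # ascending thresholds, FAR is non-increasing
        if r.far <= max_far:
            return r
    return None


if __name__ == "__main__":
    genuine, impostor = constructed_scores()
    rates = sweep(genuine, impostor)
    print(f"{'thr':>5} {'FAR':>8} {'FRR':>8}")
    for r in rates[30:91:10]:
        print(f"{r.threshold:5.2f} {r.far:8.4f} {r.frr:8.4f}")
    eer = equal_error_point(rates)
    print(f"EER point: thr={eer.threshold:.2f} FAR={eer.far:.4f} FRR={eer.frr:.4f}")
    strict = threshold_for_max_far(rates, 0.001)
    print(f"FAR<=0.1% needs thr={strict.threshold:.2f}, costing FRR={strict.frr:.4f}")
```

Lowering the threshold admits more legitimate attempts (FRR falls) while admitting more impostors (FAR rises); the equal-error point is where the two rates cross. A policy that caps FAR forces the threshold up and the FRR it produces is the lockout rate the business has to accept, which is exactly the trade-off an IAM leader has to weigh against risk tolerance.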
The trade-off between security and UX is broadly true of any authentication technology. IAM leaders must determine if biometric authentication methods strike a balance between security and UX that is in line with the enterprise’s risk tolerance and business expectations.
As with any other authentication technology, the integrity and availability of the data and technology components, and the confidentiality of system data (here, the stored biometric templates in particular), are crucial.
Particular biometric authentication risks that IAM leaders must pay attention to include:
Biometric authentication can be used in a variety of ways across industry verticals globally. Current enterprise use cases include:
Biometric methods can enable passwordless authentication alone or combined with other methods. Integration with phone-as-a-token authentication for passwordless multifactor authentication — “mobile MFA” — will likely dominate in workforce use cases.
IAM and fraud leaders considering biometric authentication must assess each of the above questions when determining the value proposition. Identify use cases where biometric authentication can satisfy a need to improve UX, trust or accountability, and thus facilitate changes to business processes or enable regulatory compliance better than orthodox methods.