Security is an obstacle many enterprises, especially those in the financial services industry, face every day. A common response to recent headlines about cyber data breaches is to complicate or double down on passwords. Many security administrators have already been requiring more complex and longer passwords (usually a combination of both upper- and lowercase letters, numbers, and special characters) from users and demanding them to frequently change passwords.
Although these new rules seem excessive and unnecessary, there’s a reason why security administrators are wary about password security. In 2016, the Verizon Data Breach Incident Report (DBIR) pointed out that “63% of confirmed data breaches involve using weak, default or stolen passwords.”
Despite how important it is to reduce data breaches, users aren’t able to memorize multiple, complicated passwords. In fact, a recent Intel survey reported that the average user has around 27 passwords for all of the digital channels they take part in. This forces users to use password managers, record passwords on paper or devices, and repeatedly use the same password for multiple systems. This makes the user’s security vulnerable and allows hackers to find the right opportunity to infringe on the user’s data. Users can practice good password hygiene, but they can still get hacked or tricked into giving away passwords through phishing attacks.
Another attempt made by security administrators to upgrade users’ security was the second authentication factor. This method had users log in with an RSA hard token or made apps send a code or one-time password (OTP) to the user’s cellular device. Yet, the user’s cellular device could be stolen or hacked, giving email or messenger access to a total stranger. The thief can then go log on to the user’s application without the software noticing. As a matter of fact, the National Standards Institute of Technology (NIST) no longer recommends the second authentication factor that uses SMS because of its many risks.
Nonetheless, more customers are demanding greater accessibility to digital channels like online banking. And in response to such demands, it is our responsibility to enforce stronger security solutions. This leads us to an extraordinary solution: FIDO-based biometric authentication that offers stronger security while promising a frictionless user experience. This solution is beneficial for both customers and companies. For customers, it will be significantly easier and convenient to use and companies will find it less expensive to manage and maintain. It’s a win-win situation.
How Consumer-Grade Biometric Authentication Works
When using consumer-grade biometric authentication, a mobile device is used to capture all kinds of biometric data, like a user’s fingerprint. A previously established protocol determines which mode of biometric authentication the software will request. A simple touch on the fingerprint template can authenticate the user whenever he or she wishes to access the application.
This method of authentication is more convenient and efficient because users won’t need to memorize long, complex passwords. Instead, non-duplicative biometrics does the job for them, improving the user experience. Yet, this method isn’t that much more secure than a strong password.
The Distinction between Consumer- and Enterprise-Grade Biometric Authentication Solutions
Let’s say you’re a security administrator for an enterprise in the healthcare or financial services industry that requires significantly stronger security. You’re going to need much more than a consumer-grade biometric authentication solution to protect confidential information.
Now you will have options to upgrade your security just within biometric-based authentication. First of all, you can utilize more precise biometric modalities. For example, face scans are more accurate than other modalities as they require the use to move to ensure liveliness (a photo-shopped image won’t do). Eventually, biometric authentication will be also based on behavior. In fact, some companies are already a step ahead of the game. Samsung’s SDS Nexsign™ with BioCatch behavior biometrics ensures stronger security of digital channels many financial institutions are using without hindering the user experience.
On the other hand, you can achieve heavy-duty security by implementing enterprise-grade FIDO-based biometric authentication. This utilizes both local- and server-based authentication. The server-based authentication enforces authentication policies such as risk-based authentication and continuous authentication. When enforcing risk-based authentication, security administrators will demand a more secure mode of authentication like a live facial scan when transactions present greater risks. While less risky transactions, such as reading a document, might require a fingerprint scan. The administrators can even set guidelines to specify which application can access the server.
A public key infrastructure based framework is employed by enterprise-grade FIDO-based biometric solutions. The framework involves both public and private key cryptography. To ensure stronger security, the private key and biometric template are encoded and stowed in the operating system of the user’s device. This prevents hackers from intercepting the template or the private key.
The encrypted public key is sent to the FIDO server stationed behind the corporate firewall. If the user’s device is lost, the biometric template stored on it won’t be accessible because the public key on the server can be removed. Previously, companies tried applying server-side authentication that stored credentials on servers behind the financial institution firewalls, providing hackers with an attractive archive.
Realistically, security will be a pervasive issue this industry. However, FIDO-based enterprise-level biometric authentication, like Samsung SDS’ Nexsign, will enhance the user experience and make it easier for financial institutions as well. It also gives security administrators significantly more control over the security process, allowing them to better ease and manage security risks.
