Biometrics vs Passwords? No Clear Winner Yet

Recent advancements in the biometrics market have some enterprise IT leaders thinking of a different world—a world without passwords.

From Microsoft to Cisco Systems, a growing number of vendors are adding their names to the list of providers pushing enterprises toward a reality where passwords no longer exist. But just how feasible is that really?

Driving Demand
The market for biometric solutions is bullish, with some expecting it to grow as high as $68.6 billion by 2025. Multiple factors are driving this expansion. The first is the benefit to security. The use of stolen and compromised credentials is a significant element of many of the attacks occurring today, as highlighted in the Identity Defined Security Alliance research, Identity Security: A Work in Progress. Despite the IT security industry’s best efforts, many enterprise users still use weak, guessable passwords or share passwords across multiple applications and accounts. These credentials are a soft spot for threat actors, who gladly continue to exploit them.

While effective password management mitigates risk, judging by the level of abuse of passwords in many data breaches, what many enterprises are doing today is not enough. Enterprises often fail to enforce effective policies across all the systems, users, and applications in their environment. Beyond its role in security, having to manage passwords for thousands of users is also a productivity issue. Consider the amount of time spent by a Help Desk handling activity such as users’ reset requests. Given the scope of what needs to be done, it is not surprising that enterprise IT leaders would see the appeal in reducing the workload.

Another factor is the growth of the mobile biometric market, which has expanded across several industries. Some mobile banking applications, for example, have successfully employed fingerprint sign-in capabilities. This approach is meant to be user-friendly and has provided a clear use case as to how companies can leverage biometrics as part of their business initiatives.

User convenience matters as well. Fewer passwords mean less to remember. A biometric sign-in feature can also make the process of logging in more seamless and secure. Rather than a password, a fingerprint and a one-time PIN could be all the employee needs. However, even with these drivers, biometric adoption faces some crucial challenges.

Barriers to Enterprise Adoption
For all its benefits, biometric adoption has hurdles in front of it—principally around implementation, privacy, and cost. While biometric technology has become more widespread, implementing it successfully is complicated. The native biometric capabilities of devices may not be easily manageable across an environment the size of an enterprise and could be complicated further by the diversity of systems being used. For biometrics to replace passwords, it would have to be fully integrated into the organization’s identity infrastructure. This requirement could mean a large amount of hodgepodge code suddenly has to be integrated via APIs. Getting enterprises to shift to a fully biometrics-based approach from a password-based approach could simply be viewed as more work than it is worth, especially considering the upfront costs of purchasing the necessary solutions.

User trust is another drawback. In certain countries, employees may be less inclined to allow their company to collect private information. Compliance regulations and union opposition can pose an additional challenge. In the US, several states have already moved to enact laws governing the collection of biometric data. How this growing patchwork of laws will affect employee rights remains to be seen, as different states may take different approaches. For biometrics to be the sole source of authentication, enterprises will have to overcome privacy concerns about collecting and storing personal data.

These concerns are not without merit. Like any other data stored by organizations, biometric data can be leaked or stolen. Take the 2019 case of Suprema’s BioStar 2 data leak, in which researchers from vpnMentor reported the exposure of some 23 gigabytes of data that included fingerprint information, facial recognition images, and user logins. A similar situation was uncovered last year when Brazilian company Antheus Tecnologia left a web server exposed that leaked roughly 76,000 unique fingerprints. The prospect of having customer or employee biometric data sold on the black market to a nation-state or used to facilitate fraud is more than enough to give some organizations pause.

A Passwordless Future?
Considering all the factors at play, it seems unlikely enterprises will abandon passwords any time soon. Biometrics is best thought of as part of a multifactor authentication (MFA) approach – and one that is recommended by the Identity Defined Security Alliance. Though there are two-factor authentication offerings that are passwordless, most MFA implementations among businesses still utilize passwords as an element of the authentication strategy. Changing to a new authentication model will break the identity architecture for many enterprise IT environments and would likely become a painful process. While the case for using biometric solutions is growing, migrating entirely away from passwords is not likely on the horizon.

About the Author
Jason Berland is the Managing Director of IAM – Cybersecurity at MorganFranklin, where he supports new and existing client relationships and is rapidly advancing the practice’s IAM service line offering. Jason previously served as Practice Director for Fishtech Group, a data-driven cybersecurity solutions provider, where he focused on delivery and leadership of technology services, program and project management, strategic solutions and development, and business support in the Identity and Access Management Security space. Jason also served as the Senior Manager of Identity and Access Management for United Airlines, where he managed strategy, resource allocation, work stream, program budget, and program deliverables for the airline’s IAM program. While at United, he played a key role in merging and integrating two major carriers’ HR technology, and he led the consolidation strategy of user identities of both organizations into one single source of truth (SSOT).
