How companies are deploying biometrics in 2024
Biometric-authentication options come in different sizes, irises, fingerprints, and voices.
Perhaps a laptop’s built-in fingerprint reader works fine for some companies. A hospital, however, may want external scanners to protect an electronic-health-records (EHR) system.
Treefort Technologies uses facial-verification services from identity-fraud detector iProov to confirm that a client’s likeness matches the image of a presented ID. Such verification can protect major real-estate transactions.
Some Treefort employees, however, not at the center of high-stakes transactions, log into their laptops via fingerprint and two-factor authentication.
Authentication pros who spoke with IT Brew laid out biometric-deployment options—some familiar, some requiring privacy assurances, and some left in doubt as deepfakes improve.
By Billy Hurley
JULY 19, 2024
Some biometric options are an easier sell to employees than others.
Local biometrics
Passwordless setups use technologies like tokens, proximity badges, and biometrics. Biometrics use a measurable biological characteristic—say, a fingerprint—or behavioral one—like typing speed—to authenticate.
A Workforce Authentication Report, published by the FIDO Alliance and LastPass in October 2023, found that 92% of surveyed businesses “have or plan to move to passwordless technology.” The study, conducted by Sapio Research’s online surveying of 1,005 IT decision-makers in the United States, Germany, Australia, United Kingdom, and France, also found that 89% of IT leaders “expect passwords will represent less than a quarter of their organization’s logins in 5 years or less,” and that education remains the main barrier to passwordless adoption.
James Hoover, Gartner senior principal analyst, sees device-native authentication as today’s most popular workplace biometric option. Think Windows Hello for Business—a facial scan or fingerprint authenticates the employee.
Google, Microsoft, and Apple recently announced support for passkeys, which couple with a device’s local biometric. Passkey access uses two unique cryptographic keys: One is stored on the device, guarded by a PIN or biometric factor; the other key stays with the passkey-providing service.
“I think that’s likely to be the most prevalent way that people encounter biometrics, which is really just an extension of what they’re doing already with the local biometric on their phone,” Hoover said, referring to passkeys’ frequent pairing with biometrics.
Kim Krushell, co-founder and executive VP of Treefort Technologies, understands facial verification is one of many layered tools required to catch cybercriminals like real-estate fraudsters.
“It is true that you need more than just facial biometrics; you need a whole bunch of technologies in one system in order to catch the bad guys,” Krushell said.
Some benefits of local biometrics include:
Familiarity
Fingerprint- and facial-scanning features exist on today’s phones, potentially minimizing training for the IT pro. “The user experience associated with using a local biometric is functionally identical to what you might use on your Android or iPhone,” Hoover said.
Speed
The scan avoids entering (and remembering) a username and password, or waiting for a second-factor device prompt.
Security
And unlike frequently used passwords, a local biometric is unique to a device. “It’s used to unlock a private key that is not shared. There’s nothing central for me to attack,” Hoover said.
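The passkey flow described above (one key on the device behind a PIN or biometric, the other with the service, nothing central to attack), sketched as an added example that is not from the article or any vendor named in it. It is a simplified challenge/response rather than full WebAuthn; the class names, the user `alice` and the boolean standing in for the local biometric match are assumptions.

```javascript
// Added illustration: simplified passkey-style challenge/response, not full WebAuthn.
const nodeCrypto = require('crypto');

// Device side: the private key stays in this object. A local check (PIN or
// biometric match, simulated here by a boolean) gates every use of it.
class Authenticator {
  #privateKey;
  constructor() {
    const pair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.#privateKey = pair.privateKey;
    this.publicKeyPem = pair.publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(challenge, userVerified) {
    if (!userVerified) return null; // failed local check: key stays locked
    return nodeCrypto.sign('sha256', challenge, this.#privateKey);
  }
}

// Service side: holds only public keys (no password, private key or biometric template).
class RelyingParty {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is single-use
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem || !signature) return false;
    return nodeCrypto.verify('sha256', challenge, pem, signature);
  }
}

// Constructed scenario: user "alice", one device, three login attempts.
function demo() {
  const device = new Authenticator();
  const service = new RelyingParty();
  service.register('alice', device.publicKeyPem);
  const signature = device.sign(service.newChallenge('alice'), true);
  const ok = service.verify('alice', signature);
  service.newChallenge('alice');
  const replay = service.verify('alice', signature); // old signature, fresh challenge
  const locked = service.verify('alice', device.sign(service.newChallenge('alice'), false));
  const stored = [...service.publicKeys.values()].join('');
  return { ok, replay, locked, storesPrivateKey: stored.includes('PRIVATE KEY') };
}
```

The login succeeds only when the local check passes and the signature covers the current challenge; a replayed signature and a failed local check are both rejected.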
Third-party biometrics
Third-party biometrics also suit companies, perhaps those whose employees are not tied to one local machine, according to Hoover. Third-party biometrics, a technology Gartner said has a market penetration of 5% to 20% of vendors’ target audience, are typically offered as proprietary software “enabling creation, storage and matching of a biometric template local to the user’s device or in infrastructure.”
Third-party vendors take varying approaches to protecting and storing biometric data—some vendors, like One Identity, don’t want it, claiming to only use on-device biometric credentials and those available from connected government systems.
“Devices are built today that when you register your fingerprint, or your face ID, there’s a special hardware module that’s tamperproof… It’s very hard to steal that biometric data off your device. We want to leverage that, rather than become a central repository of biometric data,” Stuart Sharp, VP of product strategy at One Identity, told IT Brew.
Reasonable doubt
A 2024 survey from GetApp of 1,000 US consumers found declining faith in tech companies’ ability to safeguard biometric data—the percentage of those who simply “do not trust” nearly doubled from 22% in 2022 to 42% in 2023.
State laws in Illinois, Texas, and Washington aim to protect biometric data and inform consumers of privacy practices. The Supreme Court of Illinois, for example, recently held that White Castle violated the Illinois Biometric Information Privacy Act (BIPA) by using a fingerprint system to authenticate employees, without employee consent; an Illinois federal judge has initially approved a settlement.
And increasingly convincing AI-powered replicas, aka deepfakes, have challenged biometric devices’ effectiveness. An iProov threat-intel report noted a growing interest in “face swap” tools that fool some biometric authenticators.
Forrester Research expects generative-AI-based “large transaction models” (LTMs) to recognize attributes of legitimate biometric samples. Other IT pros are similarly hopeful that AI defenders can capably fight AI attackers.
“As AI advancements work through the system, they’ll have very intelligent and automated ways to do this liveness test and verification that’s even less cumbersome for the end-user,” Sharp said.
Biometrics plus more
IT pros who spoke with IT Brew expressed a need to combine multiple factors with the biometric option.