When searching for the most secure method of two-factor authentication (2FA), also known as multi-factor authentication (MFA), biometrics are often the first to come to mind. The data is extremely difficult to replicate, and because it’s a relatively new technology, methods of bypassing it are still in their infancy. This has led some to wonder whether it’s the next generation of identity security. We explore that idea in our list of biometric authentication pros and cons.
Biometric 2FA Overview
Biometric 2FA, or biometric authentication, is a method of verifying a user’s identity using a piece of “who they are” such as their fingerprint, facial features, hand shape, iris structure, voice, or typing behavior (such as how strongly a user depresses keys on their keyboard).
These factors contain a large number of unique data points that require sophisticated technology to replicate, which most bad actors don’t have access to. Because of this, many organizations regard biometric authentication as one of the strongest, if not the strongest, method for authenticating users.
The main barrier to widespread adoption of biometric methods is the cost, as any cutting-edge technology comes with a steep price tag. Having said that, there are a few factors to consider before setting aside funds to become early adopters.
Pros of Biometric 2FA
- Unique data is harder to crack: The data biometric authentication uses varies so finely from one person to the next that it is nearly impossible to replicate without advanced tools.
- Fast, convenient authentication: Biometric authentication lets users access their resources instantaneously. All they need to do is present their biometric factor (face, fingerprint, voice, etc.), and assuming it matches the data stored in their authenticator, they will be granted access. This eliminates the need for passkeys, cards, and other traditional forms of 2FA.
- Scalable: As an organization grows, its security needs to grow with it. Most biometric 2FA solutions easily accept new user data and are very flexible, so growing organizations don’t need to worry as much about scaling their security as people join the company.
Cons of Biometric 2FA
- Unrecoverable if compromised: Although biometric data is nearly impossible to fabricate, it can still be done. For example, cryptographers at the GeekPwn 2019 conference in Shanghai demonstrated how to create and use a photograph of a user’s fingerprint to unlock their smartphone in no more than 20 minutes. A user can’t reset their fingerprint like they can their password. The user can replace their existing data with the print on another finger, but then there are only eight chances after that to reset their data. Once their biometric data is stolen, that specific factor can never be used again.
- New and expensive: Biometric authentication didn’t become available for commercial use until recently. Plus, it requires additional software and/or hardware, depending on the devices users need to authenticate to. As a result, its use isn’t widespread or accessible to small-to-medium-sized organizations yet.
- Privacy concerns: As the use of biometric authentication grows, so does the concern over how corporations and/or governments may use that data. China already uses biometric data to keep tabs on people through public security cameras, and many fear their biometric information may secretly be bought and sold by big tech companies. There are a number of unknown effects biometric authentication can have on individual privacy, so the “security” it provides is still to be determined.
Is Biometric 2FA the Next Generation of Identity Security?
From a purely technical standpoint, biometric authentication is more reliable and harder to compromise than other forms of 2FA. The data it uses is unique to each individual, difficult to fabricate, and holds users accountable for their activities within the organization’s infrastructure. It’s also more convenient, as users don’t need to enter their credentials to access their IT resources, nor are they required to have their mobile device on them at all times.
However, biometric authentication carries a number of weighty implications. Its long-term effects are still unknown, so it can’t be considered the most secure mode of 2FA just yet. Fortunately, there are other ways to secure the identities of an organization’s users.
How to Require 2FA and Secure IT Infrastructure
Organizations can keep their user identities secure by leveraging JumpCloud® Directory-as-a-Service®, which offers time-based one-time password (TOTP) 2FA across systems, applications, VPNs, RADIUS, and servers. It comes alongside many other IAM features, such as group and user attributes, cloud-hosted LDAP, and True Single Sign-On®, at no additional cost, so organizations can get the most out of their investment.
For organizations that would like to adopt biometric 2FA in addition to the many management features JumpCloud offers, JumpCloud’s partnership with Duo® lets them require it, or any other method, on the JumpCloud portal.