When searching for the most secure method of two-factor authentication (2FA), a form of multi-factor authentication (MFA), biometrics are often the first to come to mind.
Biometric traits are difficult to replicate, and because the technology is newer, attacks against it are less mature and far less automated than attacks on passwords. Does this mean biometrics are the next generation of identity security?
This article seeks to answer that question by exploring biometric authentication pros and cons.
Biometric 2FA, or biometric authentication, verifies a user’s identity with “something they are” rather than something they know or have: a fingerprint, facial features, hand geometry, iris pattern, voice, or a behavioral trait such as typing rhythm (keystroke dynamics).
These traits carry a large number of distinguishing data points, so reproducing one convincingly takes specialized equipment and effort that most opportunistic attackers will not spend. Because of this, many organizations regard biometric authentication as one of the strongest, if not the strongest, method for verifying user identities.
The main barrier to widespread adoption is cost, as cutting-edge security technology tends to carry a steep price tag. If your organization is considering a biometric rollout, there are a few factors to weigh before setting aside funds to become an early adopter.
What Are the Pros of Biometric 2FA?
Unique and impossible to share
Because each person’s biometric traits are distinct, they provide a strong foundation for binding the right user to the right resource. A biometric trait is also non-transferable: it cannot be emailed, written on a sticky note, or handed to a colleague the way a password or a hardware MFA key can. This gives a high level of assurance that the user logging in with biometric 2FA is, in fact, the person authorized to access those resources, provided the sensor includes liveness detection so that a replayed copy of the trait is not accepted as the real thing.
Challenging to hack or steal
Biometric data varies so subtly from one person to the next that it cannot be guessed or brute-forced; reproducing it takes a targeted effort. An attacker needs both a sufficiently detailed capture of the victim’s trait and a means of replicating it that the target sensor will accept.
Unlike password attacks such as credential stuffing and phishing, which can be run indiscriminately against large populations over the internet, a biometric spoof must be built per victim and presented in person. The attacker needs a) a usable copy of the trait (a lifted fingerprint, a high-resolution photograph) and b) physical access to the device or sensor they are trying to fool. That high barrier to entry is a deterrent in and of itself.
Fast, convenient authentication
Biometric authentication gives users near-instant access to their resources. They present their factor (face, fingerprint, voice, etc.), the authenticator compares it against the template captured at enrollment, and if the match clears the configured threshold, access is granted. Most of us already unlock our phones this way and are accustomed to the frictionless experience.
Scalable and highly secure
As an organization grows, its security systems need to grow with it. Most biometric 2FA solutions enroll new users easily and are very flexible, so growing organizations can onboard employees as needed while maintaining a high level of identity assurance. Many new devices ship with built-in biometric sensors, which makes this process even simpler.
What Are the Cons of Biometric 2FA?
Unrecoverable if compromised
Although biometric data is difficult to fabricate, it can be done. For example, both Kraken Security Labs and Cisco Talos have demonstrated how to bypass common fingerprint scanners using a photograph of someone’s fingerprint and glue. However, the attacker needs not only a sufficiently detailed image of the target’s fingerprint but also access to the right scanner for the method to be usable.
The real downside of biometric theft is that a user can’t reset a fingerprint the way they can a password. They can re-enroll with a different finger, but that leaves a finite number of resets, and factors like facial recognition offer even fewer. Once the data for a given trait is stolen, that trait can no longer be trusted as a factor. This is why where templates are stored matters: a template held only on the user’s device exposes far less than one kept in a central database, where a single breach compromises every enrolled user at once.
New and expensive
Biometric authentication is still relatively new in the grand scheme of enterprise technology and has not yet been widely adopted in commercial authentication flows. Effective implementation usually requires additional software and/or hardware, depending on which devices users need to authenticate to. This creates a cost barrier that puts widespread adoption out of reach for many organizations, particularly small-to-medium sized ones.
Privacy and bias concerns
As the use of biometric authentication grows, so does concern over how corporations and governments may use that data. For example, China uses biometric data to track people through public security cameras, and many fear their biometric information may be quietly bought and sold by big tech companies. The effects biometric authentication may have on individual privacy are still largely unknown.
Beyond personal privacy, there are concerns about bias and power. For example, in a study of 189 facial recognition algorithms, researchers found that the faces of women and people of color were misidentified at higher rates than white male faces. Such uneven error rates limit how effectively the technology can be deployed at scale.
Discrimination aside, large-scale implementations such as India’s Aadhaar project also raise the question of how much control a single entity, public or private, should have over an entire population’s biometric profiles. As biometric technology continues to evolve, these questions and concerns remain to be addressed.
Is Biometric 2FA the Next Generation of Identity Security?
Overall, despite the growing pains the technology has experienced, biometric authentication is more reliable and harder to compromise than most other types of 2FA, and the main risks can be mitigated with sensible design. The future of biometrics is bright.
Biometric data is unique to each individual, difficult to fabricate, and ties activity within the organization’s infrastructure to a specific person. It is also more convenient than other 2FA factors: users don’t need to remember additional passcodes to access their IT resources, nor are they required to have their mobile device on them at all times.
There is, of course, a trade-off between end-user convenience and security to keep in mind. It would be ideal if presenting a fingerprint were all a user had to do to prove their identity. In practice, the most sensible use of biometrics in today’s IT environments is to layer them onto existing authentication, as one factor among several.
Everybody in the organization wins when biometrics are enabled as an authentication factor option — employees enjoy a frictionless 2FA log-in process while IT admins benefit from the improved security, and assurance that users accessing company resources are who they say they are.
How to Require 2FA and Secure IT Infrastructure
If you’re an IT admin considering how to approach the implementation of biometric authentication, there are some important questions to consider about the current state of your infrastructure:
- Have you already hardened your overall security architecture with a Zero Trust security model?
- Are you able to leverage the existing devices in your fleet or will you need to invest in new hardware with biometric capabilities?
- Where will biometric templates be stored: on the user’s device, ideally in hardware-backed storage, or centrally? If any are stored centrally, how will they be encrypted and access-controlled?
- Does your current 2FA implementation have the flexibility to add biometrics as an authentication factor across devices, applications, and networks?
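As an added illustration of the storage question in the list above (example code written for this article, not JumpCloud’s own implementation), the following Python sketch models the design most hardware-backed biometric systems follow: the template never leaves the device, the device performs the match locally, and the server stores only a per-device key and verifies a signed challenge. The Device and Server classes, the hash-based “template”, the sample captures, and the HMAC device key are simplifications assumed for the example; real systems such as FIDO2 authenticators use fuzzy matching against a feature vector and an asymmetric key pair held in a secure enclave or TPM.

```python
import hashlib
import hmac
import secrets


class Device:
    """Hypothetical user device. The biometric template and the device key stay here."""

    def __init__(self, device_id: str, enrolled_sample: bytes):
        self.device_id = device_id
        # Simplification: a real template is a feature vector compared against a
        # threshold; a hash stands in for it so the example needs only the stdlib.
        self._template = hashlib.sha256(enrolled_sample).digest()
        # Simplification: real authenticators hold an asymmetric private key;
        # an HMAC key is used here so the server can verify without extra libraries.
        self._device_key = secrets.token_bytes(32)

    def registration_record(self) -> dict:
        """What the server receives at enrollment: an identifier and a key, never the template."""
        return {"device_id": self.device_id, "key": self._device_key}

    def authenticate(self, presented_sample: bytes, challenge: bytes):
        """Match locally; only on success sign the server's challenge."""
        presented = hashlib.sha256(presented_sample).digest()
        if not hmac.compare_digest(presented, self._template):
            return None  # local match failed: nothing is sent to the server
        return hmac.new(self._device_key, challenge, hashlib.sha256).digest()


class Server:
    """Hypothetical relying party. It never sees a biometric sample or template."""

    def __init__(self):
        self._device_keys = {}
        self._pending = {}  # one outstanding challenge per device

    def register(self, record: dict) -> None:
        self._device_keys[record["device_id"]] = record["key"]

    def issue_challenge(self, device_id: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[device_id] = challenge
        return challenge

    def verify(self, device_id: str, response) -> bool:
        # Consume the challenge so a captured response cannot be replayed.
        challenge = self._pending.pop(device_id, None)
        key = self._device_keys.get(device_id)
        if challenge is None or key is None or response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def holds_template_for(self, sample: bytes) -> bool:
        """True if any stored server value equals the template derived from this sample."""
        template = hashlib.sha256(sample).digest()
        return any(hmac.compare_digest(v, template) for v in self._device_keys.values())


def demo() -> dict:
    """Run genuine, replay, and impostor attempts; return the outcomes."""
    # Constructed sample data standing in for sensor captures.
    alice_print = b"alice-fingerprint-capture"
    mallory_print = b"mallory-fingerprint-capture"

    device = Device("laptop-01", alice_print)
    server = Server()
    server.register(device.registration_record())

    # Genuine login: local match succeeds, the signed challenge verifies.
    challenge = server.issue_challenge("laptop-01")
    response = device.authenticate(alice_print, challenge)
    genuine = server.verify("laptop-01", response)

    # Replay: the same response presented again after its challenge was consumed.
    replay = server.verify("laptop-01", response)

    # Impostor: wrong finger on the enrolled device; the device refuses to sign.
    challenge = server.issue_challenge("laptop-01")
    impostor = server.verify("laptop-01", device.authenticate(mallory_print, challenge))

    return {
        "genuine": genuine,
        "replay": replay,
        "impostor": impostor,
        # A server breach would leak rotatable device keys, not Alice's fingerprint.
        "server_holds_template": server.holds_template_for(alice_print),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the flow is the last field: compromising the server yields keys that can be revoked and re-issued, while the unrotatable biometric stays on the device. Running `demo()` returns the genuine attempt as accepted and the replay and impostor attempts as rejected.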
Wherever your organization is in its security journey, biometric 2FA implementation can be made easy with the 2FA capabilities of JumpCloud’s cloud directory platform and its integrated authenticator app, JumpCloud Protect™.
Provide your employees with the convenient option of biometric authentication and save yourself the cost of buying new hardware — JumpCloud’s solution enables the use of existing employee devices for 2FA. Learn more about JumpCloud Protect today.