Whether you realize it or not, our current era of mobile and cloud computing can be defined, both positively and negatively, by shared secrets.
Shared secrets (passwords, PINs, and the seeds and one-time codes behind legacy multi-factor authentication) create a symmetric relationship between users and centralized authorities such as online banks, social media sites, and third-party applications: both sides hold the same secret.
Both the credential verification process and the centralized database of passwords and other shared secrets create an attack surface: the secret can be phished from the user, intercepted in transit, or stolen from the database. With stolen credentials, cybercriminals can impersonate users directly, replay the same credentials against other sites in credential stuffing attacks, and complete account takeover (ATO).
When it comes down to it, passwords and credential theft are wreaking havoc on cybersecurity: identity theft and fraud are problems for consumers and employers alike. However, forward-thinking companies are replacing passwords and other shared-secret authentication protocols with an approach that leverages one of the more under-appreciated technological advances many of us use every day: biometrics.
By leveraging the biometric sensors built right into consumers' and employees' mobile devices, for example fingerprint or facial scans, a passwordless Web becomes an increasing reality.
A cyberattack epidemic fueled by password theft
Since 2016, more than 5 billion passwords have been stolen. What’s more, consumer banking logins that come from malicious sources account for a mind-boggling 56 percent of all logins. That’s just the tip of the iceberg when it comes to authentication fraud.
However, there is a solution, and it involves moving beyond the shared-secret password norm. Even the more advanced login measures, such as one-time-code 2FA, phone-as-a-token MFA, and SMS 2FA, have weaknesses because they still rest on a shared secret: a seed stored on both sides, or a code that the user can be tricked into typing into an attacker's page or that can be intercepted through SIM swapping.
More and more, savvy teams are embracing passwordless solutions to keep their clients' data and their own infrastructures secure. The most practical way to operate in a passwordless environment is through biometric login on the devices users already carry.
Getting comfortable with giving up passwords
Any alternative to passwords will be met with suspicion and face the slow adoption typical of any new technology, so integrating a passwordless solution must be simple and fast for the user. Even though most mobile users are comfortable with biometric authentication on their phones, getting them to adopt passwordless security across the web may still be a stretch.
Cybersecurity teams should ensure that the mobile devices already in use across the enterprise can be used seamlessly to authenticate to workstations, applications, and physical access systems. Organizations can then remove the password from the login process by building biometric authentication flows that mimic what users are already used to on their mobile devices.
The only way IT operations and cybersecurity teams can make the deployment of a passwordless system a success is to do it gradually and iteratively.
Moving to a decentralized model is challenging beyond getting users comfortable with the new system. Unlike a password, a biometric identifier cannot be changed if it leaks, so it must never be stored in a central database; it stays on the user's device, where it only unlocks a locally held key. That is what makes the model decentralized by nature. Being transparent about why the decentralized environment is preferable, and about the benefits of moving to biometric authentication, makes adoption far smoother.
Why fingerprints and facial recognition are safer than most people think
Unlike previous authentication iterations, which were incremental changes to the shared-secret relationship, the biometric approach relies on cryptographic keys stored on a user's trusted device, which are used to access online services, sign transactions, and more.
In a true passwordless world, passwords, PINs, SMS codes, and other shared-secret authentication technologies are replaced with public-key cryptography. A key pair is generated on the user's device; the private key remains on the device at all times, and only the public key is registered with the service. Biometric sensors such as those in recent Apple, Android, and Windows devices unlock the private key so that it can sign a challenge from the authentication server, which verifies the signature with the stored public key. The biometric itself is compared locally and is never transmitted.
Rather than storing passwords and shared secrets in a database, private keys are held in the most trusted areas of the user's smartphone or device, such as a secure enclave, TPM, or hardware-backed keystore, and the server stores only public keys, which are useless to an attacker who steals them.
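The challenge-response exchange described above, reduced to a runnable simulation. This is an added example, not code from the original article or from any vendor it alludes to, and it is a simplified stand-in for FIDO2/WebAuthn rather than an implementation of it (no attestation, no signature counter, and origin binding done by hashing the origin into the signed message rather than via clientDataJSON). The names Device, Server, Assertion, the relying-party origin "bank.example", the look-alike "bank-login.example" and the user "alice" are assumptions; the biometric match is simulated by a boolean that the OS would set after a local fingerprint or face comparison.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device stands in for a phone with a hardware-backed keystore: the private key
// never leaves it, and it only signs after the (simulated) biometric match.
type Device struct{ priv ed25519.PrivateKey }

// Server is the relying party: it holds public keys only, plus one outstanding
// challenge per pending login.
type Server struct {
	rpID    string                       // origin users are expected to sign for
	pubKeys map[string]ed25519.PublicKey // username -> registered public key
	pending map[string][]byte            // username -> challenge issued, not yet used
}

// Assertion is the device's reply: the origin the browser was really on, the
// challenge echoed back, and a signature over both.
type Assertion struct {
	Origin    string
	Challenge []byte
	Signature []byte
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only key material the device ever exports.
func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// signedMessage binds the challenge to the origin, so a signature obtained on a
// look-alike site cannot be forwarded to the real one.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin + "\x00")) // NUL separator keeps origin and challenge apart
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign produces an assertion; biometricOK is whether the OS fingerprint/face
// prompt succeeded for this request. The biometric itself never leaves the device.
func (d *Device) Sign(origin string, challenge []byte, biometricOK bool) (Assertion, error) {
	if !biometricOK {
		return Assertion{}, errors.New("biometric verification required")
	}
	sig := ed25519.Sign(d.priv, signedMessage(origin, challenge))
	return Assertion{Origin: origin, Challenge: challenge, Signature: sig}, nil
}

// Register stores a public key; a breach of this table yields nothing to log in with.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte nonce for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify checks freshness, origin and signature. The challenge is consumed on
// first use, so a captured assertion cannot be replayed.
func (s *Server) Verify(user string, a Assertion) error {
	pub, known := s.pubKeys[user]
	issued, pending := s.pending[user]
	delete(s.pending, user)
	if !known || !pending || !bytes.Equal(issued, a.Challenge) {
		return errors.New("unknown user, or challenge stale or replayed")
	}
	if a.Origin != s.rpID {
		return errors.New("origin mismatch: assertion was obtained on another site")
	}
	if !ed25519.Verify(pub, signedMessage(a.Origin, a.Challenge), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}
```

A login is three calls: Server.Challenge, Device.Sign on the phone, then Server.Verify. Four properties fall out of the structure: the server's table holds only public keys, so dumping it gives nothing to stuff; the device refuses to sign without the biometric match; a signature produced on a look-alike origin fails the origin check even when the attacker relays the genuine challenge; and a captured assertion fails on reuse because the challenge is deleted the first time it is seen.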
The paradigm shift away from shared secrets is happening, and organizations should embrace it. The choice is to live in a passwordless world or to keep dealing with phishing, account takeover, fraud, or worse.
Biometric authentication is the only secure future.