Another huge benefit of using biometrics is that it’s extremely hard to fake, Chaney says. “When measuring both [physiological and dynamic data], the information collected is unique for each individual and rarely changes over time,” she says. “Once done correctly there is nothing more to do or even remember in some cases. Lost IDs or forgotten passwords may be rendered nonexistent.”
Because personal data is extremely difficult to counterfeit, “biometric identifiers could be used to facilitate both physical access, for example, to certain parts of an enterprise complex, or virtual access [to] selected sites on a corporate intranet,” says Windsor Holden, research director at Juniper Research.
“These log-ins can be linked directly to a specific action, meaning that if there is a security breach from within the organization, the person who is responsible can rapidly be identified,” Holden says.
And biometrics can be used to incorporate bring-your-own-device (BYOD) into corporate security strategies, “as they link an individual to access via their personal mobile device,” Most says.
On the negative side, two of the biggest drawbacks of biometrics over the years—high costs and privacy concerns—are still issues, according to experts.
“There are typically very large startup costs to getting the infrastructure in place to make use of biometrics,” Taule says. “This is also true of second-factor physical tokens as well.”
As for privacy, it remains a major concern “because you are collecting data not only about a person, but information that makes that person unique,” Chaney says. “Many people inherently find this intrusive and a violation of their rights.”
User acceptance “can be a significant challenge, especially if individuals are uncomfortable with the idea of biometrics and see the technology as privacy invasive,” Most says. “This can create user resistance and intentional failure to acquire or authenticate via biometric readers/sensors.”
It’s important not to forget that all of the biometric data has to be digitally recorded and stored, and the security around this data must be planned out and access limited appropriately, Chaney says. “In addition, these ‘super’ highly privileged access users must also be monitored and subjected to an even higher level of security,” she says.
A major concern is what happens if the servers storing biometric information are hacked, Holden says. “If a person’s biometric information is stolen, that could have extremely serious consequences for that individual,” he says.
Another big challenge is determining who should use biometrics technology, as well as when and where, Chaney says. “Every end user will have to submit to an examination to collect their individual data,” she says.
That process can be a daunting task for any corporate security program, Chaney says. “Hopefully, as you build out a layered security defense you will find that it is not necessary for all assets to be protected with biometrics technology,” she says. “As with any security program you must first assess what needs to be protected and then decide the level of protection.”
Integration into the security program is another issue. “Obviously there are greater barriers to entry and startup costs to get these systems up and running, compared to the relatively simple and easy deployment of password-based solutions,” Taule says.
Lack of accuracy is another potential problem. “There are solutions that can overcome these concerns, but there are factors to be considered that can hinder system effectiveness,” Taule says. “For example, if using a voice print or thumb print, what happens if someone becomes hoarse or cuts their finger?” he says.
One of the biggest challenges is the process by which the biometric is originally captured and bound to an identity, Taule says. “Often this is accomplished in person, but this has high overhead costs and is highly inconvenient for distributed organizations.”