Today's top stories

What is biometrics? 10 physical and behavioral identifiers that can be used for authentication

Biometrics has the potential to make authentication dramatically faster, easier and more secure than traditional passwords, but companies need to be careful about the biometric data they collect.

1 2 Page 2
Page 2 of 2

Smartphone-based authentication offers significant usability benefits. First, users tend to be immediately aware if they have misplaced or lost their smartphone and will take immediate steps to find or replace it. If, however, they misplace a badge that they only use to access a building during the off-hours, they might not notice for a while that it is missing.

Smartphone manufacturers are also in the middle of an arms race to make their technology better and easier to use. No other industry — or individual company — can match the scale of mobile investment or the usability and security testing that phones receive.

Finally, phone authentication offers users maximum flexibility. They can opt for phones with face ID, fingerprint scanners or voice recognition, or some other new technology that hasn't been invented yet but will dominate the market tomorrow. However, using a third-party mechanism like consumer smartphones puts the authentication process outside enterprise control.

Another downside to device-based authentication, in general, is that the identity information is limited to that one device. If people use a fingerprint to unlock their smartphone, they can't then also use that same fingerprint to unlock their office door without separately authorizing the door lock, or to unlock their computer without separately authorizing their PC's fingerprint scanner.

Companies that need to authenticate users or customers on multiple devices in multiple locations need to either have some kind of centralized mechanism to store the authentication credentials or leverage a device that the user carries with them at all times. For example, companies can put the authentication mechanism inside a smart badge that employees wear around the office. They can also use a smartphone to authenticate the employee, then communicate the identity confirmation to other devices and systems via Bluetooth, NFC, WiFi or the internet.

Tokenization or encryption

Another approach to allowing new devices to recognize existing authorized users is tokenization, one-way encryption, or hashing functions. Say, for example, retinal, voice or fingerprint identification is used to recognize and authenticate employees wherever they might go within a company, but the company doesn't want to have the image or audio files stored on servers where hackers or malicious employees might misuse them.

Instead, the company would use a device that, say, scans a person's face or fingerprint, converts that image into a unique code, then sends that code to the central server for authentication. Any device that uses the same conversion method would then be able to recognize the employee, and the raw identification data is never available on any system. The downside to this approach is that the company is then locked into a single proprietary authentication mechanism.

Copyright © 2019 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Get the best of CSO ... delivered. Sign up for our FREE email newsletters!