With ubiquitous access to smartphones, stronger security options such as biometric authentication are now in everyone's hands. Given that, why not use solutions able to recognize unique facets of the human condition (such as fingerprints, eye scans or facial details) rather than run-of-the-mill passwords that are subject to compromise and could give attackers access to multiple network services? Many mobile phones are equipped with fingerprint scanners and some have facial scanners. As noted by Forbes, the biometric market will likely enjoy double-digit growth over the next five years as industries such as health care, financial services and travel look to increase security without inconveniencing employees and consumers.
The challenge? Implementation. What's a realistic timetable for rolling out new solutions? What do businesses need to know about making the transition, and what are some common pitfalls that can impact biometric uptake?
Finding the Balance
We recently had the chance to speak with CPO of Security Services at ADP, Frank Villavicencio, about the new face of security technology. He notes that the biggest struggle for digital defense solutions has historically been finding the balance between security and convenience; improve one and the other naturally suffers.
According to Villavicencio, technology has now advanced to a point where "the two can be balanced in a more optimal way — you can increase security and convenience." This is the holy grail of security for HR leaders — the ability to have employees log into corporate accounts using unique physical features that can't be replicated, both allowing ease-of-access while simultaneously shoring up IT security. Adoption has already started at the consumer level, but organizations now face the more complex task of integrating these tools into day-to-day operations.
As noted by Villavicencio, users are an excellent benchmark for the state of current security technology adoption. Ask a room of enterprise staff if they can log into corporate email accounts using their mobile devices and most hands will go up. Ask if they're using fingerprint ID to gain access, and only a few hands go down. Ask if that's the only barrier to complete access and most hands stay up. Villavicencio puts it simply: "other than your fingerprint or maybe your passcode when you unlock your phone, there's very little else in the way of passwords or other credentials that your phone asks for, and yet you're able to do all the things you need to do."
It makes sense. With biometric scanners built into most devices, the cost of maintenance is virtually negligible and the level of security offered is enterprise-grade. But as noted by Asmag, there are situational drawbacks that businesses must also recognize: installing new biometric systems isn't cheap, and oversight can be time-consuming if your firm experiences significant employee turnover. There are also odd outliers. For example, one percent of the population can't be identified using fingerprints, meaning you always need a backup access solution that offers equivalent security strength.
No matter the biometric method chosen, there's little doubt that personal mobile devices will feature prominently in the adoption of new security technology. This presents a unique security concern: what happens if devices are lost, stolen or compromised? As noted by Villavicencio, "in many countries the mobile phone and the person are legally bound," in effect making mobile devices a critical part of identity and access. Given this link, it's tempting to see the loss of devices as low-risk, since they can't be accessed without the user.
But as Mobile ID World points out, hackers have already been able to "spoof" unique user characteristics such as fingerprints and facial images, granting them access to mobile devices. And unlike passwords, users can't simply "reset" their fingerprints or purchase a new face.
Despite potential pitfalls, single sign-on (SSO) adoption is quickly becoming the de facto way to access corporate accounts, and as biometrics advance they're replacing passwords with unique personal characteristics. So what's a reasonable timeline for adoption? Villavicencio notes that while he's already encountered at least one employee with an embedded RFID microchip, this isn't the most likely version of biometric adoption, even over the next five or ten years.
Consider the benchmark of government agencies: According to Biometric Update, the U.S. Navy is currently transitioning to a fingerprint-scanning system for all contractors and employees. For enterprise HR departments, this suggests that technologies such as fingerprint scanning are both safe and ubiquitous enough that adoption — likely linking to existing scanners on smartphones — could start immediately. Longer-term solutions are best handled using a wait-and-see approach. Once facial recognition, gait analysis and other solutions are more widely available, businesses can effectively evaluate their usefulness in the wild.
Technology is evolving to leverage the human condition, making it possible to improve security and convenience in tandem. Businesses can't afford to ignore these advancements but must recognize that they bring unique challenges and work to find reasonable solutions before considering implementation.