In this month’s Ask the Expert segment, Serkan Cetin, technical director at One Identity in Asia-Pacific and Japan, offers advice on the technical and ethical considerations of biometric security as part of an identity and access management (IAM) strategy.
Q: We are looking to implement biometrics as part of our IAM strategy. What are the technical and ethical considerations that we should be aware of?
Cetin: Using biometrics as part of your authentication process is a great way to increase the security of your identity solution. Organisations would typically look to implement biometric authentication options, such as fingerprint, retina or even palm vein technologies, as part of a multi-factor authentication (MFA) strategy. Another area that organisations should consider is behavioural biometrics, especially as part of privileged activities on systems and applications.
One of the challenges and common perceptions with biometrics is that it can be perceived as just adding another step or requiring a few more clicks. Behavioural biometrics utilises machine learning capabilities to constantly learn how the user interacts with the system, detect suspicious behaviour or abnormalities, and require the user to re-authenticate using an OTP (one-time password) or other forms of second-factor authentication. This allows organisations to improve their security posture when it comes to privileged activities, without just being seen as another click or an extra step in the process. There are, of course, a few challenges that any organisation will need to overcome when it comes to physical biometrics, such as fingerprint and retina. One of the most obvious is how you enrol the user, followed by the storage and security of that user’s data.
Physical biometrics are considered personally identifiable information, and organisations looking to implement this type of technology as part of IAM should also be putting a lot of consideration into the security and storage of the data. While some users may be willing to enrol their biometrics into corporate systems, there are users who very much prefer to keep their personal data private to them.
It’s important to consider the impact on people, and proper planning and consultation with stakeholders, influencers and even pilot groups should be considered. Not only will this help to address any potential challenges, it is also just good practice as part of any security strategy, as it helps to get buy-in from stakeholders and users.
Another challenge, and this really depends on how it is implemented, is the overall usability of the system. While biometrics makes it easier to log in instead of typing six digits in the case of a traditional OTP, there’s still the issue of usability, user enrolment and roll-out across the organisation. Although solutions that require specialised hardware might be considered more secure, there is still a usability side to this that needs to be addressed.
Organisations should be looking for security and identity solutions which provide a frictionless experience for the end user, where the security of the solution can still be increased while still providing a solution that is usable, easy to implement, and introduces little or very minor changes to the current established processes and ways of working.
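To make the behavioural-biometrics loop Cetin describes concrete, here is an added example in Python; it is not One Identity's code or anything from the interview. It builds a per-user baseline from constructed keystroke-interval samples, scores a new session against that baseline, and returns whether the session may continue or must be re-authenticated with an OTP; the features, threshold and sample timings are assumptions.

```python
"""Behavioural-biometric step-up check (illustrative, assumed design).

A user's baseline is learned from past sessions' keystroke timings. A new
session is scored by how far its timing profile drifts from the baseline;
drift beyond a threshold triggers second-factor re-authentication.
"""
from statistics import mean, stdev


def session_features(intervals):
    """Summarise one session's inter-key intervals (milliseconds)."""
    spread = stdev(intervals) if len(intervals) > 1 else 0.0
    return {"mean": mean(intervals), "stdev": spread, "max": max(intervals)}


def build_baseline(sessions):
    """Per-feature (mean, stdev) learned from previously trusted sessions."""
    feats = [session_features(s) for s in sessions]
    baseline = {}
    for key in feats[0]:
        values = [f[key] for f in feats]
        # Floor the spread so a near-constant feature cannot dominate scoring.
        baseline[key] = (mean(values), max(stdev(values), 1.0))
    return baseline


def anomaly_score(baseline, intervals):
    """Mean absolute z-score of the session across all baseline features."""
    f = session_features(intervals)
    return mean(abs(f[k] - mu) / sd for k, (mu, sd) in baseline.items())


def decide(baseline, intervals, threshold=2.0):
    """Return ('allow' | 'step_up_otp', score) for a new session."""
    score = anomaly_score(baseline, intervals)
    return ("step_up_otp" if score >= threshold else "allow"), score


def learn(history, intervals, decision):
    """Only sessions that were allowed extend the baseline, so an anomalous
    session cannot quietly re-train the model in the attacker's favour."""
    if decision == "allow":
        history.append(list(intervals))
    return history


# Constructed sample data: four typical sessions for one user (ms between keys).
TRUSTED_SESSIONS = [
    [110, 130, 120, 125, 115],
    [120, 140, 110, 130, 120],
    [115, 125, 135, 120, 110],
    [125, 115, 120, 130, 125],
]
NORMAL_SESSION = [115, 130, 120, 125, 118]      # same person, same rhythm
UNUSUAL_SESSION = [40, 42, 41, 40, 43]          # uniform, far faster than usual
```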