Virtualization Technology News and Information
With the Advent of Biometrics, Are Passwords Going Away?


Article Written by Jackson Shaw, Senior Director of Product Management at One Identity

Facial recognition and fingerprint scanning for device authentication are no longer futuristic concepts reserved for James Bond movies. In fact, biometrics seem to be gaining ground over their inferior cousin, the password, by the day. So why do we all still have more passwords than we would care to remember? And where is the much-hyped "death of the password"?

Three burning questions dog the authentication discussion:

  1. Why are we still using passwords when there are so many more secure options out there?
  2. Will biometrics ever become the standard for authentication?
  3. Assuming passwords are here, for at least a little while longer, how can I make them work for me?

Why are we still using passwords?

To understand why we are still using passwords, we need look no further than human nature. We like what we are comfortable with and resist change.

Since the very inception of networked computing, there has been a need for user authentication in order to access systems and data, and the easiest authentication to build into a system is the password. All you need is a directory and a few simple technologies to enforce the security. Consequently, the vast majority of systems use password authentication as the default -- and in many cases, password authentication is the only option.

For those of us purchasing and implementing these applications, passwords have always been good enough... until they weren't. The people that rely on these systems are used to passwords. They have all kinds of tricks to help them remember their passwords (which, by the way, is often the reason passwords are the weak link in the security chain). And passwords are cheap - often password-based authentication is built into the systems that we rely on. Implementing a more secure or convenient authentication method will only add expense, management overhead, and possibly user dissatisfaction.

In addition, consider the fact that most organizations rely on older systems that default to password-based authentication. Switching to biometric-enabled systems can be expensive or require long deployment and integration cycles, and often comes across as an effort to fix something that isn't broken. Not to mention that when multiple legacy systems are in play, those challenges are magnified many times over.

So why are we still using passwords? My opinion is, quite simply, because it's good enough. Until there is a compelling event, technological breakthrough, or regulatory mandate forcing the issue, passwords will remain king.

Will biometrics become the new standard?

I believe that, yes, biometrics will eventually become the new standard. But only after enough password-based breaches hit enough organizations with enough negative effect that they are forced to implement stronger forms of authentication.

But I would also argue that multi-factor authentication (an approach in which biometrics is becoming a key player) is quickly becoming "a" standard, if not "the" standard. More and more organizations today are supplementing the single factor of something you know (the password) with a second factor of something you have (such as a smart card or OTP token), and more recently with another factor, something you are -- otherwise known as biometrics.

Since second factors of the "something you have" variety are easier to implement and more easily integrated with legacy systems, I would expect continued growth in one-time passwords (OTP) and smart card authentication, while biometrics slowly gains ground.

So maybe the correct answer to this question is that multi-factor authentication will become the standard quickly, with biometrics being incorporated into a fraction of those uses, at least for the foreseeable future.

How can I make passwords work for me?

Authentication technologies, whether they be passwords or biometrics, exist for one purpose - to secure access to systems and data. With the death of the password being greatly exaggerated, there is a compelling need to find ways to use them better. In other words, we need to find ways to ensure that passwords fulfill their purpose and work for your company's security processes. Recent NIST guidelines provide cool alternatives to the strict rules we've been told to abide by when setting a strong password. For example, use a long phrase rather than a distorted version of your pet's name. However, many legacy systems simply don't provide the flexibility to implement these dramatically different password policies. But there is hope. Here are some ideas:

  • Add multi-factor authentication. There are many options available for two- or three-factor authentication, and making sure that the one you choose fits with the culture of your organization is the best way to ensure that users will be able to seamlessly gain access to their work without having it disrupt their workflow.
  • Reduce the number of passwords you use -- but change them frequently. Much of the trouble with hacked passwords is that they were easy to discover. This can be the result of poor practices, such as never changing a password, or the result of social engineering to guess them. However, a single hard-to-guess password that is changed often and applies everywhere is an ideal remedy to their traditional weaknesses. Single sign-on and directory consolidation are fairly easy and common technologies that achieve this end.
  • Take advantage of all your options. When implementing new systems, be sure that they support the standards necessary for adding multi-factor authentication to the mix and ensure that the policy you enforce for accessing those systems uses all the options available to you.

So while the death of the password may be highly exaggerated for now, authentication is evolving, and biometrics will slowly become the new standard of the future. Set yourself up today to seamlessly and securely move into the passwordless world, when it finally gets here.


About the Author


Jackson Shaw is Senior Director of Product Management for One Identity's Identity and Access Management product line. Prior to One Identity, Jackson was an integral member of Microsoft's Identity & Access Management product management team within the Windows Server Marketing group at Microsoft. While at Microsoft he was responsible for product planning and marketing around Microsoft's identity & access management products including Active Directory and Microsoft Identity Manager. Jackson began his identity management career as an early employee at Toronto-based Zoomit Corp., the pioneer in the development of meta-directory products, which Microsoft acquired in 1999. Jackson has been involved in directory, meta-directory and security initiatives and products since 1988. He studied computer science and management information systems at the University of Ottawa. He is a longtime member of the Association for Computing Machinery.

Published Wednesday, November 29, 2017 8:03 AM by David Marshall