These days, it’s uncommon to find mobile devices that aren’t equipped with biometric features. With Apple’s Touch ID fingerprint scanners and Samsung’s Samsung Pass, which uses fingerprint and iris scanning, on the market, more and more tech companies are looking to ditch passwords altogether. And now, it seems that this trend has spread to workplace security. Experts say that enterprises are moving towards incorporating biometrics into their security systems, not only to thwart hacking but also to help save money.
“We’re seeing a very rapid evolution from what used to be passwords, then smart cards, and now to biometrics,” Alex Simons, director of program management in Microsoft’s identity division, told CNN Tech.
But what is biometrics exactly? Essentially, it is a unique way of identifying a person using biological traits such as fingerprints, hand geometry, DNA, iris scans, voice waves, and facial recognition. With its unique ability to reduce rejection rates of authentication, combat cybersecurity threats, overcome user disdain for stronger passwords and provide a smoother user experience, more and more companies are embracing the use of biometrics to add an extra layer of safety to their operations.
In the workplace, employees are increasingly using biometrics to log in to phones and computers, and to access data stored on those devices and in the cloud. Some of the biggest names in tech, like Microsoft and Facebook, are trying to get rid of passwords completely and have implemented biometric security standards.
Back in 2015, Microsoft launched Windows Hello, a feature within Windows 10 that allows the use of facial and fingerprint scans to log in to Windows devices. Fast forward to today, and there are now 50 million people using Windows Hello to log in to their PCs both at home and in the office.
In fact, Microsoft will soon be releasing an update, the Windows 10 Spring Creators Update, which will include a new authentication standard developed in collaboration with other tech companies, including Google. Called FIDO 2.0, the standard will enable Windows consumers to use multiple devices (including third-party security keys or security monitors that track your heart rate) to automatically log in to their computers without a password.
Spiceworks, a professional network for people in the IT industry, says nearly 90 percent of businesses will use biometric authentication by 2020, which is up from 62 percent today. Fingerprint scanning is currently the most common type of biometric authentication, with 57 percent of organizations utilizing it, whereas only 14 percent of organizations use facial recognition.
“Passwords are the weak link. They have terrible characteristics about them, and they’re hard for you to keep track of,” Simons said. “Passwords are also super expensive for companies.”
He reveals that Microsoft spends over $2 million in help desk calls a month to simply help people change their passwords. Switching over to biometrics would help eliminate the time, effort, and money spent by the company to help mitigate these issues.
However, there are some benefits of using passwords. For one, they’re easy to change if they’re stolen. Biometrics can also be stolen, but you can’t change your face or fingerprints. In 2015, a breach at the federal Office of Personnel Management leaked 5.6 million people’s fingerprints – making it easy work for hackers to quickly scoop up the information and steal the biometric identities of millions.
At the moment, it’s unclear what type of damage hackers can do with stolen fingerprints. Many experts worry that if fingerprints are adopted widely for authentication, it could lead to widespread identity theft. Researchers have already shown it’s possible to use replicated fingerprints to log in to smartphones. They were also able to trick facial recognition by using a photo on older Windows devices and a Samsung smartphone model.
Another worry is that third parties could be getting access to people’s facial scans through products like the iPhone X. Last year, Apple introduced facial recognition unlocking technology on their latest flagship device, the iPhone X, and privacy advocates cited concerns about third-party companies having access to people’s face scans. But Apple claims the data shared with iOS developers reportedly can’t unlock phones.
Meanwhile, Simons shares that within Windows, biometrics are collected and stored on the device directly and therefore are never shared with the cloud or any type of third-party company. Furthermore, Microsoft also provides the option for users to use a PIN instead of the biometric scan for those who are wary of sharing or using physical attributes with their technology.
There are even state laws that restrict biometric collection, which have hindered face and fingerprint scanning tools or apps in those states. For example, in 2008, Illinois passed a law that requires companies to let users know when biometric identifiers are collected and how they will be used. Here, it is also necessary to obtain consent from users before collecting and storing that data. The following year, Texas also passed a similar law. Abroad, data protection regulations are set to go into effect in the EU, via the GDPR, which will also require consent before processing biometric data.
It’s no question that biometrics will probably become just one part of a broader security strategy, perhaps as a second-factor login in addition to a manual password. Another factor that may be included in this strategy is using employee behavior to detect hacks. Security firm BioCatch provides tools for companies to learn employees’ digital behavior and identify when an unauthorized person is trying to access information. Their software is then used by companies in apps and websites, where it runs in the background to build a “behavior profile” of a user, and learns activities like how someone holds the phone, whether they type with one or two hands, and how they scroll and toggle between screens.
“The connected economy is forcing a need to redefine digital identity and to rely on new ways to make sure people are who they claim to be,” said Frances Zelazny, vice president at BioCatch. “Your name and your pet’s name, knowing that does not guarantee you really are a legitimate person.”
However, like all other things on the world wide web, this type of user information can also be hacked and/or replicated by malicious users. Just as well, companies should be wary of tracking behavior profiles, as many users will no doubt be skeptical of allowing software to record and ‘spy’ on their mobile technology habits.
“As we get better at explaining to the world how it works and as we refine the software to make it easier to set up and use, more people are using it,” Simons said. “Rather than trying to convince people that we’re right, we’re trying to give people options. We are trying to do everything in an upstanding manner to protect your privacy.”