The Identity Problem: Beyond PINs and Passwords
Veridium Author | June 21, 2016
Fundamental changes are needed to evolve identity authentication beyond the current PIN and password model in order to strengthen the security of transactions, reduce fraud and associated costs, and improve the user experience by eliminating the need to manage multiple passwords.
PIN and Password Model is Antiquated and Flawed
It seems as if every time you turn around these days, there is news of yet another cyberattack involving a well-known brand or government entity.
Consider that 86 percent of identity theft victims experienced the fraudulent use of existing account information, such as from credit cards or bank accounts, according to the U.S. Department of Justice’s 2014 Victims of Identity Theft report. Over the last few years, companies like Home Depot, Sony, Staples, Anthem, Premera Blue Cross, and Ashley Madison have had sensitive customer or employee data stolen to the tune of more than 230 million records. The stolen information included bank account and credit card numbers, email and physical addresses, Social Security numbers, and employment and salary information. The U.S. Office of Personnel Management reported two separate breaches, during which 21.5 million people had their Social Security numbers and other sensitive information taken, and 5.6 million federal employees—many with security clearances—had their fingerprints stolen.
Cyber-espionage attacks are expected to increase in frequency as long-term players become stealthier information gatherers and newcomers look for ways to steal money and disrupt adversaries.
These incidents point to fundamental challenges with the identity-authentication solutions that exist today, which are largely based on PINs and passwords. The explosion of websites and devices in recent years means consumers must now manage numerous usernames and passwords. This leads people to reuse passwords across different sites, which in turn increases the risk of a breach. Adding to these challenges is the exponential growth in the number and increasing variety of Internet-of-Things (IoT) connected devices, which also require security.
At the same time, cybercrime is becoming more sophisticated with criminals exploiting vulnerabilities in password-based authentication models, aging technology and infrastructures, and new IoT devices for which strong security isn’t top-of-mind.
Yesterday’s world of desktop authentication, where the user consumed locally installed applications on a single device, has given way to an ecosystem in which people own several devices and authenticate their identities to external services far more often. This new ecosystem requires authentication models to evolve beyond the PIN and password to link people to transactions and secure the growing number of connected devices.
Replacing the Password
One such authentication model leverages biometrics and biometric technologies, which have taken center stage for enterprises looking to explore new and better ways to secure their customers’ identities and data. Yet, even as the use of biometrics has rapidly expanded and become more mainstream—thanks to companies like Apple and the development of Touch ID—there is still much to understand about the technology.
While it has the potential to offer significant value, the industry as a whole is not yet mature, as is evidenced by the glut of misinformation and hype, as well as the lack of certification, seen in the market today.
Much of this stems from the proliferation of vendors who purport to be biometrics experts, touting their products in order to grab a share of the global biometrics market. According to Goode Intelligence, that market is expected to generate more than $30 billion in annual revenue by 2020.
Each vendor claims to solve the identity-management problem by using biometrics to replace or reduce reliance on passwords, which are universally acknowledged as difficult and costly to manage, and prone to hacks and data breaches. Each has also created an excess of marketing materials to support these claims.
For enterprises, wading through the sheer volume of marketing information to understand the technology can be a daunting prospect. So how does one cut through the vendor bias to understand the science of the biometrics, and select a secure and robust identity-authentication solution capable of supporting business requirements?
Biometric Identity Authentication
Today, vendors have employed vastly different approaches when building biometric-technology solutions to address identity and access problems. However, cobbling together a variety of solutions to create an authentication platform can bring about its own challenges. An alternative approach is to eliminate reliance on any one vendor or group of vendors by creating technology that can be openly and freely shared and developed upon by anyone who wishes to use it.
This approach addresses the needs of individuals who have difficulty managing multiple passwords and enterprises that not only must offer their customers great user experiences, but must also protect against hacks and data breaches, as well as deal with the high cost of password management.
It also seeks to solve the lack of interoperability between existing PIN and password-based authentication solutions, which has long been regarded as an industry-wide problem that stretches beyond the biometrics space and which directly relates to increasing instances of fraud across many sectors.
The threat of cyberattacks and the explosive growth of mobile and connected devices have precipitated the need for strong, highly secure authentication solutions. There is tremendous opportunity to use biometric technologies to protect and authenticate digital identities. It is critical for people who are using and evaluating biometric technologies to educate themselves on the fundamentals—and ask questions—to knowledgeably select the biometrics solution that best meets business requirements.