Despite reports of data breaches that have compromised billions of records so far this year, many people are still reusing passwords that are old or easily guessed using “brute force” techniques. Recognizing that password maintenance can be daunting and that passwords themselves can be compromised, security experts are focusing on employing other methods of authentication, besides passwords, to prove identity and authorization.
Requiring more than one verification method, or “multi-factor authentication” (MFA), aids in security by utilizing more than one type of validation:
- something you know, like a password or the answer to a question
- something you have, like a physical key
- and/or something you are, which refers to biometric identifiers like face, fingerprint, or iris scans
Similar to securing a home or a safe deposit box, the more locks that require different keys, the less likely a burglar can, or will keep trying to, break in.
Many are familiar with biometric authentication from mobile devices that read the face or fingerprint instead of entering a PIN or password. Biometric authentication can make it easier to log in when it works. Issues develop when the system doesn’t work as planned.
1. The device needed for application usage can malfunction and misread results
In order to use biometric authentication, a device is necessary. Whether the authenticating device is part of the application, part of one’s computer, or an attachment, the biometric authentication is another level of technology that can malfunction.
For example, a face covering prevents a face scan from opening phone apps. A cut to a finger can prevent fingerprint scan access. Changes to one’s retina, due to diabetes or other diseases, can thwart a retinal scan. For that reason, having a back-up means of authentication, such as a physical key and/or a password, is usually required.
2. Privacy concerns and the difficulty to change a compromised biometric scan
A compromised password can be easily changed but a compromised face, fingerprint, or retinal scan is harder to correct. For that reason, a number of states have passed biometric privacy laws that prohibit scans without informing the subject, obtaining their explicit consent, and ensuring the security of the data stored.
One of those laws, the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq. has spawned a number of class-action lawsuits against companies for failing to obtain consent or putting subjects in the position where they cannot realistically refuse consent.
For example, a company that installs fingerprint scanners and requires employees to scan a fingerprint to enter can be accused of violating the law if there are no other means for employees to clock in. Storing and transferring biometric identifiers can also be problematic if the information is not properly secured. Selling the data is also often regulated or prohibited by law.
That leaves a couple of takeaways for biometric authentication:
1) Don’t rely on biometric authentication alone, because it isn’t foolproof
2) Ensure that if you require biometric authentication it complies with all applicable privacy laws
Physical “keys” can also be used for authentication
Usually a small device that plugs into a USB port, the key contains a private code that lets the user securely access apps, devices, and software that hold the matching public code (the private and public codes are cryptographic keys).
Physical keys can negate the need for a password or can be combined with a password for extra security. They are fairly inexpensive and the number of applications that accommodate them is increasing. As with biometric authentication though, physical key authentication is not perfect.
The major drawback of physical keys is the need to keep track of the device. If the key is lost and there isn’t a back-up method to authenticate, like a phone number, email, or password reset, access can’t be granted to the protected data, app, or device. However, the advantage of physical keys is that they are quite secure and relatively budget-friendly.
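How the private code on a physical key and the public code held by the service work together, as an added example that is not part of this article and not HSB’s code: a small Go program in which the service stores only the public key, sends a fresh random challenge at each login, and accepts the login only if the key signs that exact challenge. The ed25519 signature scheme, the Server and PhysicalKey names, and the user name “alice” are assumptions for illustration; the point shown is that the private key never leaves the simulated device and that a challenge, once used, cannot be replayed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server models the app or service (the "relying party"). It keeps only the
// public half of each registered key; the private half stays on the device.
type Server struct {
	registered map[string]ed25519.PublicKey
	pending    map[string][]byte // the outstanding challenge for each user
}

func NewServer() *Server {
	return &Server{
		registered: map[string]ed25519.PublicKey{},
		pending:    map[string][]byte{},
	}
}

// Register stores the public key the device presents when it is enrolled.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.registered[user] = pub
}

// Challenge issues a fresh random nonce for one login attempt. Because every
// login gets a new nonce, a signature captured once cannot be reused later.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.registered[user]; !ok {
		return nil, errors.New("no physical key registered for user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify accepts the login only if the signature covers exactly the challenge
// that is still outstanding. The challenge is consumed either way, so a replay
// of the same signature is rejected.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	expected, ok := s.pending[user]
	delete(s.pending, user)
	if !ok || !bytes.Equal(expected, challenge) {
		return false
	}
	return ed25519.Verify(s.registered[user], challenge, sig)
}

// PhysicalKey models the USB token: it holds the private key and only ever
// returns signatures, never the private key itself.
type PhysicalKey struct {
	priv ed25519.PrivateKey
}

func NewPhysicalKey() (*PhysicalKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &PhysicalKey{priv: priv}, nil
}

// Public returns the half of the key pair that is safe to hand to the server.
func (k *PhysicalKey) Public() ed25519.PublicKey {
	return k.priv.Public().(ed25519.PublicKey)
}

// Sign answers a challenge without revealing the private key.
func (k *PhysicalKey) Sign(challenge []byte) []byte {
	return ed25519.Sign(k.priv, challenge)
}

// RunLogin performs one full challenge/response exchange and reports whether
// the server accepted it.
func RunLogin(s *Server, k *PhysicalKey, user string) (bool, error) {
	challenge, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	return s.Verify(user, challenge, k.Sign(challenge)), nil
}

func main() {
	server := NewServer()
	key, err := NewPhysicalKey() // constructed sample key for the demo
	if err != nil {
		panic(err)
	}
	server.Register("alice", key.Public())

	ok, _ := RunLogin(server, key, "alice")
	fmt.Println("genuine key accepted:", ok)

	stranger, _ := NewPhysicalKey()
	ok, _ = RunLogin(server, stranger, "alice")
	fmt.Println("different key accepted:", ok)
}
```

The drawback the article describes follows directly from this design: if the device holding the private key is lost, nothing else can produce a valid signature, so the service must offer a separately registered back-up method or access cannot be restored.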
Will the demise of passwords come anytime soon? Probably not. However, more applications and services will adopt multi-factor authentication methods that may not require a password, or that will require a password along with at least one other form of validation such as a biometric identifier or physical key.
© 2020 The Hartford Steam Boiler Inspection and Insurance Company. All rights reserved. This article is for informational purposes only and is not intended to convey or constitute legal advice. HSB makes no warranties or representations as to the accuracy or completeness of the content herein. Under no circumstances shall HSB or any party involved in creating or delivering this article be liable to you for any loss or damage that results from the use of the information contained herein. Except as otherwise expressly permitted by HSB in writing, no portion of this article may be reproduced, copied, or distributed in any way. This article does not modify or invalidate any of the provisions, exclusions, terms, or conditions of the applicable policy and endorsements. For specific terms and conditions, please refer to the applicable endorsement form.