Biometric security and the future of passwords
The problem with passwords
Passwords aren’t famous for providing positive user experiences. With requirements around character count, upper case letters, numbers and special characters, they can be annoying to create. On top of that, passwords have to be remembered. This is even more of a hassle since so much of what we use in our personal and professional lives is protected with a password. We have to remember the passwords for our bank and email accounts, social media profiles as well as work applications like Salesforce, Microsoft Office and many others.
Passwords also have a security problem. Attackers use them to infiltrate targets. Common ways of obtaining passwords include stealing them in phishing attacks and purchasing ones exposed in data breaches. Of the 41,686 security incidents covered in the 2019 Verizon Data Breach Incident report, 32% involved phishing and 29% involved stolen credentials.
Additionally, people tend to use the same password for different accounts, which can be a problem if credentials are exposed in a data breach. Choosing common phrases as passwords is another frequent issue, since it makes them easy for attackers to guess.
Organizations are starting to look beyond the password for authentication. Passwordless authentication, which lets people authenticate using biometrics and a smartphone, is now possible. Biometrics are commonly defined as the measurement and analysis of unique physical or behavioral characteristics (such as fingerprint or voice patterns) commonly used as a means to verify personal identity.
After becoming the main way to unlock smartphones and access mobile apps, this method is now being used by businesses for consumer, employee and transaction authentication. The main benefits of passwordless authentication are convenience and security.
A common concern about biometrics is what happens if this information is exposed in a data breach. But using a biometric for authentication is very different from using a password. Here’s how your biometrics aren’t like your passwords and why that makes them a better choice for authentication.
Stealing a biometric is hard work
To use a stolen password, an attacker just has to type it in. Using a stolen biometric isn’t as easy. First, the biometric has to be ‘spoofed’, for example with a molded, high-quality replica of a fingerprint.
However, creating a high-quality reproduction isn’t enough to trick biometric sensors. Passwordless authentication technologies have detection measures that ensure a person and not a fingerprint mold, 3D mask or other spoofed biometric is being used.
Some passwordless authentication platforms also incorporate behavioral biometrics into authentication.
Behavioral biometrics, a new form of security, covers how people interact with their smartphones. This includes factors like the pressure that people use to press on the screen and how they hold their phones. Everyone interacts with their phone differently, making behavioral biometrics hard to copy. These behavioral differences are taken into account to ensure the person authenticating is the actual owner.
At bunq, we have applied several types of biometric authentication to our onboarding and login processes. Perhaps the best known is our hand scan feature, which we implemented with our partners Veridium ID. Using a smartphone, the user simply scans their hand with the camera and it authenticates them instantly. This makes life easy for our users while providing an extra layer of security.
Is the future of authentication passwordless?
Using passwordless authentication with biometrics puts bunq in good company. Microsoft is phasing out passwords for employees and letting them use biometrics instead. The technology giant expects many other companies to follow suit in the next six years. To help with the transition, much as Apple did with its thumb scan, Windows 10 will let people authenticate with a biometric rather than a password.
Meanwhile, research firm Gartner predicts that by 2022, “60 percent of large and global enterprises, and 90 percent of midsize enterprises, will implement passwordless methods in more than 50 percent of use cases — up from 5% in 2018.”
Law enforcement agencies are also encouraging the use of biometrics over passwords. In September, the FBI warned organizations that attackers have grown more skilled at intercepting one-time passwords used in two-factor authentication. Instead of one-time passwords, the FBI recommended using either biometrics or behavioral information in two-factor authentication.
Moving away from passwords requires people to rethink the way we log in. Given the benefits biometrics offer, such as security and convenience, passwordless authentication use is poised to grow. For bunq, our pledge is to provide the most secure banking experience we possibly can for our users, and biometrics will play a key role in delivering that security.