Authentication is an important activity performed several times a day, yet it mostly goes unnoticed. We authenticate people in our day-to-day routine and allow them different levels of access to different resources. You may let a co-worker use your phone to make a call. You let your friends and relatives into your house, but you ask for an ID card when a service provider knocks. The ability to authenticate identity develops naturally in the human brain. When we want a computing device to learn to recognize users, different approaches are taken to develop this ability. Computers and other online or offline IT systems are required to recognize users for the sake of account and information security. These systems are mostly built to recognize their users on the basis of secret information the user provides while seeking access. This secret information can be a password, a code, a PIN or the answer to a security question.
Verification of user identity on the basis of something the user knows has been used for controlling access to information on IT systems for quite a while. However, it is not the only way users can authenticate their identity. Passwords, PINs and other information-based elements of authentication fall into the same factor of authentication. Let’s find out what other factors of authentication there are and what level of security they offer.
Factors of authentication
Before understanding the factors of authentication we should understand what authentication is and how it differs from identification. While the two terms are sometimes used interchangeably, identification and authentication are two different processes. Identification is the process of mapping a known piece of information to an unknown entity to make it known. For example, when biologists find a new plant or animal, they try to place it in their classification system. If its characteristics do not match any existing species, they create a new one and give their finding a name so it can be recognized later on. Authentication, on the other hand, is the process of establishing confidence in a claimed identity. It is the process of confirming the claim that an entity is what it says it is. For example, in many online services a password is checked against the user name to confirm the user’s identity.
Factors of authentication are simply categories created to group similar elements of identity authentication. Three such categories are commonly used.
The knowledge category consists of identity authentication elements based on something the user knows, for example: passwords, PINs, answers to security questions, etc.
The possession category consists of identity authentication elements based on ownership: something the user has, for example: keys, ID cards, access cards, identity documents, tokens, etc.
The inherence category consists of identity authentication elements based on what the user is. Users can authenticate with their inherent characteristics, for example: iris pattern, fingerprints, retinal pattern, voice, signature, DNA profile and other biometric characteristics.
Information systems have traditionally relied on knowledge-based authentication factors to authenticate identities for both online and offline access. Passwords have been used extensively and are still in use for account and information security. Even for high-security online access such as financial and banking services, military information systems and space station systems, passwords are still used for data security. This way of authenticating user identity worked well. It required no additional hardware or software: just a few lines of code and user account security is in place. But now things seem to be changing as more and more incidents of password-based data security breaches emerge.
Data security with passwords is losing relevance
According to Verizon’s Data Breach Investigation Report 2016, 63% of confirmed data breaches took place due to weak, default or stolen passwords. Since weak, default or stolen passwords account for a significant portion of information security incidents, passwords need to be strengthened. To discourage users from using weak or default passwords, password policies are implemented that define criteria for a minimum complexity of user passwords. A minimum number of characters along with at least one digit and one special character are among the criteria found in most password policies. This solves one problem but presents another: complex passwords are hard to remember and easy to forget. Users set default or weak passwords because they are easy to remember, but a weak password solves the problem of remembering it at the cost of compromising account security.
A user may have different IDs and passwords across a variety of devices, websites, applications, networks and online services. These different entities may impose different rules for minimum password complexity, which further complicates the situation. Some service providers also enforce a mandatory password change after a certain period, adding insult to injury. All this leads to password fatigue, a feeling of stress experienced by many users. This situation is also called identity chaos or password chaos. It not only causes stress among users but also leads them to use weak passwords, or the same password across different accounts, to avoid the stress caused by identity chaos.
Biometric authentication comes to the rescue
The shortcomings of passwords can cause extensive damage to data and sensitive business information. Data breaches not only affect business operations but also have long-term effects on business growth and brand reputation. Information security incidents expose an organization’s inability to address risks and implement measures for information security, and they erode the trust of business clients as well as end users. Implementing a complex password policy in a corporate environment is not an easy job. Helpdesk calls to reset passwords consume a significant amount of time and hamper productivity, and they require additional manpower at the IT helpdesk. The increasing number of data security incidents shows that traditional means of data security are no longer adequate. Fortunately, there is an authentication method able to save the day: authentication with user biometrics.
Certain anatomical and behavioral characteristics of a person that can be measured with statistical, mathematical and computing methods are called biometric characteristics or biometric identifiers, for example fingerprints, iris patterns, vascular patterns, voice patterns, etc. Since biometric authentication recognizes a user on the basis of his or her inherent characteristics, these traits are near impossible to counterfeit, steal or share with someone else. Biometric traits of a person are considered unique and are not repeated in anyone else. These patterns are not even repeated in identical twins, nor are they repeated within the same person: each finger of a person’s hand has its own unique fingerprint pattern. Implementing biometrics in place of password-based authentication can overcome the inadequacies of passwords. Biometric traits of a person cannot be stolen or forged, making them an invincible method of data security.
Biometrics + Single Sign On: recipe for secure authentication
These days, many corporations offer several related but independent services. These services can be configured to leverage single sign-on (SSO) to enhance user experience and security at the same time. SSO is an access control approach in which a user has to present his or her credential only once to log in; the user can then switch seamlessly to other related services without providing identity credentials again for as long as the session lasts. This approach dramatically improves user experience and saves the considerable time and effort of providing credentials every time a user switches to another service. When single sign-on is implemented using biometrics, it becomes the most user-friendly and secure method of authentication. Biometrics with single sign-on not only mitigates the risk of password-related data security incidents, it also eliminates the need to remember even a single password.
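As an added example (not code from the original article), the following Python sketch shows the single sign-on flow described above: an identity provider mints one signed session assertion after a single credential check (here a fingerprint match), and two independent services accept that assertion without re-prompting until it expires or is altered. The shared HMAC key, the claim names and the `issue_session`/`verify_session` functions are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by the identity provider (IdP) and the
# relying services. A real deployment would have services verify an
# asymmetric signature instead of holding the IdP's signing key.
IDP_KEY = b"constructed-demo-key-not-for-production"
SESSION_TTL = 3600  # seconds a single sign-on session stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user: str, authenticated_with: str, now: float) -> str:
    """IdP step: after the user presented a credential once, mint a signed
    session assertion that every related service will accept."""
    claims = {"sub": user, "amr": authenticated_with,
              "iat": int(now), "exp": int(now) + SESSION_TTL}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_session(token: str, now: float):
    """Relying-service step: accept the assertion without asking for
    credentials again; return None for tampered or expired tokens."""
    try:
        payload, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(tag), expected):
        return None  # signature mismatch: payload was altered or forged
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        return None  # session lifetime is over; user must authenticate again
    return claims["sub"]


def demo():
    t0 = 1_700_000_000.0
    token = issue_session("alice", "fingerprint", t0)
    # Attacker pastes alice's signature onto a payload claiming another user.
    forged = issue_session("mallory", "password", t0).split(".")[0] + "." + token.split(".")[1]
    return (verify_session(token, t0 + 60),           # mail service, 1 minute later
            verify_session(token, t0 + 1800),         # HR portal, 30 minutes later
            verify_session(forged, t0),               # tampered payload is rejected
            verify_session(token, t0 + SESSION_TTL))  # expired session is rejected
```

Running `demo()` returns `("alice", "alice", None, None)`: the one credential check carries the user into both services, while an altered assertion or an expired one forces a fresh authentication.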
A seamless log-in experience results in user delight, and password fatigue is taken out of the equation. Time wasted on repeated password attempts and password reset requests can be claimed back with a biometric single sign-on implementation. Biometric single sign-on also reduces cost by eliminating the password policy and password reset calls.
As Verizon’s Data Breach Investigation Report 2016 suggests that weak and stolen passwords are the reason for a large portion of data security incidents, there is a need to overhaul data security based on the knowledge factor. Many complex passwords are hard to remember, and using the same password everywhere is again a potentially insecure practice. Implementing biometrics with single sign-on not only overcomes the inadequacies of passwords; it also improves user experience. The initial investment required by a biometric single sign-on implementation is recovered in the form of reduced helpdesk cost, due to the elimination of password reset calls, and money saved by avoiding data security incidents.