Global connectivity has made it possible to use services offered anywhere in the world. The world-wide connectivity laid down by the internet empowers consumers and businesses alike; the millions of instantaneous transactions performed every hour would not be possible without it. In this digitally supercharged world, one of the things that keeps these transactions secure is authentication. Whether it is a food forum for discussing recipes or the approval of a financial transaction, authentication is what ties each action to an accountable identity. Long ago, even before the invention of paper, transactions were authenticated mostly by physical presence. Later, as civilization advanced, it became clear that physical presence was not possible everywhere.
As time went on, people invented other methods of authentication: documents, seals, tokens, possessions, secret questions and so on. Where the person doing the authenticating could not be, these methods stood in for physical presence. Some of these practices, such as documents and secret questions, are still in use; however, they quickly lose their value in the digital world of the internet, where a copy of a document or the answer to a secret question is as good as the original.
Although the terms are sometimes used interchangeably, identification and authentication are two different things. Identification is the act of claiming an identity, by a person or a thing; authentication is the process of confirming that claim. For example, when creating an online account you enter data such as your name, date of birth and gender, claiming it to be yours; this is identification. Afterwards, every time you log in to that account, you confirm, or authenticate, that identity. In another example, obtaining a driving licence involves identification: you provide personal details. When a traffic police officer later checks the licence against the person in front of them after a traffic violation, that is authentication.
Factors of authentication
Factors of authentication are the categories of evidence that can be used to perform authentication. Means of authentication fall into three factors: the knowledge factor, the ownership (possession) factor and the inherence factor. Each category consists of means that can be used to verify a person's identity before he or she is given access to a resource or facility. The categories matter because the strength of a scheme depends on how many distinct factors it uses, not on how many pieces of evidence it collects.
Knowledge factor
This category of authentication factors consists of elements based on knowledge. Users authenticate with something they know, for example PINs, passwords and security questions.
Ownership factor
This category of authentication factors consists of elements based on ownership or possession. Users authenticate with something they possess, for example ID cards, identity documents, keys, tokens and access cards.
Inherence factor
This category of authentication factors consists of elements based on inherence. Users authenticate with their inherent characteristics, for example fingerprints, iris patterns, retinal patterns, signature, voice, DNA profile and other biometric characteristics.
Application of authentication factors
Authentication is the process of confirming a user's identity. When the facility or resource is located on an information system, this confirmation is done electronically, for example by entering a password to access an email account. Access to a resource can be made conditional on one authentication factor or on several.
Single factor authentication
When a single element from any one authentication factor is used to confirm a user's identity, it is called single-factor authentication; for example, a password alone confirms ownership of a user ID. This is the weakest level of authentication. Sharing the password, intentionally or not, compromises the account, and an unauthorized user can also attempt access by trying commonly used passwords or passwords leaked from other sites. When a password is the only factor, a minimum password length and complexity is usually enforced, and checking new passwords against lists of breached passwords helps as well.
Multi-factor authentication
When more than one method of authentication is employed, drawn from two or more distinct factors, it becomes multi-factor authentication. Two elements of the same factor, such as a password plus a security question, do not count. Multi-factor authentication offers an elevated level of security, as the user has to present evidence of his or her identity belonging to two or more different factors. It is implemented where security requirements are higher: facilities or services that involve hazardous substances, highly confidential information or financial transactions may employ it. An ATM withdrawal is a good example: the user has to provide something he possesses (ownership factor), the ATM card, and something he knows (knowledge factor), the PIN, to access his account and withdraw money.
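As an added example (not code from the original article), the following Python policy check encodes the rule above: it counts the distinct factor categories among the verified pieces of evidence, so that a password plus a security question is rejected as single-factor while card plus PIN passes. The authenticator names and the AUTHENTICATOR_FACTOR table are my own assumptions for the demonstration.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed classification of authenticator types into factor categories.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "atm_card": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "iris": Factor.INHERENCE,
}


@dataclass(frozen=True)
class Evidence:
    """One piece of evidence presented at login and the verifier's verdict on it."""
    authenticator: str
    verified: bool


def distinct_factors(evidence):
    """Factor categories covered by the evidence that actually verified."""
    factors = set()
    for e in evidence:
        if e.authenticator not in AUTHENTICATOR_FACTOR:
            raise ValueError(f"unknown authenticator: {e.authenticator}")
        if e.verified:
            factors.add(AUTHENTICATOR_FACTOR[e.authenticator])
    return factors


def is_multi_factor(evidence):
    """True only when verified evidence spans two or more distinct categories.
    Password + security question is still one factor (knowledge)."""
    return len(distinct_factors(evidence)) >= 2


def authorize(evidence, required_factors):
    """Access decision. Every presented authenticator must verify (a failed
    PIN next to a valid card is a denial, not a partial success), and the
    verified set must cover at least `required_factors` distinct categories."""
    if not evidence or not all(e.verified for e in evidence):
        return False
    return len(distinct_factors(evidence)) >= required_factors


if __name__ == "__main__":
    atm = [Evidence("atm_card", True), Evidence("pin", True)]
    web = [Evidence("password", True), Evidence("security_question", True)]
    print("ATM withdrawal is MFA:", is_multi_factor(atm))       # True
    print("password + question is MFA:", is_multi_factor(web))  # False
```

Failing any one presented authenticator denies the whole attempt; a verifier that lets a failed PIN through because the card was valid would silently degrade to single-factor.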
Common examples of authentication that we come across often:
- Showing or asking for a photo ID to confirm identity (e.g. presenting driving licence to a traffic police officer).
- Logging into a computer, email and social media accounts.
- Unlocking phones or computers with PINs, passwords or biometrics (e.g. fingerprints).
- Withdrawing money from an ATM.
Despite the authentication methods in place, data breaches keep making headlines. Weebly's 2016 breach, for example, left 43 million credentials stolen, and Verizon suffered a customer data breach in the same year. These threats are not limited to any industry, domain or organization; they affect everybody, from individuals to organizations of all shapes and sizes. Only staying a step ahead can save people and organizations from the losses a breach brings. Multi-factor authentication that includes a biometric factor can be a shield against such attacks: a stolen password list is of little use to an attacker who also has to pass a biometric check.
Enterprise level multi-factor authentication with biometrics
Multi-factor authentication, or MFA, requires more than one means of authentication and dramatically improves the level of security compared with single-factor authentication. This elevated level of security does shield resources and facilities, but cyber criminals are always in search of new ways to defeat it. Cloning of ATM cards shows how MFA can still fall short: the possession factor is duplicated and the PIN is captured by a skimmer, leaving nothing the attacker lacks. The problem lies in the choice of factors. What a user possesses can be lost, duplicated or stolen; what a user knows can be shared or guessed; what a user is or does is bound to the person. Choosing biometrics as one of the factors in multi-factor authentication therefore addresses the shortcomings of the other means, provided the biometric is captured by a trusted sensor that checks for liveness, since a biometric trait is not secret (fingerprints are left on surfaces, faces are photographed) and cannot be replaced if its template is stolen.
Layered defense against unauthorized access
When the inherence factor, i.e. biometrics, is mandatory in a multi-factor scheme, security improves considerably. Being bound to the person and free of the shortcomings of the other factors, the biometric becomes the chief line of defence against unauthorized physical or logical access. Even if an unauthorized user manages to compromise the layers based on the other factors, imitating a fingerprint or iris pattern requires a physical artefact presented at the sensor, which a liveness check is designed to reject and which cannot be done remotely at scale the way a stolen password can be replayed.
With biometric MFA, PINs and passwords stop being the credential that everything depends on. User biometrics such as fingerprints and iris patterns can be used wherever a PIN or password was required for physical or logical access, which removes the need to remember different PINs or passwords or to carry an authentication device. Eliminating the password as the everyday credential also removes the costs of a password-based system: time lost in failed password entries, password resets and the security questions used to reset them. A fallback for when the sensor or the trait is unavailable (an injured finger, a failed reader) still has to exist, and it must be as strong as the primary path. Once a user is enrolled with his or her biometrics, levels of access are defined the same way as in a password-based system.
When a user authenticates with biometrics plus a personal secret (a PIN or password), the fresh reading is matched against the enrolled template bound to the user's biometric certificate, and on a match a key bound to that user is released. This key can then be used for automatic user identification, authentication and encrypted communication. The certificate can be used for digital signatures, which have legal value comparable to handwritten signatures in many countries, and as an electronic seal confirming that a document was issued by the certificate's owner.
Biometric data should not itself serve as an encryption key or as the private key in a PKI (Public Key Infrastructure). A reading differs slightly every time it is taken, so it cannot be used directly as key material, and the trait itself is neither secret nor revocable. What works is to bind a conventional random private key to the biometric: either the biometric match, performed on a trusted device, unlocks a private key stored in secure hardware, or a fuzzy extractor or fuzzy commitment scheme reproduces a stable key from a noisy reading using public helper data stored at enrollment. In both cases the PKI private key is an ordinary key and the biometric controls access to it; the biometric identifiers can still be bound to the user's digital certificate for certificate-based authentication.
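The page does not say how its "biometric digital key" is built. The standard construction for binding a key to a noisy reading is the fuzzy commitment scheme (Juels and Wattenberg, 1999), shown here as an added example in Python that is my own, not code from the page or any vendor product. It assumes a fixed-length binary template (as a real iris code would give), uses a toy repetition code and a 32-bit key so the mechanics stay visible, and mixes the user's PIN into the derived key as the passage above describes. The templates are constructed stand-ins, not biometric data.

```python
import hashlib
import random
import secrets
from dataclasses import dataclass

# Toy parameters, chosen so the mechanics are visible: a 160-bit binary
# template protected by a rate-1/5 repetition code, which corrects up to
# 2 bit errors in every 5-bit block. A deployment would use a BCH/LDPC code
# tuned to the sensor's error rate and a key of 128 bits or more.
KEY_BITS = 32
REP = 5
TEMPLATE_BITS = KEY_BITS * REP


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def encode(key_bits):
    """Repetition code: each key bit is written REP times."""
    return [b for b in key_bits for _ in range(REP)]


def decode(noisy_codeword):
    """Majority vote inside every REP-bit block."""
    return [1 if 2 * sum(noisy_codeword[i:i + REP]) > REP else 0
            for i in range(0, TEMPLATE_BITS, REP)]


def derive_key(key_bits, pin):
    """Final key mixes the recovered code bits with the user's PIN, so helper
    data plus a stolen template still does not yield the key without the PIN."""
    return hashlib.sha256(b"fuzzy-commitment-key" + pin.encode() + bytes(key_bits)).digest()


@dataclass(frozen=True)
class HelperData:
    """Public data stored at enrollment: template XOR codeword, which on its
    own reveals neither the template nor the key, plus a hash of the key so a
    failed reproduction can be detected."""
    commitment: list
    key_check: bytes


def enroll(template, pin):
    """Bind a fresh random key to the template; returns (key, helper data)."""
    key_bits = [secrets.randbits(1) for _ in range(KEY_BITS)]
    commitment = xor(template, encode(key_bits))
    key = derive_key(key_bits, pin)
    return key, HelperData(commitment, hashlib.sha256(b"check" + key).digest())


def reproduce(reading, pin, helper):
    """Recover the key from a new reading that differs by a few bits.
    Returns None if the reading is too far from the enrolled template
    or the PIN is wrong."""
    noisy_codeword = xor(reading, helper.commitment)
    key = derive_key(decode(noisy_codeword), pin)
    if not secrets.compare_digest(hashlib.sha256(b"check" + key).digest(), helper.key_check):
        return None
    return key


def sample_template(seed):
    """Constructed stand-in for a quantised biometric template (not real data)."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]


def flip(template, positions):
    """Simulate sensor noise by flipping the given bit positions."""
    out = list(template)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    enrolled = sample_template(seed=1)
    key, helper = enroll(enrolled, pin="4821")
    # Two flipped bits in one block: within the code's capacity, same key.
    print(reproduce(flip(enrolled, [0, 1]), "4821", helper) == key)  # True
    # Three flipped bits in one block exceed it: no key.
    print(reproduce(flip(enrolled, [0, 1, 2]), "4821", helper))      # None
    # Wrong PIN, or someone else's template: no key.
    print(reproduce(enrolled, "0000", helper))                       # None
```

The helper data can be stored alongside the user's certificate record, but it is not harmless: it leaks information about the template bounded by the template's entropy, and anyone holding it can try candidate keys offline against key_check, which is why the key must be long and why mixing in the PIN matters. Failure is reported as None rather than an exception so the caller can count attempts and lock the account.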
Most logical access control relies on credentials such as user names, passwords or PINs, and in some organizations the same is true of physical access control. Credentials are the keys to everything in an organization; a leak of sensitive information or an attack on resources can bring a business to its knees. When an organization grows large and spreads across multiple locations, managing credentials becomes time-intensive, and the time taken to re-issue credentials hampers productivity. Biometrics used as credentials avoid most of the trouble associated with managing traditional credentials such as user IDs, passwords and PINs: there is nothing to forget, reset or re-issue.
The credential management system itself must be protected at least as strongly as the biometric MFA it issues. If an attacker gains access to it, he can enroll himself as a user with every privilege, or replace a legitimate user's template with his own, which is far worse than a one-time data breach. Enrollment is therefore the step that deserves the most scrutiny: identity should be verified in person or against a trusted document before a template is stored, enrollment and template changes should require an administrator authenticated with MFA and be logged, and templates should be stored in protected form.
In today's connected world, an organization's ability to control access to its network can be crucial to the sustainability of the business. User ID and password based network authentication is how resources, servers included, have traditionally identified users and devices on the network. It served its purpose until the internet grew large, complex and insecure. Now, with malicious login attempts a constant background noise, traditional network authentication can no longer be considered reliable: anyone with a valid login ID and password can get in, because the network knows its users only by something they know and not by something they are. That "something users are" factor is what MFA with biometrics adds.
Firewalls can keep outside threats out, but when an insider poses the threat, the network is hard to protect. Adding the inherent factor to network authentication ensures that even if the other factors are compromised, a stolen or shared credential cannot be used by anyone but its owner. It does not, on its own, stop a legitimate user from abusing his own access; for that, least-privilege access rights and logging of what each authenticated user does are still needed.
Passwords had their time. They looked and felt fine in the 90s, when there were only a few PCs and fewer online services, and nobody imagined there would one day be such a thing as password fatigue. With every new service that goes online comes another password to remember: different email accounts, e-commerce accounts, social networks, forums, banks, financial websites, payment cards, ATM PINs and more, all of which strain memory and push users towards reusing the same password everywhere, so that one breached site exposes the rest.
Single sign-on with biometric MFA can be the answer to the frustration caused by too many passwords. With single sign-on, one biometric scan gives the user a session that is accepted by all the related but independent services. It saves the time wasted in repeated password attempts and reduces IT cost by lowering the number of help-desk password reset calls. Because the single sign-on login now guards every service behind it, it is also the login that most needs to be multi-factor.
Auditing and logging
Audits can be a scary thing, especially when performed by a government regulator and the required controls are not in place. Regulatory requirements differ significantly: the US Health Insurance Portability and Accountability Act (HIPAA) demands confidentiality of patient information, while the Payment Card Industry Data Security Standard (PCI DSS) demands security of payment card information. What auditors across all regulations are particularly interested in, however, is access control and authentication. The level of access control and authentication most regulators require can be met by multi-factor authentication that mandatorily includes a biometric method. Audit trails and logs of biometrically authenticated events are also strong evidence of what took place on an information system, since each entry is tied to a person rather than to a shareable credential; that evidence is only as good as the log's integrity, so the log must be append-only and protected from the users whose actions it records.
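What makes a log "strong proof" is that nobody, including an administrator, can quietly edit or delete entries. The following added Python example (mine, not from the page) records each authentication event together with the factor categories that verified it and chains the entries with an HMAC, so any edit or deletion in the middle of the trail is detectable. The MAC key and the event lines are constructed for the demonstration; in a deployment the key would live with a separate log host or HSM, not on the system whose events are logged.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # chain anchor for the first entry


@dataclass
class AuditLog:
    """Append-only, hash-chained audit trail of authentication events.

    Each entry's MAC covers the previous entry's MAC, so editing or deleting
    any entry breaks every link after it. The MAC key must be held outside the
    reach of whoever can write the log (assumed: a separate log host or HSM)."""
    mac_key: bytes
    entries: list = field(default_factory=list)

    def _mac(self, prev_mac, record):
        payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self.mac_key, payload, hashlib.sha256).hexdigest()

    def append(self, ts, user, factors, result):
        """Record one authentication attempt and which factor categories verified."""
        record = {"ts": ts, "user": user, "factors": sorted(factors), "result": result}
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        self.entries.append({**record, "mac": self._mac(prev, record)})

    def verify(self):
        """Index of the first entry whose chain link fails, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            record = {k: v for k, v in entry.items() if k != "mac"}
            if not hmac.compare_digest(entry["mac"], self._mac(prev, record)):
                return i
            prev = entry["mac"]
        return -1


def demo_log():
    """Constructed sample events (not real log data)."""
    log = AuditLog(mac_key=b"constructed-demo-key-keep-off-the-logging-host")
    log.append("2016-10-20T10:00:00Z", "alice", ["possession", "inherence"], "success")
    log.append("2016-10-20T10:01:00Z", "bob", ["knowledge"], "failure")
    log.append("2016-10-20T10:02:00Z", "alice", ["knowledge", "inherence"], "success")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("intact:", log.verify())        # -1
    log.entries[1]["result"] = "success"  # an insider rewrites history
    print("tampered at:", log.verify())   # 1
```

A chain like this catches edits and deletions inside the trail but not truncation at the tail, since the remaining prefix is still a valid chain; the usual fix is to periodically copy the latest MAC to a place the log writer cannot reach, so an auditor can tell that entries after that point existed.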
Security for kiosks
Kiosks serve a number of business applications nowadays. They not only improve a business's presence but also expedite services that would otherwise be time-consuming and keep an employee occupied. Retail, banking, coupon dispensing and self-service are some of the areas kiosks have taken over, and self-service kiosks are gradually outnumbering customer service desks. Check-in kiosks are making a real difference at airports. To check in at a self-service kiosk, a passenger usually needs a booking reference, a frequent flyer number, or a credit card or passport for identification. This is where MFA with biometrics can further improve the passenger experience and speed up check-in, provided the passenger's biometric was enrolled and linked to an identity document beforehand. Multi-factor biometric authentication can ensure security as well, not only at airport check-in kiosks but at every customer-facing front. Biometric identification offers a viable solution for quick and secure customer identification and authentication. Forgetting an ID card can mean a missed flight, a scenario that biometrics can avoid.
Traditionally, kiosks have used cards to identify customers, but that is changing. Modern kiosks come equipped with biometric capture devices such as fingerprint scanners, iris scanners, palm vein scanners and facial recognition systems, and with enough processing power to match the captured data quickly. Biometrics is on its way to changing how we pass through login screens.
Multi-factor authentication that mandatorily includes the user's inherent factor answers most authentication challenges. Biometric authentication methods remove passwords from everyday use, along with the time wasted in failed password attempts and reset procedures. Biometric certificates can further automate user authentication, with the biometric match unlocking a private key in a public key infrastructure. Network authentication and credential management systems protected by biometric MFA are considerably harder for an unauthorized user to access: passwords and PINs can be guessed or stolen, while defeating multi-factor biometrics requires physical presence at a sensor and a presentation attack that liveness detection is designed to catch. Single sign-on with biometric MFA is better than a password at every service login; it removes passwords and improves the user experience. Authentication and access control are always in the auditors' focus, especially in regulated industries, and multi-factor biometric authentication can demonstrate its strength to auditors and keep processes compliant.