With over 80 percent of data breaches resulting from compromised passwords, biometric authentication systems emerge as a solution to avoid multimillion-dollar losses, hefty fines and burdensome management of multiple complex passwords. ImageWare’s David Harding discusses.
Passwords don’t work anymore; in fact, they never have. The first record of a password being used was in 413 BC. The Greek army used memorized secrets for identity confirmation and access to private information; however, this initiative failed. The compromised passwords were one of the reasons the Greeks were slaughtered at the Battle of Syracuse. Over 2,000 years later, humankind still uses the same flawed technique to protect themselves.
The biggest misconception with data security is the notion of how hacks happen. We have a Hollywood-driven idea that hackers are extremely computer-savvy individuals in dark rooms using state-of-the-art technology to access information by penetrating through firewalls and other cybersecurity defenses. The actual process is much simpler: All an attacker needs to do is compromise a password. It could be anything from a sticky note with the password written down, a data breach at another company exposing previously used login credentials, passwords being shared by multiple users, and so on.
According to the 2017 Verizon Data Breach Investigation Report, over 81 percent of data breaches resulted from stolen or compromised passwords. So, why hasn’t this ancient practice evolved to a more secure, unbreachable method? Well, now it has.
Biometric identity authentication is the evolution away from passwords. The process relies on analyzing unique biometric data to identify and authenticate the user. This solution is far superior to passwords, as the user does not need to remember or protect a unique set of characters and numbers; the user is the password.
Companies are embracing biometric authentication systems for two main reasons:
As stated previously, over 80 percent of breaches happen due to a compromised password, and these breaches are expensive. In 2018, the average cost for an organization that has suffered a data breach was $7.91 million. The loss column is not filled only with dollar signs; high-level jobs have been lost as well. Some noteworthy examples are former Target CEO, Gregg Steinhafel; former Sony Pictures CEO, Amy Pascal; and former Utah Department of Technology Services CIO, Stephen Fletcher – all were forced to resign after their systems were hacked. As illustrated, data breaches have evolved from being an IT problem to an executive boardroom discussion.
The requirements for passwords have increased in an attempt to strengthen them. However, it is impossible to remember dozens of complex passwords that require upper- and lower-case characters, numbers, symbols, inspiring messages and hieroglyphs. Biometrics simplify this process tremendously by using a person’s very own traits as their password. Additionally, biometrics might be a corporations’ helping hand against strict legislation.
In the United States, very little legislation regulating cybersecurity and data breaches exist in comparison to Europe. GDPR’s new set of rules puts the burden of data and privacy protection on the companies collecting the data. Big companies are already being sued and potentially fined. Most recent cases include Marriott and British Airways, with potential fines of $123 million and $230 million respectively. In both cases, the penalties are due to poor handling of customers’ data.
In the U.S., the most notorious case has been Equifax’s data breach, which exposed extremely sensitive information of over 15 million people, including knowledge-based authentication questions (such as what street you grew up on or the name of your kindergarten teacher). One of the defenses hackers went through to complete this breach was, not surprisingly, an easy-to-guess password. Equifax’s data breach illustrates why biometrics have not been implemented more widely: Companies think they will never be the next victim. It is like texting and driving: we know the risks and hear of fatal crashes, but some still choose to do it. Since the pain has not been felt directly, the consequences seem foreign.
The additional expense of a biometric authentication system, coupled with the perceived complexity of deploying such a solution (many solutions are turnkey and implemented in a matter of minutes), might feel like too big of an investment since most companies believe breaches will never happen to them. However, with 49 percent of businesses suffering data breaches in 2016 and the potential of GDPR’s hefty fines, biometrics is moving from a nice-to-have system to an essential security pillar of every company.