Exploring Biometrics and Trust at the Corporate Level

As the world continues to move essential functions to digital environments, companies need trustworthy methods for verifying who is behind the screen. Multifactor authentication (MFA) has become the standard for preventing cyberattacks, with the US National Cyber Security chief saying it could prevent 80% to 90% of attacks. MFA works by requiring multiple layers of authentication, such as one-time passwords (OTPs), physical hardware tokens, or soft tokens.

While these do a better job of securing access and data than traditional passwords, what are they really verifying? In the case of SMS-delivered OTPs, the system is verifying your access to a phone; with hardware tokens, it’s access to a physical card or device. But none of these require the actual person to confirm they are who they say they are. These methods rely on the assumption that the only person accessing these devices is their owner. Clearly, it’s a device, rather than a person, that is being verified. So what can organizations do to improve on traditional MFA methods and build trust with the people behind each digital interaction?

Some methods for MFA verification, including hardware tokens and SMS-based OTPs, have been widely adopted, but they present clear challenges for organizations. Phone-based options require access to a smartphone — not something everyone has and not something companies want out in all environments. Token-based systems are not much better; tokens can be lost, forgotten, or easily handed to another user. The clear solution is to have a biometric measurement that is entirely unique to the user as part of any MFA strategy. But not all biometric methods are created equal, and some still only establish trust at the device level.

Limitations of Device-Based Biometrics
Device-based biometrics, such as a fingerprint captured using the built-in sensor on a phone, PC, or dongle, are stored within the device that they are captured on. These systems offer a high level of convenience for the user, as well as strong security for personal use cases. However, device-based biometrics fall into the same trap as other MFA methods — it is still the device, and oftentimes an encrypted key, being verified, rather…