The Case for Multimodal Biometric Authentication in the Enterprise

Identity verification has always been a cornerstone of enterprise security. Businesses must be able to create identities for each of their employees, and determine the extent of access granted to those identities across physical and digital assets. They also need to authenticate the identity of users each time they attempt to access an information system to verify who is behind that request.

There are trends around how we work that are driving change around how employees authenticate. A Gallup poll tells us that 43 percent of Americans spend time working remotely, and they’re also doing it more often.

Historically, personnel have used usernames as digital identities and passwords as verification tokens. This was “good enough” for some time, but hackers developed myriad tactics to pilfer these credentials. A report from Google estimates there are two billion stolen usernames and associated passwords on the dark web. It’s a vibrant market, with credentials available for sale to anyone who wants to use them for crime, which creates financial incentives for successful breaches.

Many businesses have attempted to make it more difficult for hackers to steal user’s identities by incorporating a second factor of authentication, using physical tokens such as USB dongles or RFID cards. It’s much harder to steal these physical tokens than it is to steal passwords. But they require possession and are fairly easy to lose, so are not terribly convenient.

The rise of the smart phone has them being used as tokens as an authentication factor. “Phone-as-a-token” is more convenient than traditional token approaches; another Gallup poll tells us that over 81% of us are essentially inseparable from our devices, and so for most of us this means that there’s not an extra device to have to carry and care for. Our phones can be used in an “out-of-band” authentication, where upon entering a username on a PC, a message is sent to the corresponding user’s phone, prompting some sort of action. But as with other tokens, our phones can be lost or stolen, and so incorporating an additional authentication factor is attractive to help prevent the device from being used for authentication by anyone other than their owner.

Enter biometrics

Pairing smart phones with biometrics is a way to use them for extremely secure multifactor authentication. Smartphones are powerful computing devices, and so they can used for biometric authentication. They also have cameras, microphones, and keyboards that can be used for collecting biometric samples without relying on the native biometric sensors and software a device may have, which vary between devices and offer no external control over performance or user experience.

While passwords are secrets that can be stolen or phished, and smartphones can be stolen or lost, biometrics are different. They are “inherent” identity factors that are physically part of who we are, and so they are convenient as authentication factors; it can hardly be easier to assert our identity than by use something that we inherently are.

Biometrics are also secure. They aren’t just secret text strings like passwords, they are detailed physical characteristics that must be physically presented upon authentication, and so they can’t just be “stolen”; to be used by a fraudster, they must be also be recreated, or “spoofed”. That’s not to say that spoofing isn’t a concern, because it is definitely a way that determined fraudsters can defeat biometric security mechanisms. Spoofing is a particular concern for facial recognition, given that the biometric data of potential fraud victims is so readily accessible on social media and elsewhere in the form of images and videos containing their facial images.

For this reason, biometric authentication using facial recognition requires more than just a comparison of the biometric features. Two effective enhancements that prevent spoofing are liveness detection and multimodal biometrics:

Liveness detection, also referred to as presentation attack detection (PAD) or spoof detection, comprises techniques that assess whether a biometric sample is taken from a live user. They may employed either passively (algorithms detect artifacts created by a non-live sample) and/or actively (e.g. the user is challenged to blink, move, or speak during a photo capture).

Multimodal biometrics is the use of more than one biometric modality simultaneously, such as face and voice together, which improves matching performance and makes spoofing much more difficult.

Benefits of multifactor authentication using multimodal biometrics and liveness detection for enterprise security

Biometrics are a powerful alternative to passwords for authentication, particularly when paired with a device in an out-of-band, phone-as-a-token multifactor authentication approach, and particularly for the remote worker. By requiring a physical presentation of a face, voice, fingerprint, typing sequence, or any other biometric, we can eliminate many of the most ominous and scalable attack vectors responsible for large-scale breaches. Nevertheless, we can make biometrics even more secure by adding features like liveness detection and multimodality without negatively impacting the user experience.

Liveness detection is a requirement for biometric authentication to ensure that digital biometric data (such as a Facebook photo) can’t be used for spoofing. Multimodal biometrics increase the amount of data that is analyzed, helping biometric matching engines make more accurate comparisons between live samples and the enrolled templates. Ideally, multiple samples can be collected without negatively impacting the user experience, such as by collecting them simultaneously. In the case of face and voice used in concert, the user’s facial image can be captured while speaking their passphrase.

Multimodal biometrics also make it exponentially more difficult for a fraudster to spoof, simply because by adding multiple modalities makes it harder to find and use all the biometric data that is needed to spoof the algorithm. Again using face and voice as an example, a fraudster may have a digital image of a potential victim, and maybe even a sample of their voice. But it is surely unlikely that they would have video of a person speaking their passphrase. Additionally, voice biometrics can be equipped with its own liveness detection measures. Digital recordings can be detected, and dynamic passphrases make it still more difficult to spoof.

No security mechanism is unbeatable for the determined fraudster, but multimodal biometrics with liveness detection make the ROI for an attack much harder to justify for most enterprises.

No one will miss passwords when biometrics become our primary means of authentication for the enterprise; particularly employees who will benefit from the convenience, and the security personnel responsible for protecting the company’s digital assets.