What is Biometrics as a Service?
And why is it a preferred method to provide biometrics for multifactor authentication?
There’s been a lot of upheaval in recent weeks, and the existing trend of everything-as-a-service is shifting as we all adapt to the “new normal”. The service-based model is still here, though, and that upheaval doesn’t change the fact that most modern, future-focused software solutions are continuing their move to an as-a-service model. Businesses are now able to pick and choose which software solutions work for their unique use case, and build a technology stack that blends numerous providers. Each business has a technology stack as unique as a fingerprint, leveraging themes by vertical but ultimately applied in ways unique to their specific enterprise.
It may seem obvious that your business technology stack would be unique to your specific business, but less obvious is that you can customize each element of your security to a similar level of granularity.
One of the first steps to a secure enterprise environment is the simple act of logging in to a device, or logging into a business system.
NIST has been recommending 2FA (two-factor authentication) to end consumers for years, but for the enterprise, the bar for security is higher. MFA, or multifactor authentication, is a step above 2FA, and an essential layer of authentication needed for sensitive business data or high-stakes situations.
With MFA, it’s typically easiest to improve security by using biometrics as the complete authenticator; it’s convenient, and it’s two factors by default. The device capturing your biometric data is something you have, and the biometric data itself is something you are. The hard part becomes selecting a solution for deploying MFA. Which one has the best algorithm? Should you just use Windows Hello? How do you roll this out if your workforce is fully remote?
Being tied to a biometric algorithm drags down your business.
The premise behind offering biometrics as a service is that you shouldn’t have to pick just one biometric modality for your organization to successfully deploy MFA.
One of the core problems with traditional identity and access management providers is that you’re limited to the modalities for which they’ve developed their own algorithms. This sounds good on the surface; you want to work with a company that’s made its own algorithms and is, as a result, an expert with that algorithm, right?
The reality is that biometric algorithms are actually a dime a dozen. Someone is always coming out with a new one, or a better one, than the algorithm currently being used to generate templates of whichever modality you’ve chosen. In a year or two, that proprietary algorithm is likely to be eclipsed by the latest introduction from MIT.
The workaround is to not tie yourself to specific biometric algorithms.
In its simplest form, that’s what Biometrics as a Service offers. You get the flexibility of plugging in biometrics as a multifactor authentication method, and the future-proof options of using the best algorithms on the market.
New algorithm becomes available, and it’s more secure than anything else? Not a problem to swap it into your technology stack. Your cybersecurity can keep pace with innovation.
Why Biometrics as a Service?
Tie Identity to the Individual, Not the Device
While FIDO can be useful in consumer implementations, it’s limited by a significant logical flaw: it assumes that you always have your device on you. It makes your mobile device a proxy for you as an individual, which only works if you accept the premise that every person and every use case will be able to leverage a specific mobile phone for access.
What about when you have multiple users on a single workstation, such as call centers or hospital environments?
Or if your security policy requires that mobile devices not be allowed access to the corporate network, or corporate data?
Perhaps your office still allows users to bring personal cell phones into the work areas (we’re not all in a Batman movie, after all), but what about the server room? Or confidential meetings, either in person or digitally? Having an authentication method that’s authenticating people, not the devices they can’t bring with them, is a necessity.
Choice of Modality Based on Situation
When you select an identity and access management provider that built their reputation on a single modality, you’re effectively locking yourself into that modality and their ability to keep that algorithm competitively up to date.
The drawback with this approach is that you’re shackled to that algorithm, and that modality. So if, for example, your multifactor authentication only works with facial recognition and the lighting is bad, you’re out of luck! Or, worse, the workaround for environmental challenges is to hold your mobile phone at odd angles, and endure a barrage of flashes while it lights you up brightly enough for the sensor to work properly.
Requiring that level of diligence may make sense if you’re transferring a million dollars within your organization, but simply to log in to a device? Why not use voice recognition, or a palm scan, or fingerprint?
Biometrics as a Service means being able to set parameters around when each modality is required, and the ability to offer choice to users based on their situation or environment (something for which we’ve received a patent).
When you’re tied to a specific algorithm, you also become tied to all the related software that uses that algorithm to work. If you want to upgrade elements in your network but they aren’t compatible with the outdated algorithms you are still using, you end up stuck on both counts. That inability to update and upgrade software becomes a serious security risk over time.
Future Proof Your Algorithm Use
On one hand, the whole reason you choose a company whose expertise is a specific algorithm is precisely because you want to let them figure out how to keep that algorithm up to date. No IT team wants to have to become biometric algorithm experts, unless that’s their hobby, and even then, keeping up on algorithms is a full-time job. Analysts at large firms such as Gartner and Forrester do precisely that and nothing else; there’s a reason companies consult with them for guidance.
The reason Gartner and Forrester need to keep analysts on the payroll for monitoring biometric algorithm trends is because they shift so rapidly. The company with the best algorithm this year may be entirely eclipsed by a college grad or tenured researcher next year. Many researchers resell their algorithms, and companies who develop their own algorithms are in a constant arms race against each other for the next best iteration. Why engage in the arms race if you don’t have to? MIT’s research labs and similarly prestigious and brilliant organizations are coming out with new algorithms all the time. If you’re using biometrics as a service, the BaaS provider is focused simply on finding the best algorithms to use. A purpose-built biometric processing system that is entirely algorithm agnostic means you’re always using the best algorithms available for each modality.
How it Works
The core difference between BaaS and your run-of-the-mill MFA provider is that Biometrics as a Service operates through match-on-cloud, rather than match-on-device. This is an important distinction, tying back to why you’d leverage BaaS in the first place: it authenticates an individual, not a device.
If you’re already using Active Directory, you can install a simple plugin that replaces the username/password login with a biometric authentication method. For a remote workforce, this makes it easy for users to log in, and easy for IT to securely access remote machines at an administrative level. How this works is detailed in the second half of this article on enterprise security through user convenience.
If you’ve put a biometric authentication gate in front of admin rights on machines, this drastically reduces the risk from phishing and ransomware that seek to obtain username/password credentials in order to gain admin rights. Attacking a biometric algorithm is so much harder than simply brute-forcing poor password choices that most attackers just give up and move on.
Biometrics as a Service isn’t limited to just Active Directory implementations, but that use case is easily one of the fastest and simplest methods to improve your network security right now.
We’re happy to discuss your current setup, and see if Biometrics as a Service would make sense in your organization. Answer a few questions here, and our solutions team will reach out to walk through it with you.