Biometrics is exploding in popularity as a security tool with research indicating that 81 percent of consumers consider biometrics a more secure method of identity verification than traditional methods. Illustrating the embrace of this technology is the global biometric authentication and identification market which, according to Global Market Data, is set to hit nearly $90 million by 2029, growing at a 14.6 percent annual rate.
So, how can – and should – managed service providers (MSPs) incorporate biometrics into their client security packages?
Choosing the right biometric security
Cache Merrill, CEO and founder of software development company Zibtek, says the first task is to determine which type of biometrics is best for you. He explains that there are two types of biometrics in use: physical and behavioral. Physical biometrics relies on fingerprints, facial features, or irises for identification. In contrast, behavioral biometrics examines user actions, such as keystrokes or mouse movements, to detect deviations.
“These two methods combined form the basis of a multi-layered security that prevents unauthorized access,” Merrill explains. Biometrics can be a more secure alternative to the perils of a password-based authentication system. He adds, “Regrettably, passwords tend to be the weakest defense against hacking attempts; however, organizations can use either biometric or behavioral information to strengthen the restrictions against unauthorized entries.”
Behavioral biometrics is a great choice because it relies not just on a matching iris or fingerprint but on actions, which are more difficult to mimic. “Behavioral biometrics not only authenticates users, it also manages their activities by tracking their recent actions,” Merrill says. He continues, “Whenever ‘unusual’ activities occur, for example, accessing confidential data from new devices not linked to the account, the feature triggers further verification processes, thereby reducing the risk of account takeovers or fraudulent activities.”
Biometrics also improves the user experience. “While it is true that most emphasis goes to the security features, usability should not be an afterthought,” Merrill shares. “Whether it is MSPs using it for security or end users, if it is too cumbersome, it won’t be used. Leveraging fingerprint scans or facial recognition for biometric authentication is a better approach. It allows authorized users to gain access quickly and without unnecessary hassle. The security level and ease of use can accommodate the desired level of user acceptance.”
Integrating biometrics as part of a holistic security offering
Other cybersecurity experts echo Merrill’s praise of biometrics as an MSP security tool.
Jason Casey, CEO of Beyond Identity, also thinks biometrics can be of great value to MSPs as part of a holistic approach. “When properly deployed as part of phishing-resistant authentication, biometrics can significantly improve the user experience and reduce the attack surface from vectors including social engineering, brute force, and credential stuffing,” Casey states. One benefit, he adds, is that, unlike more traditional methods where someone can “forget a password,” someone can’t “forget their iris” or “forget their fingerprint.” “It’s just there,” he says.
“This makes them simple for the user experience,” Casey explains. He adds that, from a security perspective, biometrics cannot be shared or transferred between users like passwords or security keys. This provides strong assurance that the user is who they claim to be.
But biometrics is not a phishing cure-all.
“It is important to note that biometrics cannot alone deliver phishing-resistance. Additionally, there is significant privacy risk for organizations to manage biometric authentication in-house,” Casey says.
Combining biometrics and hardware-backed credentials for stronger security
Casey recommends that a deployment of phishing-resistant authentication provide two strong factors for multi-factor authentication (MFA): “something you are” and “something you own.” For instance, biometrics cover the “are,” and hardware-backed, device-bound credentials cover the “owned.”
“To achieve this, we recommend device-bound public key credentials in which the private key is created and never synced out of the hardware component of the device,” Casey notes. He adds that the biometric validation happens locally on the device. Biometric information remains local and doesn’t get transmitted or stored in your cloud or the authentication service’s cloud.
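A minimal sketch of the flow Casey describes, added here as an illustration and not taken from Beyond Identity or any product: the biometric match only unlocks a private key that stays on the device, and the server verifies a signature over its own challenge. The class names, the `.example` origins and the origin check are assumptions of this example, and a software key pair stands in for the hardware component.

```javascript
const nodeCrypto = require('node:crypto');
// Device side (hypothetical): a software stand-in for a hardware-backed authenticator.
class DeviceAuthenticator {
  #privateKey; // private field: nothing outside this class can read the key
  constructor() {
    const pair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.#privateKey = pair.privateKey;
    this.publicKeyPem = pair.publicKey.export({ type: 'spki', format: 'pem' });
  }
  // biometricMatched is the local sensor's yes/no result; no biometric data enters the message.
  sign(challenge, origin, biometricMatched) {
    if (!biometricMatched) return null; // key stays locked
    const payload = Buffer.from(JSON.stringify({ challenge, origin }));
    return { origin, signature: nodeCrypto.sign('sha256', payload, this.#privateKey).toString('base64') };
  }
}
// Server side (hypothetical): holds only the public key registered at enrollment.
class RelyingParty {
  constructor(origin, publicKeyPem) {
    this.origin = origin;
    this.publicKeyPem = publicKeyPem;
    this.pending = new Set(); // challenges issued and not yet used
  }
  newChallenge() {
    const challenge = nodeCrypto.randomBytes(32).toString('base64');
    this.pending.add(challenge);
    return challenge;
  }
  verify(challenge, assertion) {
    if (!this.pending.delete(challenge) || !assertion) return false; // unknown/replayed, or no signature
    if (assertion.origin !== this.origin) return false; // signed for a different site
    const payload = Buffer.from(JSON.stringify({ challenge, origin: assertion.origin }));
    return nodeCrypto.verify('sha256', payload, this.publicKeyPem, Buffer.from(assertion.signature, 'base64'));
  }
}
// Constructed scenarios: origins are made-up values under the reserved .example TLD.
function demo() {
  const device = new DeviceAuthenticator();
  const rp = new RelyingParty('https://portal.example', device.publicKeyPem);
  const c1 = rp.newChallenge();
  const good = device.sign(c1, rp.origin, true);
  const c2 = rp.newChallenge(), c3 = rp.newChallenge();
  return {
    genuine: rp.verify(c1, good),
    replayed: rp.verify(c1, good),
    lookalikeOrigin: rp.verify(c2, device.sign(c2, 'https://portal-login.example', true)),
    biometricFailed: rp.verify(c3, device.sign(c3, rp.origin, false)),
  };
}
```

Only the first scenario is accepted: the server never receives biometric data or a reusable secret, and a signature bound to another origin or to an already-used challenge fails verification.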
As biometrics continues to reshape security practices, MSPs have a unique opportunity to enhance their service offerings. By integrating biometric and behavioral authentication into their security frameworks, they can provide more robust protection for their clients. By embracing this technology, MSPs not only strengthen their clients’ defenses against increasingly sophisticated cyber threats but also position themselves as leaders in a rapidly evolving cybersecurity landscape.