The traditional trade-off between authentication usability and security has finally ended. Who would have thought? For years we were taught to believe that when it comes to authentication there is a clear divide between the two – usability vs. security. If you were in search of strong authentication, it usually came at the cost of usability. As part of the authentication process, users were required to answer questions, receive one-time codes over text messages or email, or use hardware devices: a process full of roadblocks and frustration.
The shift to biometric authentication
Thanks to the introduction of device biometrics, all that has changed. Device biometrics are the biometric readers embedded in your phone, laptop, desktop and tablet. Whether it’s a fingerprint or face reader, they both work the same way – capturing your biometric profile and verifying it on the endpoint device.
Why is it more secure? For a number of reasons. For one, device manufacturers have managed to implement highly secure readers and trusted environments in their endpoint devices. FIDO has also contributed greatly by standardizing the way applications communicate with these devices, which spares us from having to examine every interface to understand whether it’s secure or not.
So what is it about biometrics that allows for a better user experience? Once again, device manufacturers are to thank for creating readers that are very easy to use. Whether you choose to scan your finger or your face, it’s an effortless, almost mindless experience (unlike in the early days, when finger acrobatics were required). It’s reliable, works in sub-optimal conditions, and frees users from having to type or remember any kind of information.
A new way forward with usable security
We’re on the fast track to a biometric digital experience. The technology is already here. With new devices shipping with highly secure and usable device biometrics, more and more organizations are realizing that this is the way forward. This is the way to end the long (and hated) trade-off between authentication security and usability. Soon we will live in a world where all authentication is achieved using biometrics. I can already see it. Based on the upward trend, it’s not hard to see.
Usable security. This is how we refer to this new era at Transmit Security. It’s no longer security vs. usability. It’s security and usability tied together. Device biometrics is usable security. This mindset has been the driving force behind our latest technology.
But (and there’s always a but) the balance between security and usability is now shifting to another front – the trade-off between usable security and ease of implementation. Let me explain what I mean by that. You could implement the biometric authentication interfaces in your applications yourself very quickly and have your customers start using biometrics overnight. But at the same time you would be breaking the concept of usable security, leaving you with a solution that’s neither easy to use nor secure.
Why is that? Because device biometrics and FIDO act as a binder between the biometrics, the application domain, the device and the browser. If any of these factors changes, you lose the ability to authenticate the user with device biometrics, and the user drops into registration mode. When your users replace a device, re-install an application or clear their browser data, each of these events disables the ability to authenticate with biometrics. And this happens far more often than you think.
Once users move into registration mode they lose everything that device biometrics has to offer. From a security perspective, you are now forced to rely on other means of authentication in order to re-register users and once again enable the use of biometrics. This could be any of a variety of older (less secure) methods, including username and password, one-time codes (OTPs), knowledge-based questions and more, which brings us right back to all the security vulnerabilities and challenges we faced before. And just like that, attackers can fall back to their familiar tactics to bypass the authentication session.
From a usability perspective, this is a nightmare. For example, I use four different devices (mobile, laptop, desktop and tablet) with multiple browsers across dozens of websites, which means that whenever I switch between devices or browsers I have to re-register my biometrics. This is the definition of a cumbersome, frustrating experience.
The good news is that, with the right planning process and the right technology, you can overcome this and minimize (maybe even eliminate) re-registrations. Ideally, a user would register once and that’s it. We call this identity portability. Whichever application, device or browser you choose to use, your biometrics travel with you. Enabling usable security everywhere, just as device biometrics do on a single device, is something we are very excited about. The combination of usable security and identity portability is the future of authentication.