2015 has been an impressive year for biometrics in terms of both deployments and compromises. We’ve seen massive shipments of devices with biometric authenticators like fingerprint sensors, as well as massive compromises like the one at the US Government Office of Personnel Management that highlight the security problem of server-side biometrics.
While Apple has certainly made a big push with Touch ID, other players such as Samsung have quickly followed suit and included fingerprint biometrics on their devices. 2015 not only showed that fingerprint biometrics is here to stay; it also showed that other forms of biometrics, namely facial recognition and iris, are starting to arrive in the mainstream.
As we see dramatic growth in the inclusion of various forms of biometric technology on computing devices, it is time for enterprises to examine more carefully, and then execute, the right way to deploy biometrics to their user base.
Unlike the government space, where biometrics is used on the server side for things like border control, using server-side biometrics in the commercial market is going to face challenges around privacy, cost, and user acceptance of sending personal biometric information to a remote server.
Implementing server-side biometrics also does not mitigate the risk of server-side attacks, which compromise users at scale along with their personal biometric information. Additionally, using biometrics as a password vault or passport application does not eliminate passwords flying around the Internet, so it treats the symptom without curing the disease.
Using a standards-based approach to biometrics, such as the one the FIDO Alliance is pursuing, represents an “open” way to deploy biometrics to online services and their users at scale.
2016 should be another strong year, with accelerating interest in biometrics. While the market is getting comfortable and users are accepting biometrics as an “unlock” mechanism for their devices, more should happen. The industry is at an optimal inflection point to exploit that shift in user behavior and to address the business pain of increasing attacks on its assets, caused by the continued reliance on usernames and passwords.