Unlike password-based methods, biometrics provides "strong authentication", by which someone cannot later repudiate having taken an action, Taule says. And depending on how the system is implemented, there's the potential to use biometrics to authenticate to a portal or access authority, which then affords access to other resources.
Biometrics, if done correctly, "can solve many problems with only using user [identification] and passwords," says Mary Chaney, senior team leader, Incident Response & Data Management, at financial services company GE Capital Americas.
"If you use a dynamic/behavioral biometric measure, like keystroke dynamics, you can gain the advantage of two-factor authentication," Chaney says. Using keystroke dynamics allows organizations to measure each person's keystroke dwell time (how long a key is held down) and flight time (the amount of time between keystrokes), Chaney says.
"In this scenario, just simply typing in your password will give you two-factor authentication," Chaney says. "In addition, keystroke dynamics are very accurate and not very intrusive for the user, which are two of the biggest challenges with using biometrics in any security program."
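The check described above can be illustrated in code. The following is an added example, not code from the article or from any product it mentions: it derives dwell and flight times from key press and release timestamps, builds a template from several enrollment typings, and accepts a login only when both the password and the typing rhythm match. It assumes flight time is measured from one key's release to the next key's press; the z-score distance, the 5 ms floor, the 2.0 threshold and all timings are constructed for illustration.

```python
from statistics import mean, stdev

def features(events):
    """events: list of (key, down_ms, up_ms) in typing order.
    Returns the dwell times followed by the flight times, in ms."""
    dwell = [up - down for _, down, up in events]
    # Assumption: flight = next key's press minus current key's release.
    flight = [nxt[1] - cur[2] for cur, nxt in zip(events, events[1:])]
    return dwell + flight

def enroll(samples):
    """Per-feature (mean, stdev) template from repeated typings of one password."""
    vectors = [features(s) for s in samples]
    return [(mean(col), stdev(col)) for col in zip(*vectors)]

def score(template, attempt, floor_ms=5.0):
    """Mean absolute z-score of an attempt against the template (lower = closer).
    floor_ms stops a very consistent typist from producing near-zero divisors."""
    vec = features(attempt)
    if len(vec) != len(template):
        raise ValueError("attempt length does not match the enrolled password")
    return mean(abs(v - m) / max(s, floor_ms) for v, (m, s) in zip(vec, template))

def verify(password_ok, template, attempt, threshold=2.0):
    """Both factors must pass: the correct password and the enrolled rhythm."""
    return password_ok and score(template, attempt) <= threshold

# Constructed sample data: three enrollment typings of a 4-key password.
ENROLLED = [
    [("p", 0, 95), ("a", 150, 240), ("s", 310, 395), ("s", 470, 560)],
    [("p", 0, 100), ("a", 160, 245), ("s", 320, 410), ("s", 480, 565)],
    [("p", 0, 90), ("a", 145, 235), ("s", 300, 390), ("s", 460, 545)],
]
TEMPLATE = enroll(ENROLLED)

# Constructed attempts: the enrolled user, and someone else typing the same password.
GENUINE = [("p", 0, 96), ("a", 152, 240), ("s", 312, 400), ("s", 472, 558)]
IMPOSTOR = [("p", 0, 180), ("a", 400, 560), ("s", 900, 1050), ("s", 1300, 1460)]

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(TEMPLATE, attempt), 2), verify(True, TEMPLATE, attempt))
```

The threshold sets the trade-off between rejecting the legitimate user and accepting someone else, so a real deployment would tune it on its own enrollment data.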
Another huge benefit of using biometrics is that it's extremely hard to fake, Chaney says. "When measuring both [physiological and dynamic data], the information collected is unique for each individual and rarely changes over time," she says. "Once done correctly there is nothing more to do or even remember in some cases. Lost IDs or forgotten passwords may be rendered nonexistent."
Because personal data is extremely difficult to counterfeit, "biometric identifiers could be used to facilitate both physical access, for example, to certain parts of an enterprise complex, or virtual access [to] selected sites on a corporate intranet," says Windsor Holden, research director at Juniper Research.
"These log-ins can be linked directly to a specific action, meaning that if there is a security breach from within the organization, the person who is responsible can rapidly be identified," Holden says.
And biometrics can be used to incorporate bring-your-own-device (BYOD) into corporate security strategies, "as they link an individual to access via their personal mobile device," Most says.
On the negative side, two of the biggest drawbacks of biometrics over the years--high costs and privacy concerns--are still issues, according to experts.
"There are typically very large startup costs to getting the infrastructure in place to make use of biometrics," Taule says. "This is also true of second-factor physical tokens as well."
As for privacy, it remains a major concern "because you are collecting data not only about a person, but information that makes that person unique," Chaney says. "Many people inherently find this intrusive and a violation of their rights."
User acceptance "can be a significant challenge, especially if individuals are uncomfortable with the idea of biometrics and see the technology as privacy invasive," Most says. "This can create user resistance and intentional failure to acquire or authenticate via biometric readers/sensors."