Biometric Tokenization Puts Password Woes behind Us

As technology progresses toward the Internet of Things, so too must cyber security. Enter biometric tokenization.

George Avetisov

Catastrophic data breaches are affecting large enterprises at an alarming rate. When an organization is hacked, information including usernames, passwords and email addresses, as well as personally identifiable information (PII)—like a person’s date of birth—is all at risk. Breaches like these affect millions of users and are becoming increasingly widespread.

As technology progresses toward the Internet of Things (IoT) era, so too must our cyber security. PINs and passwords were traditionally the verification methods of choice for everything from mobile banking to online shopping accounts, but they are easily compromised. Also, the burden of creating and remembering multiple complex passwords has more unintended consequences than its intended result of a safer online experience.

To resolve the dangerous failings of traditional PIN numbers and passwords, companies should adopt biometric tokenization, a marriage of two familiar technologies implemented in a novel way. Biometric tokenization combines public key cryptography and biometrics, enabling enterprises to turn any mobile device into a secure authenticator. By breaking a longstanding rule that increasing security typically reduces usability, biometric tokenization allows users to securely replace passwords with a combination of strong encryption and biometric authentication.

Biometric tokenization, when deployed correctly, empowers companies to integrate a fully biometric and flexible multimodal authentication experience. Enterprises can finally offer employees and customer-facing applications the ability to authenticate with voice, face, touch, eye and palm recognition. How often do solutions in today’s crowded security marketplace offer ironclad security, a pristine user experience, as well as flexibility for both application provider and user?

Verifying identity and transactions on the device, in a wholly decentralized protocol, ensures that a user’s biometric data never leaves their personal device. Rather, the user’s correct biometric signature generates a token that grants entry to various online services. Picture tokens as really strong passwords that change every time you log in and are only accessible to you. Tokenization is already in use on the chips that were added to most new debit cards. When the card is swiped, the chip sends a unique token that represents the card number and changes every time, so it becomes much more difficult for a hacker to steal the card’s actual information.

Biometric tokenization takes a similar approach, with users’ biometric information never actually leaving their own devices. A token, even if intercepted in transit, is usable only once and contains only the information required to perform a function already authorized by the user. In essence, a stolen token is useless to a malicious hacker.
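To make the token mechanism described above concrete, here is an added example in Go (not code from this article or from any vendor's product) of a minimal challenge-response version of the scheme: the phone holds a key pair whose private half is unlocked by a local biometric match (simulated here by a boolean, since no sensor is involved), the server holds only the public key and a random single-use challenge, and the token that crosses the network is a signature over the challenge plus the authorized action. The `Device`, `Server` and `Token` names, and the `nonce|action` message layout, are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Token is all that leaves the device: nonce, authorized action, signature. No biometric data.
type Token struct{ Nonce, Action string; Sig []byte }
// Device models the phone: a key pair made at enrollment whose private half is
// only usable after a local biometric match (simulated by a bool, no sensor).
type Device struct{ Pub ed25519.PublicKey; priv ed25519.PrivateKey }
func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{pub, priv}, err
}
// Sign mints a token for one action, but only if the biometric check passed.
func (d *Device) Sign(nonce, action string, biometricOK bool) (*Token, error) {
	if !biometricOK {
		return nil, errors.New("biometric mismatch: key stays locked")
	}
	return &Token{nonce, action, ed25519.Sign(d.priv, []byte(nonce+"|"+action))}, nil
}
// Server stores public keys only, plus the nonces it issued and not yet consumed.
type Server struct{ pub map[string]ed25519.PublicKey; open map[string]bool }
func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string]bool{}} }
func (s *Server) Enroll(user string, pk ed25519.PublicKey) { s.pub[user] = pk }
// Challenge issues a fresh random nonce that will be honoured at most once.
func (s *Server) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	n := hex.EncodeToString(b)
	s.open[n] = true
	return n
}
// Verify consumes the nonce first, so a replayed token fails even if its signature is valid.
func (s *Server) Verify(user string, t *Token) error {
	if !s.open[t.Nonce] {
		return errors.New("unknown or already used token")
	}
	delete(s.open, t.Nonce)
	pk, ok := s.pub[user]
	if !ok || !ed25519.Verify(pk, []byte(t.Nonce+"|"+t.Action), t.Sig) {
		return errors.New("signature does not match enrolled key")
	}
	return nil
}
```

Because the nonce is deleted before the signature is checked, a captured token cannot be replayed, and because the action is under the signature, it cannot be redirected to a different operation without the device's key.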

Decentralization of encrypted biometric data is the key differentiator from yesterday’s password-based security systems. Decentralization is designed to prevent the creation of a single repository of sensitive data that, when stockpiled in, for example, a bank’s central server, becomes a juicy target for hackers. Decentralized biometric tokenization also uses end-to-end encryption to safeguard data in transit and eliminate the risk of hacking, enabling companies—from small businesses to Fortune 500 enterprises—to scale decentralized biometric security across millions of users.

With 2 billion people carrying a biometric device, biometric tokenization offers enterprises an easily deployable authentication solution. Advances in mobile devices and security features, such as Touch ID and Windows Hello, create a pristine user experience that can be used for everything from biometric banking to biometric smart cars. Rapid adoption of technologies like selfie pay demonstrates that there is a pressing need to secure users’ biometric data, and this responsibility falls on service providers such as financial institutions and retailers.

Consumers want the convenience of biometrics for login, payment and anything else an enterprise-deployed app can do, but whether these convenience features are in fact secure sits lower on most consumers’ list of priorities. Enterprises responding to that demand by offering this experience should ensure that biometric data stays with the user, given the security and privacy that are at risk after a data breach. Because biometrics, unlike passwords, cannot be revoked, enterprises should look at securing them now, since their adoption for convenience’s sake alone is taking off rapidly.