Bio-whatrics? In the Identity Market, Biometrics Solutions are Gaining Traction, but With Too Narrow a Focus

Sep 17, 2024 9:46:36 AM

I recently had the opportunity to attend Identity Week in Washington, D.C. While this is a smaller conference compared to RSA Conference or Black Hat, some of the conversations were just as powerful and much more focused on the identity market. I was at first encouraged by the large focus on biometrics at the conference, but quickly discouraged upon seeing the limited use cases many of the vendors were promoting.

Biometrics has the potential to make identities more secure while improving ease of access for users. Smartphone companies have caught on to this, and most major cell phones now allow unlocking with a fingerprint or even facial recognition. But one of the challenges, of course, is capturing those biometrics, securely storing a representation of them in digital format, then accurately comparing the biometrics on file to a user. So, I was very happy to see a large number of biometrics vendors at the conference featuring their capture and storage technologies. Unfortunately, many of these vendors seem unsure what to do with the biometrics once they’ve been captured.

The most common question I asked these vendors was, “What can I do with these biometrics after I’ve captured them?” In most cases, the response was focused on background checks or similar verification of identity, such as employee onboarding requirements for human resources. But that seems to be where most of these vendors stopped – no integration with identity access management, identity governance, or access control technologies. While there were several vendors present offering identity governance, none of these vendors seemed to have strong integration with any of the biometrics capture technologies.

Imagine an employee onboarding experience that goes something like this:

  • A new employee utilizes a kiosk to scan his or her onboarding documents, such as driver’s license and passport.
  • The kiosk then captures the employee’s biometrics, including a photo of the employee and the employee’s fingerprints or palm prints.
  • Utilizing optical character recognition, the kiosk identifies the employee’s name and personal information, then prompts the employee to review and verify.
  • After the employee reviews and verifies the information is accurate, the employee submits the onboarding package through a single button push at the kiosk.
  • The kiosk utilizes the employee’s information to retrieve the background check information, as well as compare fingerprints to national databases, if necessary.
  • Once the background check is complete and the employee’s identity is verified, the kiosk creates the employee’s HR records, as well as the network login.
  • A smart card badge prints and the employee is prompted to enter his or her PIN.
  • The smart card badge is provided to the employee, as well as a record of the employee’s new login account, which is disabled by default. This information is then sent to the IT department to assign permissions to the new account and enable it.
  • The smart card and any needed biometrics information are also sent to the physical security department, so that the proper physical access control permissions can be implemented.
  • All of this information is tied directly to the login account of the new employee, so when HR indicates that they have left the organization, the employee’s login account and physical access are automatically disabled at the same time.
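
As an added illustration (not from the original post or any vendor's product), the lifecycle above can be modeled as one identity record shared by HR, IT and physical security: the login account is created disabled, and a single HR separation event revokes logical and physical access together. All class, method and field names here are hypothetical.

```python
# Added illustration; class, method and field names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Identity:
    employee_id: str
    name: str
    employed: bool = True
    account_enabled: bool = False  # login account is created disabled
    permissions: set = field(default_factory=set)
    badge_doors: set = field(default_factory=set)

class IdentityDirectory:
    """One record per person, shared by HR, IT and physical security."""

    def __init__(self):
        self.people = {}
        self.audit = []  # (actor, action, employee_id)

    def kiosk_onboard(self, emp_id, name, background_check_passed):
        # No HR record or login exists until identity is verified.
        if not background_check_passed:
            self.audit.append(("kiosk", "rejected", emp_id))
            raise PermissionError("identity not verified")
        self.people[emp_id] = Identity(emp_id, name)
        self.audit.append(("kiosk", "created_disabled_account", emp_id))

    def _active(self, emp_id):
        person = self.people[emp_id]
        if not person.employed:
            raise PermissionError("separated employee cannot be granted access")
        return person

    def it_enable(self, emp_id, permissions):
        person = self._active(emp_id)
        person.permissions, person.account_enabled = set(permissions), True
        self.audit.append(("it", "enabled_account", emp_id))

    def physec_grant(self, emp_id, doors):
        self._active(emp_id).badge_doors = set(doors)
        self.audit.append(("physec", "granted_doors", emp_id))

    def hr_separate(self, emp_id):
        # One HR event revokes logical and physical access together.
        person = self.people[emp_id]
        person.employed = person.account_enabled = False
        person.permissions.clear()
        person.badge_doors.clear()
        self.audit.append(("hr", "disabled_logical_and_physical", emp_id))
```

Because every grant goes through the same record, a request to re-issue door access to a separated employee fails instead of silently succeeding in a separate badge system.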

With biometrics and identity governance technology currently available, all of this should be possible. As an industry, though, we seem very siloed and unable to expand the scope of what our solutions can do, even if it’s through third-party integrations. Instead of developing smooth integrations for easy onboarding, we put the bulk of the work on the new employee, requiring them to fill out multiple forms with duplicate information and visit multiple departments, and then employees perform duplicate work entering this same information into multiple, separate systems. While it’s great that these duties are separated, the usage of an integrated system should be the true goal of any identity governance efforts through the total management of an employee identity’s complete lifecycle.

I’m very encouraged by the advances being made in the realm of biometrics, identity access management, access control, and identity governance. Now, it’s time to bring it all together and operate as a single, unified system for enterprise identity governance.

Written by Ken Buckler

Kenneth Buckler, CASP, is a research director of information security/risk and compliance management for Enterprise Management Associates, a leading industry analyst and consulting firm that provides deep insight across the full spectrum of IT and data management technologies. Before EMA, he supported a Federal agency’s Enterprise Visibility program, providing security insights and compliance trending for the agency’s national network of computers and devices. He has also served in technical hands-on roles across multiple agencies in the Federal cyber security space and has published three Cyber Security books. Ken holds multiple technical certifications, including CompTIA’s Advanced Security Practitioner (CASP) certification.
