A digital security point of view for the digital business era

Biometrics combined with Single Sign On solves Password Management challenges

29 Dec 2017

Biometrics combined with Single Sign On solves Password Management challenges

Password proliferation among all kinds of users is a standard problem now. How many passwords do we have and how many of us have them all listed in a strategic place like on the inside back page of our daybook? Maybe even on a post-it note somewhere in the vicinity of our desks? But more seriously, just how much is our own productivity affected by forced password changes and resets and just how much time is the IT department spending on the management of password resets and user lock-outs?

What about those critical passwords that protect access to the servers themselves, the so-called “admin” passwords used to stop, start and administer the servers and data storage systems from where everything is served up to us?

There are all kinds of statistics about the number of passwords; the most popular/obvious ones, strong/weak ones, the need to regularly change them, naming policies and so on. For example, the average consumer uses 25 or more sites that rely on passwords. The average internal employee has 5-10 systems that they need password access to. Employees struggle to remember passwords given all of the rules and hence often end up writing them down and leaving themselves open to compromise.

Dedicated campaigns are run by cybercriminals to hack user accounts on public sites and the resulting data is often traded by criminals on the dark web. An attacker who succeeds in reconstructing a user’s password is likely to then try it on other popular sites and apps. So it isn’t safe to use the same password, or simple variations, everywhere.

Companies looking for ways to keep their users secure should know one thing, a top Google security executive said, Passwords are dead”. Heather Adkins, Google’s manager of information security, said that in the future, the game is over for anyone that relies on passwords as its chief method to secure users and their data”.

Our passwords are failing us,” said Michael Barrett, PayPal’s Chief Security Officer.

According to the Verizon 2017 Data Breach Investigation Report, roughly 81% of all data breaches were enabled by stolen and/or weak passwords and 25% of breaches involved internal actors.

Much analysis of the human-generated password has been made and the research all points to humans not being very good at creating and using “strong” passwords and that randomly generated passwords go a long way towards increasing password strength.

There is however a trend to try to provide a solution to this growing problem.

This can take the form of self-service password reset, enterprise single sign-on/sign-off, privileged access management, and even biometric sign-on. We are perhaps starting to see the latter in the mobile channel as the ideal tool to “sign us on” to our phones and tablets and if this trend continues, we will be seeing far more Apps taking advantage of the biometric sensors in our mobile devices.

Taking a look at the provision of IT services in the banking industry, there are often a multitude of systems that a typical user may need to access in a given working day. The use of SSO, whereby a user has one password which signs them in to all of the systems they need to access, can go a very long way towards increasing productivity, reducing the time and cost of credential management and promoting a pro-active approach to identity governance. Some of the more sophisticated SSO systems work on the basis of a challenge-response where users may need to generate a one-time password (OTP) or provide another token (e.g. smart card) before access is granted.

At the same time however, SSO does present a level of risk and the possibility to gain the “keys to the kingdom” is real. Whilst simplifying things massively for both end-users and the IT department, it does mean that if that single password is compromised in some way, then a potential attacker can get to all of the applications that the user would normally be able to access. It means that the single password is now even more important than ever before and additional safeguards should be considered to maintain the required integrity of that password.

Two-factor authentication or 2FA is the first step where the user provides a second token and 3FA goes a stage further where the user needs to also provide their biometric data. 2FA and 3FA need appropriate integration with the SSO.

3FA is where some of the biggest advances can be made in improving identity governance. In the banking sector where there are so many different types of critical transactions that should only be approved by specifically authorised persons, the addition of a biometric factor can really start to change the game in terms of compliance, segregation of responsibilities and improvements in operational process.

Hitachi works widely in the banking sector and our VeinID biometric tools can work seamlessly with SSO systems to help banks and financial organisations to optimise identity compliance. From the logon process through to individual transaction controls such as authorising payments, executing trades and confirming settlements, VeinID tools ensure that credentials cannot be shared and opportunistic attempts to steal or hack passwords are prevented. As a privacy compliant technology, with the biometric data residing inside the body and unable to be captured without the consent of the individual, VeinID meets all of the needs of the evolving data protection landscape including GDPR.

To talk to us about how our world-class biometric systems and ID management software can simplify identity compliance in your organisation, please contact us at