More Employers Are Using Biometric Authentication

​Biometric authentication technology—including facial and voice recognition, and hand and iris scans—is now used in a majority of workplaces, according to a recent survey of IT professionals.

Spiceworks, a professional network for the IT industry, polled 492 IT professionals from North America and Europe in February 2018.

Sixty-two percent of the respondents' companies currently use biometrics for various security and business purposes such as employee access and data security, and an additional 24 percent plan to use it by 2020, the survey found.

[SHRM members-only online discussion platform: SHRM Connect]

Fingerprint scanners are the most common type of biometric authentication used on corporate devices, with 57 percent of organizations using them, followed by facial recognition (14 percent), hand geometry recognition (5 percent), iris scanning (3 percent), voice recognition (2 percent) and palm-vein recognition (2 percent).

"With fingerprint readers being built into [mobile devices], it should come as no big surprise that the most common place for biometric authentication in the workplace is on smartphones," said Peter Tsai, senior technology analyst at Spiceworks. "In fact, 46 percent of organizations are using biometric authentication tech on smartphones, which may be influenced by employees bringing their own mobile devices for work purposes."

Twenty-five percent of respondents reported using biometric authentication on laptops, 22 percent use it on tablets, and 17 percent use it on time clock systems to verify the identity of employees and prevent "buddy punching," a practice in which workers clock in for colleagues who are not present. Biometrics are also used for room access (20 percent) and for desktop computer logins (7 percent).

"With stories of computer hacking and data breaches making headlines, we're frequently reminded that passwords are far from a perfect way to secure sensitive accounts or data," Tsai said. "The use of default, weak or even nonexistent passwords is rampant."

Put simply, passwords are vulnerable, said Kevin Wheeler, founder and president of the Future of Talent Institute, a San Francisco-area think tank. "We're all very likely to jot down our passwords on a Post-It note and stick it in a drawer, where a determined person could find it and compromise the system. Companies are very concerned about losing proprietary information, and private communications getting out because of compromised security."

Tsai added that even when strong passwords are used, cybercriminals can find clever ways around them, especially if they're easily reset, reused on multiple sites or hit with an automated brute-force attack, which systematically generates a large number of consecutive guesses.

They're also expensive for companies to manage, according to Alex Simons, director of program management in Microsoft's identity division, in an interview with CNN. Simons said he spends over $2 million in help desk calls a month helping people change their passwords. In 2015, Microsoft introduced Windows Hello, which uses face scans or fingerprints to log in to Windows devices.

"To address password security concerns, many organizations have introduced additional layers of protection, such as two-factor authentication, which requires using another authentication method in addition to the standard username and password," Tsai said. "This second identification factor can come in many forms, including a PIN number; a passcode delivered over SMS; or some form of biometric input, such as a thumbprint scan."

Barriers to adopting biometric authentication in the workplace include the cost, reliability concerns, systems upgrade requirements, and worries about the storage and management of biometric data, according to the survey.

Security Concerns

Spiceworks also found that although most IT professionals believe biometric authentication is more secure than traditional text-based passwords, PINs and personal security questions, only 10 percent of respondents believe biometrics are secure enough to be used as the sole form of authentication.

That's because biometrics can be stolen. Over 5.6 million employees' fingerprints on file were compromised in the 2015 data breach at the Office of Personnel Management, leading some to wonder whether stolen fingerprints could be used to log in to devices.

A majority of survey respondents were especially concerned with the risks of false positives, compromised or replicated identifiers, and the lack of standards around biometrics.

"Many IT professionals aren't convinced biometrics can serve as a secure and reliable replacement for the standard username and password combo," Tsai said. "Unless technology vendors can address the security issues and privacy concerns associated with biometrics, the technology will likely be used side by side in the workplace with traditional passwords or as a secondary authentication factor for the foreseeable future."

Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.