Is a Combination of Authentication Methods the Right Approach?
It seems that we're always recovering from, or hearing about, the latest security breach or vulnerability. Remember the Target breach that affected 70 million customers and holiday shoppers in 2013? Then there was the massive Home Depot breach in 2014, which forced the company to undertake a "major payment security project to provide enhanced encryption of payment data at point of sale" in an effort to reassure affected customers.
The fallout from these breaches was systematically followed by the implementation of enhanced encryption techniques and a move to multi-factor authentication via EMV "Chip and PIN" technology.
One of the most powerful elements of EMV is the fact that it combines authentication methods to strengthen the security of a transaction. Passwords themselves have taken a beating as a standalone authentication method, with many organizations choosing to deploy second-factor or multi-factor authentication, and some choosing to forgo passwords altogether.
Biometrics are emerging as an answer to the "Password Problem", offering a unique credential that represents something the user "is" instead of something they "know" (which can be discovered and reused by a bad actor), but each method has its drawbacks. This article discusses the good and bad of each method, and argues that a secure transaction may well require multiple methods at once to be optimally secure.
This idea is a compelling one, especially if the combined solution can offer an elegantly simple end-user experience. Biometrics may be an ideal "enhancement" for authentication precisely because of what they are - something the user "is" (nothing to remember, receive, carry, or otherwise maintain). As we continue to discuss how to enhance security, the conversation will likely shift to the best combination of methods, rather than any single method, for security.