top of page

Moving on from Passwords: Biometrics and Multi-factor Authentication

It’s time to move on from passwords. We can do better, and companies in regulated industries really must. The good news is, now it’s not only possible, but with biometrics, it’s easier than you might think.

How do you know it is time to move on from nearly anything? Here are a few clues:

When the risks of sticking with it are higher than the risks of changing.When the outside pressure to change is intense with a valid reason.When the current situation generates non-value-added effort.

For most pharmaceutical and biotech companies, passwords raise all of these clues. Every error and password re-set creates risk and added pressure, concerns for regulators, and lost time for everyone involved. So it’s time to move on.

Passwords Fail Regulators’ Requests

For the past 10 years, companies have worked to comply with the FDA’s 21CFR Part 11. This is the regulation about electronic signatures and electronic records. There are two main aspects that point away from passwords.

Authenticated users. Electronic signatures “must be unique to the individual - not reusable by or reassignable to anyone else.” This is also called user authentication, and the more secure this process is the better.

Passwords fail: They have proven easy to reuse or share either intentionally or unintentionally.Non-repudiation. “Persons who use closed systems …[for] electronic records shall …ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include …Limiting access to authorized individuals. … Ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.”

Passwords fail: If a password is written down, recorded, told to or transmitted in any way to another person, these clauses are not met. Someone else could access the system, and the data could be challenged or repudiated as not authentic.

Biometrics to Comply

Biometrics are inherently unique to an individual, so people cannot easily share and cannot possibly share or lose them as they might passwords, tokens or cards. The FDA lists biometrics as the first option for electronic signatures. (The alternative is multi-factor combinations such as password and additional identifier.)

A biometrically-authenticated user can simply log into computer systems in a way that is secure and electronically sign within applications. This speaks to the other component regulators seek, non-repudiable data. There can be no argument or repudiation that the person who entered the data did so him or herself, and they can vouch for the data.

We Can with Biometrics

Using biometrics is the streamlined and secure way to comply with both user authentication and non-repudiation requirements. Many people now happily use biometrics to access their personal mobile devices. This widespread use in smartphones and tablets has helped to make this technology widely available, reliable and cost-effective.

While biometrics is becoming commonplace with consumer electronics, it has yet to come of age for businesses.  Industries are at the beginning of adopting biometrics, but it’s been slow to progress. Biometrics is requires a shift in mentality for employees to move  from “what they know” to “who they are.” This shift brings concerns and questions about privacy. Adoption is still hampered because of the fears of sharing biometrics.

Intuitively, it stands to reason that biometrics should make tasks easier for the person being positively identified. You want those who work in labs, production, quality, maintenance, and other operational jobs to focus on the task at hand. Stopping to authorize or e-sign actions becomes cumbersome and represents an operational and compliance risk. There are some barriers for traditional biometrics - places that have labour agreements on privacy and/or anywhere that utilizes personal protection equipment (PPE) will hamper usage of biometrics. Protective eyewear or facegear prevent retina scanning or facial recognition from working properly, and wearing gloves also restricts the practicality of fingerprints.

Biometrics makes Multi-factor Authentication a secure reality

Multi-factor authentication is two or more independent credentials: what the user knows (password), what the user has (security token) and what the user is (biometric verification). The goal is to make it more difficult for an unauthorized person to gain access to anything they are not supposed to be in. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.

Multi-factor authentication helps to protect access to all of a company’s systems and intellectual property (IP). This is crucial to fight today’s cyber-hacking, counterfeiting, and hyper-competitive global markets. In 2018, the pharmaceutical industry was the most targeted by hackers, according to Health IT Security.

Moving On

With such high stakes and so much pressure, it is time to move on from passwords. Many companies are in the process of adding a layer of software and biometric sensing devices to make multi-factor a reality. The users find it convenient, and with the Nymi approach, the user authentication happens once and stays on consistently while the band is on the user. User biometrics never leave the band and cannot be accessed, maintaining the individual’s privacy.

Once you migrate from passwords to biometrics, no one will want to go back. The authenticated users, IT team, regulators, and company leaders will all find it feels like progress. It’s time to move on from passwords to biometrics.


bottom of page