Apr 07 2026
Security

Biometric Authentication for the Enterprise: IAM, Passkeys and the Path to Passwordless

Enterprises are adopting biometric authentication for identity and access management to strengthen security, streamline logins, and reduce the risks associated with passwords and push-based systems.

Enterprises have long relied on multifactor authentication (MFA) that combines something users know, such as a password, with a second factor, including SMS codes, time-based one-time passwords or push notifications.

While these methods improve security compared with passwords alone, they remain vulnerable to phishing and social engineering: a real-time phishing proxy can relay a one-time code to the genuine site as soon as the user types it, and a push prompt can be approved by a user worn down by repeated requests, so the attacker ends up with both factors.

Biometric authentication introduces a different kind of factor, something the user is, by adding a fingerprint reader or face recognition to the authentication process.

When integrated with modern identity and access management (IAM) platforms and passkey-based authentication, biometrics can help enterprises move toward passwordless security.

Why Biometrics Are Becoming Core to Enterprise IAM Strategy

Corey Nachreiner, WatchGuard CSO/CISO, explains that biometrics tend to be relatively frictionless for users.

“While no single factor of authentication is perfect or ‘unhackable’, biometrics are strong factors that are harder to mimic,” he says. “They may not be as strong as hardware keys or digital certificates, but they are stronger factors of identity than any password.”

He says authentication is primarily about verifying identity, and sometimes that means continuous authentication.

“Since biometrics really are the unique human factors we can check to verify identity, they play a strong role in general zero-trust principles and authentication,” Nachreiner says.

Biometric-Unlocked Passkeys: Phishing-Resistant Workforce Authentication

Nachreiner explains that biometric-unlocked passkeys allow users to verify their identity quickly, without the risk of entering their credentials into a lookalike phishing site.

“When setting up a passkey, the device or token creates a set of encryption keys tied to the site they are enrolled with,” he says.

This extends the check from verifying the user to verifying the site: the browser only offers the passkey to the origin it was registered for, and the signed response includes that origin, so a credential created for the real site never produces a valid login on a lookalike domain. That binding is what makes passkeys phishing-resistant, rather than merely harder to phish.

Cristian Rodriguez, field CTO for the Americas at CrowdStrike, says that passkeys are cryptographically bound to legitimate domains: If an adversary tricks you into clicking a fake login page, the passkey simply won’t work there because it recognizes the domain is wrong.

“The credential can’t be stolen or reused elsewhere,” he says.

FIDO2 also covers the case where a phone acts as the authenticator for a login on a laptop or workstation. In that cross-device flow the phone must prove it is physically near the computer (the pairing runs over Bluetooth), so an attacker elsewhere cannot complete a login simply by getting a prompt onto the user’s phone.

“This prevents remote phishing attacks like MFA fatigue, where adversaries spam push notifications hoping users accidentally approve one,” Rodriguez says.

Physical and Logical Convergence: One Identity Fabric for Facilities and Apps

Frank Dickson, IDC group vice president for security and trust, says that while the concept of a unified identity fabric spanning physical and logical access is compelling, real implementation remains limited.

He notes that most organizations maintain separate ownership and technology stacks, with logical identity managed by cybersecurity (IAM, MFA, single sign-on) and physical access managed by facilities or corporate security (physical access control systems, badges).

“As a result, convergence typically occurs only through HR-driven provisioning, directory synchronization, or shared monitoring via SIEM, rather than unified policy control,” he says.

The main barrier is organizational structure and governance, not technology, making true cyber-physical identity convergence more aspirational than operational in most enterprises.

Retail and POS Biometrics: Faster Checkout, Stronger Fraud Prevention

Biometric technologies have been explored to speed checkout and reduce fraud by linking transactions directly to a verified individual rather than a card, PIN or password.

Approaches such as face recognition, fingerprint reading and palm scanning have been used to enable pay-by-biometric checkout, authenticate cashiers at registers, verify age-restricted purchases and connect shoppers to loyalty accounts.

“However, adoption has slowed after early experimentation from companies like Amazon and others,” Dickson says. “Retailers have found that consumer privacy concerns and deployment costs have limited advantages.”

He points out that fast, contactless payments and mobile wallets have proven to be user-friendly and less “spooky.”

“As a result, biometrics are increasingly focused on employee authentication, loss prevention and targeted identity verification,” Dickson says.

Privacy and Compliance Risks: Aligning With Regulatory Requirements

Jeramy Kopacko, associate field CISO at Sophos, says that organizations should consult their legal counsel to determine the applicability of local laws and regulations.

“Ideally, technological tools are employed that do not store sensitive biometric data that can directly identify individuals if compromised, but laws in different jurisdictions have specific limitations depending on location,” he says.

Many biometric systems store a derived template of a fingerprint or “faceprint” rather than the raw image, sometimes loosely described as a hash. A well-designed template is not meant to be reversible into a usable reproduction, so an attacker who obtains the stored data should not be able to use it to impersonate the person. In practice the strongest protection is to keep the template in a hardware-isolated store on the device and never transmit it; only the match result, not the biometric, is what unlocks the credential.

“This approach is preferred, but they should defer to legal counsel for final determinations,” Kopacko says.

Liveness Detection: Defending Against Presentation and Injection Attacks

Liveness detection serves to prevent the system from being tricked by a “presentation attack.”

This style of attack occurs when an adversary presents something like a printed photo, digital image, video, mask or artificially created fingerprint to the sensor. Injection attacks, by contrast, bypass the camera or sensor entirely and feed a synthetic or replayed signal into the capture pipeline, which is why liveness checks are best paired with capture hardware the system can trust. A successful liveness check verifies that the biometric signal comes from a live person who is present.

Active detection asks the individual attempting to authenticate to perform an action on demand, such as turning their head or blinking, so that a pre-recorded video or a static image cannot satisfy the request.

“Whereas passive detection performs analysis without additional user interaction,” Kopacko says. “Think of texture analysis of skin or depth-sensing technology.”

Evaluating Biometric Vendors: Key Criteria for Workforce and Customer Deployments

Rodriguez recommends starting with FIDO2 certification when evaluating biometric authentication, noting that’s the baseline for phishing resistance and interoperability.

“Make sure biometric data stays on the device, not in some centralized database that becomes a target,” he adds. “Check if it integrates with your existing security stack or just adds another silo.”

User experience is also critical; if it's clunky, organizations will be flooded with support tickets and pressure from users to disable it. From Rodriguez’s perspective, the best systems are invisible to users.

“Look for continuous authentication throughout the session, not just at login,” he says. “Modern solutions should adapt to threats in real time.”
