Biometrics is not enough: Salesforce exec on enterprise MFA and digital identity


In recent years, multi-factor authentication (MFA) has spread across the world, entering every industry and reaching thousands of users. Many of us use the technology several times a day to access our work or social media sites.

Cloud-based software giant Salesforce has been one of the companies following the trend, making MFA a mandatory requirement for its customers two years ago. But MFA, including methods that rely on biometrics, still faces challenges – from shifting regulations to the dangers of deepfakes.

Biometric Update sat down with Salesforce’s Principal Security Advisor Ivan Djordjevic to talk about the company’s MFA strategy, biometrics and digital identity.

Salesforce turned to MFA for good reasons: A vast majority of identity-related incidents in the cloud are based on misuse from the consumer side, meaning that people were not looking after their credentials, Djordjevic says.

“We know that username and password isn’t really a secure method, especially if you want to protect some valuable data,” he says. “Using MFA is a really, really strong protection for a large number of threats.”

Customers can choose to use their existing single sign-on (SSO) platform with any MFA provider that can integrate through standards such as FIDO2 and WebAuthn or SAML and OpenID Connect. Salesforce also offers an ecosystem of partners that build solutions on its AppExchange cloud marketplace for specific use cases.

Among more than 7,000 AppExchange apps are those from Onfido, Shufti Pro, Okta, Yoti, Signicat and other identity verification firms. Salesforce Ventures, the venture capital arm of Salesforce, has even invested in some of these firms, including Onfido and Auth0.

Cybercriminals, however, have come up with more sophisticated attacks on MFA, as witnessed during a January SIM swap attack on the U.S. Securities and Exchange Commission’s Twitter account. In October, top U.S. cybersecurity agencies urged digital identity and access management (IAM) developers and vendors to strengthen MFA against increasing attacks. In the wake of these events, companies such as Microsoft have been making more effort to speed up sluggish MFA adoption, in the tech giant’s case among its Entra customers.

Some experts have been urging a switch to more secure MFA methods, including biometrics. But this technology is not a silver bullet, Djordjevic cautions.

Laws such as the upcoming European Union AI Act plan to set up rigorous rules around biometric data. This is why having MFA systems that can protect biometrics is important, he adds.

“Going back to things like WebAuthn and FIDO standards which preserve biometrics on the device, from that perspective is good because you limit the exposure of biometrics,” says Djordjevic (Salesforce is a sponsor level member of the FIDO Alliance). “The problem with biometrics is that you cannot revoke them like you can change a password […] If you have something like cryptographic keys, a public private key you can revoke certificates.”

Another of these challenges is deepfakes. Regardless of how biometrics are handled, whether they are kept on the device or on the server, the question is whether deepfakes can interfere with the process of authenticating and identifying a person.

The technology has exploded over the past several years and it now feels like facial recognition and voice recognition vendors are playing a game of catch-up, adds Djordjevic.

“Clearly, deepfakes are getting better and better in trying to trick the system,” he says. “It’s a difficult space.”

Biometric and multi-factor authentication remains an important component for security, but it is just a component. A more holistic approach is required because no one single control is sufficient, says Djordjevic: “That’s probably the main kind of mindset.”

Salesforce has also been offering its Salesforce Identity tool to enterprise customers. The company sees digital identity as a key component of digital services and it is fully integrated into its business processes such as sales, service and marketing user journeys, according to Djordjevic.
