Why More Factors Often Mean Less Security in Modern Authentication

By Mike Engle, September 11, 2025, 5 Mins Read

Authentication has always been the front door to digital systems, but most organizations still treat it like a commodity function, more like a lock from the local hardware store than a high-security system protecting sensitive enterprise assets. That’s why we often hear talk about “multi-factor authentication” (MFA) as though the phrase itself conveyed strength: if one factor is good, then two must be better, and three better still.

The truth is, more factors do not necessarily equal greater protection. To properly assess authentication controls, security professionals need to peel back the onion, examining not just how many factors a system uses, but how resistant each factor is to theft, spoofing, and modern attack techniques.

The Fallacy of Factor Counting

Factor counting grew out of necessity: passwords proved weak, so organizations layered on additional steps. In the pursuit of convenience, many chose the path of least resistance. SMS-based one-time passcodes, email verifications, and push notifications became the default second factors because they were easy to deploy and familiar to users.

The results have been predictable. SIM-swapping has become a cottage industry, push bombing exploits user psychology, and adversary-in-the-middle phishing kits now hijack entire sessions, even when MFA is in place. In many cases, the result is MFA window dressing: systems that check the compliance box while offering little resilience against real-world attacks.

Enter the NIST Framework

Fortunately, there is a better way to evaluate authentication strength. The National Institute of Standards and Technology (NIST) Special Publication 800-63B defines three Authenticator Assurance Levels (AALs) that map directly to risk:

  • AAL1: some assurance, a single factor like a password.
  • AAL2: high assurance, requiring two distinct factors and resistance to replay and man-in-the-middle attacks.
  • AAL3: very high assurance, requiring hardware-based cryptographic authenticators resistant to verifier impersonation.

By adopting the NIST vocabulary, we can move the conversation away from “Do we have MFA?” to “Does our system meet AAL2 or AAL3?” This reframing allows teams to evaluate authenticators against a clear, standards-based benchmark.

Why Biometrics Deserve a Closer Look

Biometrics, especially facial recognition, are often misunderstood. Dismissing them as a “single factor” overlooks how modern device-based systems combine biometrics with secure hardware to deliver accurate multi-factor authentication.

According to NIST: “When conducting authentication with a biometric, it is unnecessary to use two authenticators because the associated device serves as ‘something you have,’ while the biometric serves as ‘something you are.’” In other words, biometric login on a trusted device is inherently multi-factor.

An attacker would need both the enrolled face and the exact enrolled device to succeed, an inseparable pairing that meets the requirements of AAL2 and, in some cases, AAL3.

Liveness Detection vs. Spoofing

No authenticator is unbreakable. Biometric systems are only as good as their ability to resist spoofing, known as presentation attacks. Early systems could be tricked with photos; more advanced attackers now use high-resolution video replays or 3D masks.

This is where liveness detection comes in. Passive liveness detection—running invisibly in the background—has become the gold standard. It uses techniques like texture analysis, depth mapping, light reflection patterns, and blood-flow detection to confirm that a live person is present. Importantly, vendors can validate these claims against international standards such as ISO/IEC 30107-3.

CISOs should insist on independently certified liveness detection and presentation attack detection. Without it, “face login” is little more than a flimsy lock on a shiny door.

Addressing the “Stolen Face” Concern

A common objection to biometrics is the fear that once compromised, a face or fingerprint cannot be changed. While emotionally powerful, this concern reflects a misunderstanding of how modern biometric systems work.

High-assurance solutions don’t store images. Instead, they create mathematical templates: encrypted, one-way representations of facial features. These templates can live in secure enclaves on the user’s device or on a central server. They are non-reversible, vendor-specific, and can be reissued if necessary.

This design not only preserves privacy but also inverts the risk model. Breached passwords (or password hashes) are universally reusable secrets. A stolen biometric template, by contrast, is useless outside the system that generated it.

Aligning with the Passwordless Future

There’s good news. High-assurance authentication isn’t just a security upgrade; it aligns with the industry’s move toward passwordless login. The FIDO Alliance and technology giants like Apple, Google, and Microsoft are promoting passkeys, which use device-bound cryptographic keys unlocked by biometrics.
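The property that makes a device-bound passkey resistant to replay and to adversary-in-the-middle phishing is that the signature covers a fresh, single-use challenge together with the relying-party identity the browser derives from the page origin, not from the site's own script. The following Go program is an added illustration written for this article, not code from the author, 1Kosmos or the FIDO Alliance; it simplifies the WebAuthn signed layout to SHA-256(rpID) || challenge, and the host names `bank.example` and `bank-login.example` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assertion is what the authenticator hands back: the RP ID hash and the
// challenge it signed over, plus the signature.
type Assertion struct {
	RPIDHash  [32]byte
	Challenge []byte
	Signature []byte
}

// signedDigest is the one layout both sides must agree on. WebAuthn signs
// authenticatorData || SHA-256(clientDataJSON); this is a simplification of that.
func signedDigest(rpIDHash [32]byte, challenge []byte) []byte {
	h := sha256.New()
	h.Write(rpIDHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Authenticator models a device-bound key (think secure enclave) that a
// biometric unlocks. The browser, not the page's JavaScript, supplies the RP ID.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) Sign(browserRPID string, challenge []byte) (Assertion, error) {
	rpHash := sha256.Sum256([]byte(browserRPID))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(rpHash, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPIDHash: rpHash, Challenge: challenge, Signature: sig}, nil
}

// RelyingParty issues single-use challenges and verifies assertions against
// the public key registered at enrolment and its own RP ID.
type RelyingParty struct {
	ID          string
	pub         *ecdsa.PublicKey
	outstanding map[string]bool
}

func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.outstanding[string(c)] = true
	return c, nil
}

// Verify rejects an unknown or already-consumed challenge (replay) and a
// signature bound to any RP ID but its own (relay through a look-alike site).
func (rp *RelyingParty) Verify(a Assertion) (bool, string) {
	if !rp.outstanding[string(a.Challenge)] {
		return false, "challenge unknown or already consumed"
	}
	delete(rp.outstanding, string(a.Challenge))
	ownHash := sha256.Sum256([]byte(rp.ID))
	if a.RPIDHash != ownHash {
		return false, "assertion was produced for a different relying party"
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(ownHash, a.Challenge), a.Signature) {
		return false, "bad signature"
	}
	return true, "ok"
}

// Scenario runs a genuine login, a relay of a real challenge through a
// look-alike origin, and a replay of the genuine assertion.
func Scenario() (genuine, relayed, replayed bool, err error) {
	auth, err := NewAuthenticator()
	if err != nil {
		return
	}
	rp := &RelyingParty{ID: "bank.example", pub: &auth.priv.PublicKey, outstanding: map[string]bool{}}
	c1, err := rp.NewChallenge()
	if err != nil {
		return
	}
	a1, err := auth.Sign("bank.example", c1) // browser on the genuine origin
	if err != nil {
		return
	}
	genuine, _ = rp.Verify(a1)
	c2, err := rp.NewChallenge() // a phishing kit can fetch a real challenge...
	if err != nil {
		return
	}
	a2, err := auth.Sign("bank-login.example", c2) // ...but the browser binds the look-alike origin
	if err != nil {
		return
	}
	relayed, _ = rp.Verify(a2)
	replayed, _ = rp.Verify(a1) // c1 was consumed by the genuine login
	return
}

func main() {
	g, r, p, err := Scenario()
	fmt.Println("genuine:", g, "relayed:", r, "replayed:", p, "err:", err)
}
```

Real browsers go further than this model: a credential scoped to `bank.example` is never even offered on another origin, so the relay would fail before any signature is produced. The point the model makes is that even a signature the attacker manages to obtain is worthless to the genuine verifier, which is what "verifier impersonation resistance" buys.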

This means deploying biometric authenticators today isn’t a risky bet on niche tech. It’s a strategic step toward a passwordless future already being adopted at scale. Here are five best practices for evaluating your current authentication model:

  • Stop counting factors. A weak password plus SMS code may be “two-factor,” but it won’t meet AAL2.
  • Evaluate assurance levels. Map your stack against NIST’s framework; modernize if it falls short.
  • Prioritize phishing resistance. Ensure authenticators resist SIM swaps, push fatigue, and session hijacking.
  • Demand certification. Look for biometrics validated against ISO and FIDO standards.
  • Frame the conversation. Treat authentication as an assurance issue, not a compliance checkbox.
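To make "stop counting factors" concrete alongside the AAL definitions above, here is a small Go evaluator added for this article (not the author's, 1Kosmos's or NIST's code). It scores an authenticator stack on distinct factor types, replay resistance, verifier-impersonation resistance and hardware backing rather than on how many authenticators are stacked. The `Authenticator` struct, the `Catalogue` entries and the policy in `Evaluate` are a constructed simplification of NIST SP 800-63B: the refusal of RESTRICTED authenticators at AAL2 follows the article's stance, while NIST itself labels PSTN (SMS and voice) out-of-band delivery RESTRICTED.

```go
package main

import (
	"fmt"
	"strings"
)

// Factor is one of the three classic authentication factor types.
type Factor string

const (
	Knowledge  Factor = "something you know"
	Possession Factor = "something you have"
	Inherence  Factor = "something you are"
)

// Authenticator records the properties this example evaluates. The struct and
// the catalogue below are constructed for illustration; they simplify
// NIST SP 800-63B and are not its normative text.
type Authenticator struct {
	Name                           string
	Factors                        []Factor // a biometric on a trusted device supplies two
	ReplayResistant                bool     // a captured output cannot be submitted again later
	VerifierImpersonationResistant bool     // output is bound to the genuine relying party
	HardwareBacked                 bool     // secret lives in a secure enclave or security key
	Restricted                     bool     // NIST labels PSTN (SMS/voice) out-of-band RESTRICTED
}

// Catalogue is a hypothetical set of authenticators to build stacks from.
var Catalogue = map[string]Authenticator{
	"password":     {Name: "password", Factors: []Factor{Knowledge}},
	"sms-otp":      {Name: "SMS one-time code", Factors: []Factor{Possession}, ReplayResistant: true, Restricted: true},
	"totp-app":     {Name: "TOTP app", Factors: []Factor{Possession}, ReplayResistant: true},
	"push-approve": {Name: "push approval", Factors: []Factor{Possession}, ReplayResistant: true},
	"passkey-bio": {Name: "device-bound passkey unlocked by biometric", Factors: []Factor{Possession, Inherence},
		ReplayResistant: true, VerifierImpersonationResistant: true, HardwareBacked: true},
}

// Stack looks up authenticators by catalogue key.
func Stack(keys ...string) []Authenticator {
	var s []Authenticator
	for _, k := range keys {
		s = append(s, Catalogue[k])
	}
	return s
}

// Evaluate returns the assurance level (0-3) a stack reaches under this
// example's policy and the reasons it went no higher. AAL2 needs two distinct
// factor types, a replay-resistant authenticator and no RESTRICTED one; AAL3
// additionally needs a hardware-backed, verifier-impersonation-resistant one.
func Evaluate(stack []Authenticator) (int, []string) {
	if len(stack) == 0 {
		return 0, []string{"no authenticator"}
	}
	distinct := map[Factor]bool{}
	var reasons []string
	replay, restricted, phishResistantHW := false, false, false
	for _, a := range stack {
		for _, f := range a.Factors {
			distinct[f] = true
		}
		replay = replay || a.ReplayResistant
		phishResistantHW = phishResistantHW || (a.VerifierImpersonationResistant && a.HardwareBacked)
		if a.Restricted {
			restricted = true
			reasons = append(reasons, a.Name+" is a RESTRICTED authenticator")
		}
	}
	if len(distinct) < 2 {
		reasons = append(reasons, fmt.Sprintf("%d authenticator(s) but only %d distinct factor type(s)", len(stack), len(distinct)))
	}
	if !replay {
		reasons = append(reasons, "no replay-resistant authenticator")
	}
	if len(distinct) < 2 || !replay || restricted {
		return 1, reasons
	}
	if !phishResistantHW {
		return 2, append(reasons, "no hardware-backed, verifier-impersonation-resistant authenticator")
	}
	return 3, reasons
}

func main() {
	for _, keys := range [][]string{
		{"password", "sms-otp"},
		{"password", "totp-app", "push-approve"},
		{"passkey-bio"},
	} {
		level, reasons := Evaluate(Stack(keys...))
		fmt.Printf("%-36s AAL%d  %s\n", strings.Join(keys, "+"), level, strings.Join(reasons, "; "))
	}
}
```

Running it shows the shape of the argument: password plus SMS code is "two-factor" yet scores AAL1 under this policy, three stacked authenticators (password, TOTP, push) still top out at AAL2 because none resists verifier impersonation, and a single device-bound biometric authenticator reaches AAL3 because the device and the biometric are two distinct factor types.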

Authentication is no longer just a technical safeguard; it’s a business imperative directly tied to customer trust, brand reputation, and organizational resilience. Companies that equate security with the number of factors in use overlook the real issue. When it comes to high-assurance authentication, it’s about quality, not quantity.


Mike Engle is co-founder and CSO at 1Kosmos. He was formerly head of information security at Lehman Brothers and co-founder of Bastille Networks. Mike is a recognized expert in information security, business development, and product design/development.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
