Biometric Authentication

What is Biometric Authentication?

Biometrics is a technical term to refer to humans’ physical or behavioral traits. Biometric authentication is a concept in data security. Biometric authentication solutions create a data-generated model that represents the individual. With that model and biometric information, security systems can authenticate access to applications and other network resources. Biometric authentication is quickly becoming a popular component of multifactor authentication strategies, because it combines a strong authentication challenge with a low-friction user experience. 

Passwords vs Biometrics – Which is Stronger?

Usernames and passwords have been a foundational security measure for decades, but no longer. Multiple high-profile breaches at major financial and business institutions have resulted in millions of username/password combinations stolen and listed for sale on the Dark Web. Combine this with the tendency to repeat passwords across multiple accounts, and the scale of the vulnerability becomes more apparent.

Biometric authentication systems are less exposed to this vulnerability because the user’s biometric data is unique. It is very difficult for an attacker to fraudulently replicate an individual’s fingerprint or facial recognition scan when taken by robust solutions with strong liveness/spoof detection, and yet takes only a moment for the appropriate user to authenticate. Because of this, biometrics are considered more convenient than passwords and more secure.

According to Gartner, “Biometric authentication cannot and does not depend on the secrecy of biometric traits, but instead relies on the difficulty of impersonating the living person presenting the trait to a capture device (‘sensor’). This latter point is not widely known, leading to some common misconceptions, reinforced by limited presentation attack detection (PAD) in consumer devices and publicity about successful attacks against Apple Touch ID, Samsung swipe sensors, Android face recognition and so on.” This should be a reassuring message to those skeptical about the long-term viability of biometric authentication.

Types of Biometric Authentication Methods

Facial Recognition

Facial recognition is a very well-known form of biometric authentication popularized in the many spy dramas and sci-fi tales in popular media. Truly, this technology is rooted in our biology. We use facial recognition every day to identify our friends and families and distinguish strangers. In authentication, the principles of this process are digitized to allow a smartphone or mobile device to recognize a face in much the same way.

Facial recognition software analyzes the geometry of the face, including the distance between the eyes, distance between the chin and nose, etc., to create an encrypted digital model for your facial data. When authenticating, the facial recognition tool will scan your face in real time and compare the model to the one stored within the system. Though facial recognition is evolving, there are still some risks involved.

Pros:

• Mobile devices are widely adopted and most if not all of them have a camera.

• Very little setup. With most modern mobile devices,  these capabilities are included as standard features.

• Facial recognition is among the more convenient biometric authentication modalities. Looking into the device’s camera involves less friction than a fingerprint scan or authentication code.

Cons:

• Not all facial recognition systems are created equally. Some are easier to spoof than others.

• Device-native solutions are not as effective as third-party or proprietary solutions.

• Facial recognition systems with “active liveness detection” require the user to move their head, blink or perform other actions in the moment to verify the request. This process can be easier for an attacker to analyze and circumvent and can make for an awkward user experience  whereas “passive liveness detection” occurs behind the scenes, so that it doesn’t get in a user’s way and is harder for an attacker to identify and understand.

Fingerprint Recognition

Law enforcement officers have used fingerprints as a form of identification for years. A fingerprint reader operates on the same principles, but the entire process is digitized. Everyone’s fingerprints are unique to them. So, by analyzing the ridges and pattern of the print, fingerprint scanners create a digital model which is compared against future attempts to authenticate.

Pros:

• Used in many industries
• Among the most ubiquitous modalities

Cons:

• Performance can suffer due to the quality of the fingerprint or current conditions, such as wet or dirty fingers.

Eye Recognition

Contrary to popular belief, there are actually two methods of scanning the eye for the purposes of authentication. The scan leverages iris recognition or retina recognition to identify users.

In a retinal scan, the authenticator shines a light briefly into the eye to illuminate the unique pattern of blood vessels in the eye. By mapping this pattern, the eye recognition tool can compare a user’s eyes against an original. Iris scans work similarly, but they analyze the colored rings found in the iris.

Pros:

• In some implementations, eye recognition can be as fast and accurate as face recognition (though less user-friendly).

Cons:

• It can be difficult to get a sample for comparison when in sunlight (pupils contract).
• Depending on the implementation, it can require specialized hardware.

Voice Recognition

Voice recognition analyzes the sound of the user’s voice. Each person’s unique voice is determined by the length of their vocal tract and the shape of their nose, mouth, and larynx. All these factors make analyzing the user’s voice a strong method of authentication.

Pros:

• Offers a convenient authentication experience
• Some software provides a phrase for the user

Cons:

• Background noise can distort recordings.
• The common cold, bronchitis, or other common illnesses can distort the voice and disrupt authentication.
• In public scenarios, a person may feel uncomfortable speaking out loud (such as on a train or bus).

Biometric Authentication Use Cases

Biometric authentication is being used in a wide variety of applications across many industries. Here are just a few examples of how these industries are employing the use of biometrics to improve safety and efficiency of existing processes.

Travel and Hospitality:

Select airlines and airports are offering their passengers the option to check into their flight using facial recognition. Similarly, hotels and hospitality companies are beginning to enable self-check-in using biometric authentication.

Banking and Financial Services:

Security and authentication is essential in many industries, but particularly so in mobile banking. Financial institutions are leveraging biometric authentication as part of two-factor authentication or multi-factor authentication strategy to protect the bank and its customers from account takeover attacks.

Healthcare:

Biometric authentication in the form of fingerprint scanners, iris scanners, and facial recognition can help hospitals confirm the patient’s identity, ensure caregivers have access to the right medical information, and more.

Biometrics Myths Busted

Though biometric authentication systems are gaining popularity in the security space, there are still several prevailing myths around biometrics that are slowing adoption. Here are four of the most significant misconceptions around biometric authentication:

• Myth – Biometric technology is an invasion of privacy: There is a significant distinction between biometric authentication options that require the user to opt-in and facial recognition technology deployed in public spaces. Biometric authentication solutions require the user’s consent by their very nature since the user must first enroll their biometric. In addition, photographic images of faces are not stored in a database. Rather, a mathematical model of the face is encrypted and kept on file for comparison purposes. It is essentially useless to an attacker even if it were stolen.   
• Myth – Biometric identification can be fooled by static images and photographs: This may have been true in older or less sophisticated iterations of authentication technology. However, modern biometric authentication solutions include liveness detection capabilities that can discern whether the biometric trait presented is authentic or a mask, model, image, or even a video. To authenticate, the user may be asked to blink or turn their head, but other liveness detection capabilities work entirely in the background.  
• Myth – Biometric models expire as the user ages or features change: The concern is that as a user ages, their face will change slowly over time until it no longer registers as a match. In biometric authentication applications, the user is typically authenticating regularly enough that these small changes in appearance will not be large enough to invalidate the match. Instead, the mathematical model will be updated as it recognizes changes in appearance.
• Biometric identification is only applicable if the user is already known: Behavioral biometrics analyze the ways in which an individual user interacts with their device. How they hold their phone, swipe, type on their keyboard, and more can be used to develop a profile with which to authenticate a user or determine relative risk of a transaction. For example, in a new account opening scenario, behavioral biometrics can compare the applicant’s behavior against a representative pool of users to  determine whether the new applicant appears to be a genuine, legitimate user or a bot or attacker.