Biometric Authentication: Good, Bad, & Ugly | OneLogin (2024)

Authentication is a way to verify, beyond a doubt, that a person is who theysay they are. Biometric authentication performs this verification by checkingdistinctive biological or behavioral characteristics.

An authentication system works by comparing provided data with validateduser information stored in a database. In traditional systems, thisinformation is passwords. In biometric authentication, this information isdefined as physical or behavioral traits.

For example, in a facial recognition system, different facial features areprocessed and converted into numerical data, which is stored in a database.When a person tries to log in, the system recaptures their face, extractsnumerical data, and then compares it with what’s stored in the database.Other types of biometric authentication are:

• Fingerprint scanning
• DNA matching
• Retina scanning
• Vein scanning
• Behavioral biometrics

Behavioral biometrics verify identity by analyzing physical and cognitivebehavior of a user. They use machine learning algorithms to determinepatterns in user behavior and activities. These patterns are then used todetect whether someone is who they say they are.

Examples of behavioral biometrics are:

• Touchscreen use (how much area of the screen are they using)
• Typing dynamics (keyboard shortcuts or typing speed)
• Mouse activity

The whole point of biometrics is that they are unique. Knowing that, you maythink that biometric authentication can’t be hacked. But that’snot true.Just like any other system, biometric authentication isn’t hack-proof.Modern AI algorithms can be used to generatefingerprints, which can deceive fingerprint scanners.

Moreover, several vulnerabilities have been observed in the data collection,processing, matching, and enrollment processes of even the most sophisticatedbiometric systems.

A unimodal biometric authentication system verifies only one distinct characteristic, e.g. a face or a retina. But as we just saw, such a system is susceptible to spoofing.

This is where multimodal biometric authentication can help. It’s an approach in which various biometrics are checked during identity verification. This makes it much harder for a malicious actor to spoof.

For example, a hacker may be able to find a person’s photo on the internet, which they use to successfully trick a facial recognition system. But if the system requires them to provide additional info, e.g. a video of the person saying their password, they are highly unlikely to find it.

Additionally, combining physical and behavioral biometrics can also enhance your security posture. Even if a malicious actor manages to spoof a fingerprint, the system can detect change in behavior and deny entry. E.g., their speed of interaction with the system may be slower than the real user, or they are using keyboard shortcuts that the real user never used.

Biometrics are a much needed improvement over passwords. Passwords are veryeasy to hack. Sometimes, all a hacker needs are a person’s birthdate,and the name of their cat. Biometrics on the other hand, are much harder toobtain.

You won’t find a person’s biometric data written on a stickynote, or auto-filled in their browser. Attackers thus find it much harder tobreak into passwordless biometric systems, especially those using multimodalauthentication.

A main reason for the popularity and prevalence of biometric authenticationis that users find it much more convenient. No need to remember a complexpassword, or change one every other month. Just put your finger over a keypad,or look into an eye scanner, and you are in.

Some systems, such as facial recognition, can even authenticate without theuser consciously making a gesture. Simply moving into a room, or sitting infront of your computer, can suffice.

Biometric authentication and zero-trust models go hand-in-hand. To build a true zero trust model, one where nothing is intrinsically trusted, you can depend on the resilient identity validation of biometric systems.

Yes, biometrics are generally more secure, but they aren’t foolproof.Hackers can spoof biometric data by using various techniques like downloadingor printing a person’s photo, using a fake silicone fingerprint, or a 3Dmask. Such attacks are known as presentation attacks.

Moreover, smartphone fingerprint scanners often rely on partial matches.Researchers have found that it’s possible to create “masterprints” that match partials of many people and can thus give access to alarge number of user accounts.

In addition to being hackable, biometric systems can also sometimes fail torecognize a valid user: someone could be wearing different makeup or newglasses, or the voice of a user might sound different when they are sick orhave just woken up.

So, it’s no surprise that quality biometric solutions cost more. Infact, 67%of IT professionals cite cost as the biggest reason for not adoptingbiometric authentication. There are hidden costs, too, with 47% of thosesurveyed reporting a need to upgrade systems in order to support a shift tobiometrics.

There are some serious ethical concerns surrounding many forms ofbiometrics. One of them involves bias. Facial recognition systems may notrecognize persons of color or non-cisgender people as accurately.

Moreover, many biometric systems have been trained primarily using white orwhite male photos. This incorporates in them an inherent bias that results indifficulty recognizing women and people of color.

Additionally, there are fears about how biometric data is shared. Is itacceptable for companies to sell or provide their biometric data to others,such as law enforcement, immigration enforcement, or repressive foreigngovernments? These privacy concerns have caused many US states to enact biometric information privacy laws.

For businesses, another ugly side of biometric data is its storage. Whereverbiometric data is stored, it must be stored securely. Because it can’tbe reset like a password. If biometric data is hacked, there’s no goingback—a person can’t change their fingerprint or their iris.

Companies that choose to store employees’ or customers’biometric data are taking on a big financial and ethical responsibility. Thisis one reason to consider on-device storage: where the biometric data isstored on the device that authenticates the user like their smartphone orcomputer.

This gives the user control over the data. It also restricts its location toa local device, reducing the likelihood of a single breach, allowing access tolarge sets of biometric data.

While there are many sides to the biometric debate, one thing is for certain: the technology is here to stay. The good side of biometrics is still outweighing the bad and ugly sides, so much so that companies are expected to continue adopting biometrics for authentication.

Request a Demo