Biometric authentication, the good, the bad, and the ugly

The pros and cons of using biometrics for authentication

Biometric authentication

Up until a few years ago, biometrics were considered to be an impregnable means of passwordless authentication. But how do they fare today? Is biometric authentication infallible? Or are there ways to hack it? Should it be your authentication mode of choice? In this article, we’ll examine the good, the bad, and the ugly sides of biometrics for authentication.

What is biometric authentication?

Authentication is a way to verify, beyond a doubt, that a person is who they say they are. Biometric authentication performs this verification by checking distinctive biological or behavioral characteristics.

An authentication system works by comparing provided data with validated user information stored in a database. In traditional systems, this information is passwords. In biometric authentication, this information is defined as physical or behavioral traits.

For example, in a facial recognition system, different facial features are processed and converted into numerical data, which is stored in a database. When a person tries to log in, the system recaptures their face, extracts numerical data, and then compares it with what’s stored in the database. Other types of biometric authentication are:

  • Fingerprint scanning
  • DNA matching
  • Retina scanning
  • Vein scanning
  • Behavioral biometrics

Behavioral biometrics verify identity by analyzing physical and cognitive behavior of a user. They use machine learning algorithms to determine patterns in user behavior and activities. These patterns are then used to detect whether someone is who they say they are.

Examples of behavioral biometrics are:

  • Touchscreen use (how much area of the screen are they using)
  • Typing dynamics (keyboard shortcuts or typing speed)
  • Mouse activity

Is biometric authentication hackable?

The whole point of biometrics is that they are unique. Knowing that, you may think that biometric authentication can’t be hacked. But that’s not true. Just like any other system, biometric authentication isn’t hack-proof. Modern AI algorithms can be used to generate fingerprints, which can deceive fingerprint scanners.

Moreover, several vulnerabilities have been observed in the data collection, processing, matching, and enrollment processes of even the most sophisticated biometric systems.

What is multimodal biometric authentication?

A unimodal biometric authentication system verifies only one distinct characteristic, e.g. a face or a retina. But as we just saw, such a system is susceptible to spoofing.

This is where multimodal biometric authentication can help. It’s an approach in which various biometrics are checked during identity verification. This makes it much harder for a malicious actor to spoof.

For example, a hacker may be able to find a person’s photo on the internet, which they use to successfully trick a facial recognition system. But if the system requires them to provide additional info, e.g. a video of the person saying their password, they are highly unlikely to find it.

Additionally, combining physical and behavioral biometrics can also enhance your security posture. Even if a malicious actor manages to spoof a fingerprint, the system can detect change in behavior and deny entry. E.g., their speed of interaction with the system may be slower than the real user, or they are using keyboard shortcuts that the real user never used.

The Good

Biometrics are a much needed improvement over passwords. Passwords are very easy to hack. Sometimes, all a hacker needs are a person’s birthdate, and the name of their cat. Biometrics on the other hand, are much harder to obtain.

You won’t find a person’s biometric data written on a sticky note, or auto-filled in their browser. Attackers thus find it much harder to break into passwordless biometric systems, especially those using multimodal authentication.

A main reason for the popularity and prevalence of biometric authentication is that users find it much more convenient. No need to remember a complex password, or change one every other month. Just put your finger over a keypad, or look into an eye scanner, and you are in.

Some systems, such as facial recognition, can even authenticate without the user consciously making a gesture. Simply moving into a room, or sitting in front of your computer, can suffice.

How biometric authentication works How biometric authentication works

Biometric authentication and zero-trust models go hand-in-hand. To build a true zero trust model, one where nothing is intrinsically trusted, you can depend on the resilient identity validation of biometric systems.

The Bad

Yes, biometrics are generally more secure, but they aren’t foolproof. Hackers can spoof biometric data by using various techniques like downloading or printing a person’s photo, using a fake silicone fingerprint, or a 3D mask. Such attacks are known as presentation attacks.

Moreover, smartphone fingerprint scanners often rely on partial matches. Researchers have found that it’s possible to create “master prints” that match partials of many people and can thus give access to a large number of user accounts.

In addition to being hackable, biometric systems can also sometimes fail to recognize a valid user: someone could be wearing different makeup or new glasses, or the voice of a user might sound different when they are sick or have just woken up.

So, it’s no surprise that quality biometric solutions cost more. In fact, 67% of IT professionals cite cost as the biggest reason for not adopting biometric authentication. There are hidden costs, too, with 47% of those surveyed reporting a need to upgrade systems in order to support a shift to biometrics.

Biometric authentication concerns Biometric authentication concerns

The Ugly

There are some serious ethical concerns surrounding many forms of biometrics. One of them involves bias. Facial recognition systems may not recognize persons of color or non-cisgender people as accurately.

Moreover, many biometric systems have been trained primarily using white or white male photos. This incorporates in them an inherent bias that results in difficulty recognizing women and people of color.

Additionally, there are fears about how biometric data is shared. Is it acceptable for companies to sell or provide their biometric data to others, such as law enforcement, immigration enforcement, or repressive foreign governments? These privacy concerns have caused many US states to enact biometric information privacy laws.

For businesses, another ugly side of biometric data is its storage. Wherever biometric data is stored, it must be stored securely. Because it can’t be reset like a password. If biometric data is hacked, there’s no going back—a person can’t change their fingerprint or their iris.

Companies that choose to store employees’ or customers’ biometric data are taking on a big financial and ethical responsibility. This is one reason to consider on-device storage: where the biometric data is stored on the device that authenticates the user like their smartphone or computer.

This gives the user control over the data. It also restricts its location to a local device, reducing the likelihood of a single breach, allowing access to large sets of biometric data.

Biometric authentication risks Biometric authentication risks

While there are many sides to the biometric debate, one thing is for certain: the technology is here to stay. The good side of biometrics is still outweighing the bad and ugly sides, so much so that companies are expected to continue adopting biometrics for authentication.

Related Resources:

5 reasons relying on passwords is a recipe for disaster

Passwords alone are not enough to protect your corporate data. Here are five reasons why.

Read More

How MFA helps prevent common cyberattacks

See how Multi-Factor Authentication (MFA) helps to prevent some of the most common and successful types of cyber attacks.

Learn

Solving the password problem in the tech industry

Find out how SSO and MFA together are key to protecting your tech company’s corporate data and intellectual property.

Download the Paper