What is Biometric Authentication?
Biometric authentication is the use of physical traits from users to verify their identity when they attempt to access systems or user accounts. In this discussion, “authentication” means requesting information from a user to compare against a previously enrolled biometric to verify their identity. Traditionally, authentication was accomplished through passwords, PINs, or knowledge-based questions (or some combination of these).
The introduction of physical traits changed how identity verification worked. Previous approaches to authentication relied on something the user knew (passwords or knowledge questions) or something the user owned (a mobile device with an authenticator app or an email to which a code or link can be sent).
Biometrics added the possibility of authenticating against something the user is… that is, an immutable part of their body. Aspects of our bodies like fingerprints, iris structure, or voice could be used to present unique identifiers for user identity.
While we all know how fingerprints are used to identify individuals, many don’t know that several physical traits can uniquely identify an individual. Advances in AI and pattern-recognition algorithms have opened the doors to how you can feasibly authenticate with certain physical aspects.
Types of Biometric Authentication
Each trait comes with its own pros and cons. Here are some common physical traits used in biometric authentication:
- Fingerprints: Fingerprint scans are incredibly common. Many smartphones, laptops, and smart devices use fingerprints because they are unique to most individuals (a repeating fingerprint pattern is unbelievably rare).
Their commonality doesn’t replace the fact that fingerprints can be problematic: dirty scanners or fingers can make reading the print hard, and years of hard work or hand injuries can ruin fingerprints and make this form of verification unusable for people who labor with their hands.
- Facial Recognition: Many new phones use facial recognition as part of their biometrics, so much so that the practice is becoming as common as fingerprint scanning. This approach is touch-free, frictionless and easy.
However, as we’ve found out during COVID-19, blocking the face with a mask, sunglasses, etc., can make recognition impossible. Likewise, facial scanners are possibly one of the easier forms of biometrics to spoof.
- Iris Scanning: Newer scanning technology can use Near-Infrared Light (NIL) to scan the contours and shape of the human iris as a unique “fingerprint.” These scanners are accurate and non-invasive, and the iris is a much safer and immutable physical aspect compared to fingerprints. Iris scanning also presents several ethical questions regarding privacy, security and bodily autonomy.
Alongside physical traits, verification systems are increasingly turning to behaviors as biological traits. Many of us have repeated behaviors that we exhibit daily, often not knowing we are even performing them. Some behavioral characteristics include:
- Voice Recognition: While this approach does involve some physical traits, voice recognition systems also use patterns like dialects, accents, patterns of speech, and word choice alongside pitch, tone, and tenor to determine identity. The use of voice as a reliable form of biometrics is relatively new, and advances in AI and recognition algorithms have driven its adoption.
- Signature Analysis: While signatures can be forged, it’s much harder to fake how someone signs a document. Advanced biometrics can include analysis of handwriting and signature patterns as a form of behavioral identification.
- Gait Analysis: Yes, even the way we walk is somewhat unique. Patterns in gait length, frequency, and shape are part of a unique signature that algorithms can use as identifiers.
Behavioral biometric IDs are already used in specific industries, like finance. Theoretically, behavioral biometrics can be faked more readily than physical biometrics. Additionally, to make biometrics more effective, an organization might collect data about multiple behaviors: keystrokes, gait, signatures, etc. This involves a lot of data collection as well as what some might consider an invasion of privacy.
Biometrics vs. Passwords
The major benefit of biometrics over passwords is that biometrics are much harder to fake. Another advantage is that by requiring a biometric credential, you will, in many cases, confirm that the user is physically present at the point of authentication.
However, some might argue that biometrics can provide more space for abuse of user privacy. Some users may not be OK with providing information about their physical body to every company that expects it.
What Are Different Modes of Biometric Authentication?
The strength of biometrics isn’t simply that they use strong identifiers to determine identity in an authentication scenario. Biometrics can often fit into different authentication schemes. Because of this, you can, and will often, see biometrics in various modes of implementation.
Some different modes of biometrics include:
- Continuous Biometric Authentication: Takes the concept of continuous authentication (where users are constantly verified in real time as they perform daily computing tasks) and adds biometrics. This can include using behavioral or scanned biometrics, captured in real time, to maintain user identity throughout a task or workday.
- Multimodal Biometrics: As the name suggests, this method uses multiple physical or behavioral traits to verify identity. This provides more accuracy and reliability from a biometric identification system.
These modes suit organizations that want more flexible and reliable biometric systems in place. However, both raise issues regarding ethics and legality. To continuously verify someone’s biometric information, you have to scan their physical traits constantly, no matter what they are doing. Likewise, you can implement multimodal biometrics only if you collect multiple forms of biometric data… a practice that could cause friction with users or the law.
What Are the Laws Regulating Biometric Authentication?
In the United States, there aren’t any solid federal laws against collecting biometric data, but several state laws are in place. One of the flagship laws is the Illinois Biometric Information Privacy Act (BIPA), enacted in 2008. It requires employers to have clear policies, guidelines, and explanations about the data they collect and its purpose.
Furthermore, this law also requires employers to gain consent from their employees before collecting biometric data. Similar laws are in place in states like California and Texas. The General Data Protection Regulation (GDPR) for European Member States also addresses the use of biometric data.
Privacy and data laws can hinder more complex biometrics. In many cases, it stands to reason that employers or other organizations seriously consider how invasive they want to be with their employees. A mandatory and extensive biometric collection might infringe on employee privacy.
Biometrics Aren’t A One-Size-Fits-All Authentication Solution
While it is tempting to see biometrics or biometric passwords as the solution to all our problems, this sadly isn’t the case. Alongside the issues raised in the previous section, the fact remains that biometrics aren’t foolproof.
Take physical traits. We like to think of these as immutable and eternal, but they aren’t. Fingerprints can be worn down, as workers often handle rough or hot materials daily. A fingerprint verification system would essentially marginalize these people.
Additionally, physical traits like fingerprints or facial features change as we age, so some authentication systems must update biometrics over time for the same person.
Additionally, biometric data can be faked or stolen. Biometric templates are stored in digital systems, which means they can be stolen. And, while it is much harder to fake physical traits, it isn’t impossible.
Modern authentication should not rely too much on just biometrics. While there have been incremental improvements to biometrics, they aren’t enough. Real innovation in identity verification will include practices and technologies that can use biometrics and other forms of ID while eliminating weaknesses. This includes passwordless systems and liveness testing to thwart faked biometrics.
Finally, no method should make the user experience more complex or ethically challenging. Your company should absolutely use biometrics but never rely on it solely as a way to verify users.
You also cannot keep forcing employees to give more of their data to you for security, regardless of whether it is fingerprints, iris scans, voice recordings, and so on. Users should provide documents, liveness test artifacts and minimal biometrics in a self-onboarding platform that makes authentication less invasive and more intuitive.
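The multimodal mode described earlier and the cautions in this section (worn fingerprints, liveness testing, never relying on biometrics alone) can be combined in one access decision. The sketch below is an added example, not code from the original article or from any vendor; the modality weights, thresholds, and decision labels are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy values; real deployments tune these on measured error rates.
WEIGHTS = {"fingerprint": 0.5, "face": 0.3, "voice": 0.2}
MIN_QUALITY = 0.4       # below this a capture is unusable (e.g. a worn fingerprint)
ACCEPT_THRESHOLD = 0.8  # fused match score needed to accept the biometric factor


@dataclass
class Sample:
    modality: str
    match_score: float  # similarity to the enrolled template, 0.0 to 1.0
    quality: float      # capture quality reported by the sensor, 0.0 to 1.0


def fuse(samples):
    """Quality-weighted score-level fusion; None when no capture is usable."""
    usable = [s for s in samples
              if s.modality in WEIGHTS and s.quality >= MIN_QUALITY]
    total = sum(WEIGHTS[s.modality] * s.quality for s in usable)
    if total == 0:
        return None
    weighted = sum(WEIGHTS[s.modality] * s.quality * s.match_score for s in usable)
    return weighted / total


def decide(samples, liveness_passed, second_factor_ok):
    """Return (decision, reason). A biometric match alone never grants access."""
    if not liveness_passed:
        return "deny", "liveness check failed"
    fused = fuse(samples)
    if fused is None:
        # No usable trait: route to a non-biometric path, do not lock the user out.
        return "fallback", "no usable biometric capture"
    if fused < ACCEPT_THRESHOLD:
        return "deny", f"fused score {fused:.2f} below threshold"
    if not second_factor_ok:
        return "step_up", "biometric matched; second factor still required"
    return "allow", f"fused score {fused:.2f} with second factor"


if __name__ == "__main__":
    # Constructed samples: a worn fingerprint next to a good face capture.
    worn = [Sample("fingerprint", 0.35, 0.2), Sample("face", 0.93, 0.9)]
    print(decide(worn, liveness_passed=True, second_factor_ok=True))
    print(decide(worn, liveness_passed=False, second_factor_ok=True))
    print(decide([Sample("fingerprint", 0.35, 0.2)], True, True))
```

With a fingerprint-only policy the worn print ends in the fallback path; adding a second modality lets the same user authenticate without lowering the threshold.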
Use Cases for Biometrics
Biometrics are used in almost every industry that requires authentication. This is because authentication and authorization as practices are not limited to technical, financial, or retail settings. Instead, regulations regarding the use of authentication almost uniformly call for MFA and biometrics.
With that being said, you can find biometrics in industries like:
- Financial Services
- Data Management
- Government and Defense Contracting
Biometrics are also increasingly part of consumer tech use. Devices with fingerprint scanners and facial recognition are now the norm, and many service providers use this as part of their MFA schemas. However, not all providers require 2FA or MFA.
Innovating Biometrics and Empowering Users with 1Kosmos BlockID
Identity management is one of the more critical functions in an IT system. 1Kosmos BlockID is taking that important function and revolutionizing it. The future is passwordless, and BlockID combines identity-proofing with passwordless systems to bring together tight, compliant security with a streamlined and intuitive user experience.
BlockID includes features like the following:
- KYC compliance: BlockID Verify is KYC compliant to support eKYC verification that meets the demands of the financial industry.
- Strong compliance adherence: BlockID meets NIST 800-63-3 for Identity Assurance Level 2 (IAL2) and Authentication Assurance Level 2 (AAL2).
- Incorruptible Blockchain Technology: Store user data in protected blockchains with simple and secure API integration for your apps and IT infrastructure.
- Zero-trust security: BlockID is a cornerstone for a zero-trust framework, so you can ensure user authentication happens at every potential access point.
- Liveness Tests: BlockID includes liveness tests to improve verification and minimize potential fraud. With these tests, our application can prove that the user is physically present at the point of authentication.
- Enhanced User Experience: With the BlockID app, authentication and login are simple, straightforward, and frictionless across systems, applications, and devices. Logging into a system isn’t difficult, and you don’t have to sacrifice usability in the name of security.
With these measures, you won’t have to worry about the typical weaknesses of password systems like brute-force attacks or stolen passwords.
If you’re ready to learn about BlockID, how to use biometrics, and how to revolutionize your IAM and security efforts, read our guide on Workforce Identity Verification: And Authentication Prerequisite.