Biometric security technologies are increasingly dominating the digital world as a way of authenticating users. The term “biometric security” encompasses an array of these technologies, which we discuss in this post.
What is Biometric Security?
Biometric security technologies are designed to make breaking into a computer or other system more difficult than if there were just usernames, access codes, or passwords. Compared with relying on traditional authentication methods alone, biometrics can potentially increase security levels as well as the speed and convenience of user access.
Computers and devices with built-in biometric security systems use the one-of-a-kind characteristics of a person to determine whether they are allowed access. Theoretically, these physical details should be more secure than traditional passwords because they are unique to each individual.
Types of Biometric Detection
Biometric markers fit into one of two categories:
- Physical markers
- Behavioral markers
Physical markers are mostly unchangeable by the individual, whereas behavioral markers can be modified on purpose or simply change over time with a person’s age and health status.
Physical markers can include:
- Iris pattern
- Voice characteristics
- Facial structure
Behavioral markers can include:
- Speech pattern
- Facial expressions
- Typing cadence
- Finger and hand movements
- Body gait
These are just a few of the ways biometrics can determine the identity of an individual. There are also a few pros and cons associated with biometrics, as they are not entirely foolproof. Hackers and cybercriminals can still find ways around biometrics, or even steal a person’s biometric marker and use it to access their system or accounts. To enhance security, biometrics can be used alongside other types of authentication, such as logins and passwords.
Physical Biometric Markers
Retina and Iris Recognition
Retina scanners authenticate an individual by using the blood vessels in the back of their eye. However, retina scanners may be too intrusive to be applied to consumer products such as smartphones. They can also potentially expose a person’s health privacy to hackers or risk their employment or medical insurance coverage by uncovering a medical condition.
Iris scanners measure the color patterns in a person’s iris, which are unique to each individual. An iris scanner can detect a person’s identity without intrusion. Iris scanners are currently more popular than retina scanners.
Due to recent mass implementation in smartphones, fingerprint scanners are very common. These are not limited to fixed fingerprint buttons either. They can include any surface that can be touched, such as computer mice and door handles. Fingerprint scanners are the most common type of biometric scanner among enterprises today. However, they may have some problems
Facial recognition is the second most common type of visual authentication that is currently in use by companies. Any device or PC that has a built-in or connected camera can be used to authenticate a user via either retinal scans or facial recognition.
Hand recognition includes hand geometry and palm vein recognition. This is an image-based recognition type and requires only a camera or a specially designed hand scanner to implement.
Ears, not surprisingly, are obvious targets for biometric authentication technologies due to their static nature. Each individual has unique ear cavities, similar to fingerprints. So, any sound that bounces off of a person’s ear cavity will be specific to them.
The accuracy of determining individual ear cavities is close to 100 percent. Other biometric authentication methods suffer from complicated and expensive capture, storage, and retrieval technologies. And although fingerprint and iris scanning are common, they face several security risks and are not invulnerable to cyberthieves. Ears, however, do not change like facial expressions, nor are they easily photographed and re-created like fingerprints. So, it is possible that in the near future, a user’s ears will be the preferred method to unlock their smartphones.
Voice-based recognition systems are becoming more common with the popularity of smart home devices such as Amazon’s Echo and Apple’s HomePod. These have A.I. assistants included that respond to the user’s voice queries and commands. Telephone-based services today also use voice recognition when identifying customers and employees among enterprises.
However, voice recognition may not be entirely secure from cyberthieves. A person’s voice can easily be recorded and used to access a user’s system and accounts, including on smart home devices.
Digital signature scanners are very common today and have been for some time. These can be found at most retail checkout counters where customers insert credit cards into readers. Banks are also a place to find these as they often require customers to give their signatures to complete a transaction.
DNA sequencing has become much cheaper since the first genome was sequenced in 2003. It will soon be affordable enough for enterprises and individuals to use genome scanners as authentication devices. However, DNA is completely static in nature, so if it is stolen, it could prove a problem for user privacy because it cannot be changed.
Behavioral identifiers are a form of biometric security that can be used alone or in combination with other authentication methods. Currently, behavioral identifiers are not as reliable as fingerprint or facial recognition because of the crudeness of the technology. Over time, however, this method will likely increase in usage and expand to encompass many types of behaviors as technology improves.
Behavioral identifiers are specifically useful for distinguishing between a human and a robot imposter. However, as androids improve in their realistic portrayals of humans, biometrics will be less effective unless they also improve their detection capabilities.
Typing patterns vary depending on the person, including speed (time period moving from one letter to another) and the finger pressure placed on the keyboard. These can be used to identify the user that is doing the typing.
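The timing part of this idea, as an added example that is not from the original post: it enrolls a profile from several typings of one phrase and scores a new attempt against it. All timings are constructed, the 2.0 threshold and 5 ms spread floor are assumptions, and finger pressure is left out on the assumption that the keyboard reports timing only.

```python
from statistics import mean, pstdev

def typed(dwells, flights):
    """Build (press_ms, release_ms) key events from hold and gap durations."""
    events, t = [], 0
    for i, hold in enumerate(dwells):
        events.append((t, t + hold))
        t += hold + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell time per key (press to release), then flight time between
    keys (release of one key to press of the next)."""
    dwell = [release - press for press, release in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, min_spread_ms=5.0):
    """Profile = (mean, spread) per feature over several typings of one phrase.
    The spread floor (an assumed value) stops a very consistent typist from
    being rejected over a few milliseconds of jitter."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(pstdev(c), min_spread_ms)) for c in columns]

def score(profile, events):
    """Scaled Manhattan distance: average deviation from the enrolled mean,
    measured in units of that feature's spread. Lower means more similar."""
    vec = features(events)
    if len(vec) != len(profile):
        raise ValueError("attempt length differs from the enrolled phrase")
    return sum(abs(x - m) / s for x, (m, s) in zip(vec, profile)) / len(vec)

def verify(profile, events, threshold=2.0):
    """Accept when the attempt is within the (assumed) distance threshold."""
    return score(profile, events) <= threshold

# Constructed timings in milliseconds for a four-key phrase.
OWNER_SAMPLES = [
    typed([90, 85, 100, 95], [120, 110, 130]),
    typed([95, 80, 105, 90], [125, 105, 135]),
    typed([88, 90, 98, 100], [118, 115, 128]),
]
PROFILE = enroll(OWNER_SAMPLES)
OWNER_ATTEMPT = typed([92, 83, 102, 93], [122, 108, 133])   # same rhythm
OTHER_ATTEMPT = typed([60, 70, 65, 75], [200, 180, 220])    # short holds, long gaps

if __name__ == "__main__":
    for name, attempt in (("owner", OWNER_ATTEMPT), ("other", OTHER_ATTEMPT)):
        print(name, round(score(PROFILE, attempt), 2), verify(PROFILE, attempt))
```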
Speech patterns can be detected by the way a person says a word or sentence. These go beyond just the sound level and pitch of the person’s speech and also include their entire pattern of communication. A person having a conversation on a phone can be authenticated using their speech pattern.
Each person has a distinct way they move their body when they walk. This includes arms, legs, and head movements. This is a useful way to authenticate a person who enters any type of building.
Finger and Hand Movement Patterns
Using a person’s mouse or trackpad movements is a way to detect them without needing expensive hardware or software. Just the mouse or trackpad will suffice.
General Behavioral Patterns
Each individual has general behavioral patterns throughout the day, including when and how they use devices and the internet. For instance, how far down the battery goes on their smartphone, how much they use social media, and how they hold their devices all show behavioral patterns.
However, as androids and bots become more human-like, these activities will be less accurate at identifying actual people. For now, detecting these activities is useful for authentication when used in combination with other technologies.
Local or Device-based Authentication
Authentication Via Devices
Smartphones today have built-in hardware security mechanisms that store biometric data within the device. These include facial recognition via the camera, fingerprint scanning, and voice scanning with the microphone. The original scan is stored in the device’s memory, where each authentication scan is compared against it. If it matches, the user can access the device.
On today’s iPhones and iPads, something called the “secure enclave” keeps biometric data secure on the device. It separates the biometric data from the main application processor(s) on the device so that they cannot access it. The secure enclave uses its own processor and RAM with a specific encrypted portion.
Samsung and Android phones have a similar mechanism and rely on ARM’s TrustZone technology. If an attacker breaks into the main operating system of the device, the secure chip will prevent them from getting to your biometric data or security keys. No software outside of this area of the device can access this secure module.
How Reliable is Biometric Authentication?
Storing biometric data, such as voice, video, and fingerprint scans can create a risk of data loss if the device or server is compromised. False positives of users can allow someone to access a device and change or steal information. Facial recognition is particularly susceptible to false positives (or negatives) when users wear makeup, hats, glasses, or if they appear sick.
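The false-positive versus false-negative trade-off described above, as an added example that is not from the original post: a matcher accepts an attempt when its similarity score reaches a threshold, so tightening the threshold to keep strangers out also rejects more of the owner's own attempts. The matcher is hypothetical and every score is constructed.

```python
# Similarity scores in [0, 1] from a hypothetical face matcher; higher = closer.
# Constructed data: the owner's low scores stand for attempts with glasses,
# a hat or while unwell; the high impostor scores stand for look-alikes.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.93, 0.62, 0.85, 0.90, 0.71, 0.97]
IMPOSTOR = [0.12, 0.35, 0.48, 0.66, 0.22, 0.74, 0.30, 0.41, 0.55, 0.18]

def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when attempts scoring >= threshold are accepted.
    FAR = share of impostor attempts accepted (false positives).
    FRR = share of genuine attempts rejected (false negatives)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def sweep(step=0.05):
    """(threshold, FAR, FRR) for every threshold from 0 to 1."""
    n = round(1 / step)
    return [(round(i * step, 2), *rates(round(i * step, 2))) for i in range(n + 1)]

def threshold_for_far(max_far, step=0.05):
    """Lowest threshold that keeps FAR within budget. Lowest is chosen because
    every further increase only rejects more legitimate users."""
    for t, far, frr in sweep(step):
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the FAR budget")

def equal_error_point(step=0.05):
    """Threshold where FAR and FRR are closest to each other."""
    return min(sweep(step), key=lambda row: abs(row[1] - row[2]))

if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    print("FAR budget 0%:", threshold_for_far(0.0))
    print("equal error point:", equal_error_point())
```

On this data, driving false accepts to zero costs the owner two rejected attempts out of ten, which is why a second factor is often used instead of an ever-stricter threshold.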
Benefits of Biometrics
Analysing Behavioral Patterns
Biometric security can go so far as to analyze changes in a person’s behavioral patterns to judge if it is a fraudulent actor attempting to be authenticated.
Behavioral biometrics can detect potentially dangerous login attempts and fund transfers before they happen. In fact, biometrics can help banks stop fraud and money laundering attempts which cost the economy trillions of dollars every year.
Downsides of Biometrics
Voice and Fingerprints Are Not Foolproof
Voice recognition could prove faulty when a legitimate user tries to get verified while standing in a crowded place, such as a concert or public transit stop. Fingerprints can also prove ineffective when the hands are dirty or become injured.
Biometric scanners can be fooled using photos, voice recordings, masks, or copies of fingerprints. Voice recording is particularly susceptible to theft when the user regularly interacts with a home smart device, such as an Amazon Echo.
For more information, read our post “12 Dangers of Amazon Echo.”
To mitigate this chance, businesses are encouraged to use multiple types of authentication to verify employees. Banks and other financial institutions are most advised to do this as they are prime targets for cybertheft.
What Happens When Biometric Authentication Data Gets Leaked?
Many types of criminals can use private data for profit or to harm individuals if it gets leaked. Famous athletes, actors, businessmen, and anyone who wants to keep their information private are at risk.
Any corrupt group or government can wield enormous power over individuals if they manage to steal one of their biometric markers. Terrorist groups or dangerous governments can use biometric data to control a population or extract ransoms from individuals.
Seemingly trustworthy companies are not immune to abusing their customers’ data either. This could put individuals in legally and personally difficult situations. Medical conditions, geographic locations, and social relationships can all be exposed by wayward companies.
Reliability of Biometrics
Is Biometric Authentication Data Secure?
Biometric authentication data needs to be secured more carefully than login passwords, which can always be reset and changed if they are compromised. Each body part used in biometrics is fixed for the individual’s lifetime, so having it leaked or stolen can be potentially catastrophic to users. A company that loses its customers’ biometric data will likely face significant financial and legal repercussions.
Proper Encryption Is Needed
Companies that keep biometric authentication data on their servers need proper encryption and best practices to keep it safe from attack. These include encryption in transit, at rest, and at runtime to keep it protected at all times.
Biometrics and Enterprises
Companies can partner with tech companies such as Apple or Google that offer biometric authentication technologies. But if there is a breach on a customer data server, the blame can spread beyond the technology supplier. So it is up to each business to decide and be responsible for their customers’ information when it is protected by biometrics.
Companies can protect themselves by keeping customer payment data off of their servers. This is called “out of scope” and means payment information is encrypted and immediately sent to a payment processor.
No encryption is absolutely secure, however. If any authorized users or applications turn malicious, then the data they have access to can be compromised. One solution is for companies to avoid storing encrypted data on their servers at all.
Companies of all types can utilize smartphone biometric scanners to authenticate users who own their own devices. Their customers can also be confident that their biometric data is secure on their phones and cannot be accessed by the company to be used without their consent. Many different types of devices include secure biometric modular technology, such as biometric scanners for PCs, smart door locks, and tablets.
Fingerprint recognition is the most commonly used biometric authentication method among companies today. These are mostly from users’ smartphones, such as with Apple’s Touch ID, Face ID, and Android Face Unlock.
Workers that use their own smartphones for facility biometric access are more likely to have their devices with them and recover them faster than badges if they are misplaced. This can make business operations work more smoothly with fewer disruptions related to worker authentication.
Special smartphone hardware can handle security for online payments as well, such as Google Pay and Apple Pay. They can also authenticate popular third-party apps that do not have access to biometric data.
Smartphone biometric scanning technology is not standing still. Technology companies are rapidly advancing their biometric technology to keep pace with the competition. Other industries currently cannot match the scale of technology funding that mobile devices receive today.
Limitations of Biometrics
One current limitation with biometric authentication on smart devices is that each one needs to be unlocked separately by the user. Door locks, PCs, or other devices do not communicate biometric data with each other, requiring a separate biometric scanner for each of them.
If a company wants to authenticate users on multiple devices without requiring them to log into each one of them, they need technology that allows for storing the data centrally. A solution is a company-authorized smart badge or another smart object the user carries with them. This can communicate the biometric login data via WiFi, Bluetooth, NFC, or the internet to the main security module where it can be verified.
For more information, read our post “Problems With Fingerprint Biometrics.”
Businesses Using Encryption and Tokenization
A company can use tokenization or one-way encryption to authenticate its employees on specially issued devices. The company would NOT store the biometric images, videos, or audio files on its servers.
The biometric data would be converted to code and sent to a proprietary authentication technology on a company server. However, this could limit the company to only a specific form of authentication.
Using More Than Just Passwords
Passwords are effective but still leave sensitive information vulnerable to theft. Many user passwords are very simple and easy to break, such as a consecutive string of letters or numbers.
Two-factor Authentication and Passwords
Adding two-factor authentication to passwords has created a new layer of security for users’ accounts. The most popular form is sending text messages or emails to users and having them enter an access code.
Biometrics have the possibility of replacing an extra authentication step, or the entire process altogether. The newest smartphones include fingerprint scanners and/or facial recognition and they continue to add more capabilities with each new product release.
Legal Issues With Biometrics
Another problem with biometrics is that they do not yet fall under the protection of the Fifth Amendment. This exposes users to potential risks with regard to law enforcement. There will be more legal developments in this area as time goes on and biometric usage enters into criminal cases. Biometrics will increasingly be included in consumer products and allow individuals to access their devices in the near future.
The Future of Biometrics
Biometrics is the Future of Security
Billions of people are connected online, with billions more following in the years ahead. This means authenticating them effectively and reliably is important to keep the global economy operating. Biometric security will play an increasing role in this regard as it continues to improve in terms of ease-of-use and technological capability.
Facial Recognition Adoption Has Been Slow
Since smartphones have included fingerprint scanners for several years, consumers have become comfortable with them. New biometric technologies will have to overcome user skepticism, such as with facial recognition which is not used as often.
However, smartphone makers may eventually only allow users to access their phones with facial recognition. Governments are more than happy to include facial recognition to quickly track their citizens for security purposes. This will speed up the adoption of this technology for both business users and individuals.
China, for instance, requires its citizens to submit a facial recognition scan to be able to get access to devices or state identification cards.
The privacy of users will be the first casualty of the increase in biometric authentication technologies hitting the marketplace. But user growth is unstoppable as scanning technology keeps improving and false-positive rates drop.
The Hacker Arms Race Will Continue
Fingerprint cloning can be used to trick fingerprint scanners, and thieves wearing masks can get past facial recognition. This only shows that biometrics are not foolproof and that companies are far from achieving perfection with these technologies. Hackers will continue to maneuver around companies that attempt to protect their users from theft, so the arms race between them will go on.
Biometrics are proving to be a powerful and effective way of authenticating users in today’s digital world. Companies and individuals that rely on their smart devices will adopt them more and more in the coming years. This has both positives and negatives in relation to ease-of-access and personal privacy. More debate and technological developments will be needed to secure data for everyone who relies on devices with biometric scanners as a part of their daily lives.