What are the pros and cons of biometrics in today's digital age?
When you hear the word biometrics, what's the first thing that comes to mind? Biologists measuring a vial of cells, a science teacher's scoring rubric for their students' tests, or maybe a feature on one of the state-of-the-art tools Batman uses as the world's greatest detective?
Think of biometrics in two parts. "Bio" as in "biology": the scientific study of life and living organisms. "Metrics" isn't just a system the world (excluding the USA) uses for measuring the distance between places; metrics are a rules-based system of measuring data, often used for comparative or tracking purposes.
Biology is largely qualitative; metrics are quantitative. How can two seemingly incongruous things come together to provide an authentication application that creates safety and security in the digital world, bridging the gap between the digital world and reality? Many experts today argue that because biometric identifiers are unique to everyone, biometric identification is ultimately more secure than traditional passwords, two-factor authentication, and knowledge-based answers.
It seems everyone is talking about biometrics, and that makes sense considering 74% of consumers now perceive physical biometrics to be the most secure method for digital identity verification. We'll answer some common questions about what biometrics are and how a basic biometric recognition system works with a person's identity, and we'll discuss current biometric identification solutions and screening types, along with the advantages and disadvantages of biometrics.
Biometric types and their indicators: physiological and behavioral
If you've ever unlocked your mobile device with your finger, scanned your face to see how much money is in your bank's app, or yelled "Hey Alexa" to find out how long to cook an egg - congratulations! You've used your biometrics. Biometrics (including the ones used in the aforementioned example) fall into one of two categories: physiological and behavioral biometrics.
A person's fingerprint, the most common biometric used in the world today to identify a person, is categorized as a "physiological" biometric indicator: a specific physical pattern on a person's body. A scan of the same person's face, or face recognition, is also a physiological biometric, but it can be segmented into other physiological measurements such as ear shape, the distance between the eyes, nose shape and length, hair type and others. Physiological biometric data is analyzed with things like facial recognition and fingerprint readers, which are fairly commonplace on mobile devices like smartphones, laptops, and tablets.
A person's voice is a "behavioral" biometric indicator: a specific pattern related to an individual's actions. A physical fingerprint can be lifted off of a device, but the way you use that device can also be measured to make a profile. Though there are some crossovers with physical traits, behavioral biometric indicators are increasingly being used in digital applications and online to follow and determine who a person is based on a set of patterns created by how they behave. For example, most modern companies that have a digital platform will look at behavioral characteristics like scrolling on a web page with a mouse, swiping on a web page to indicate mobile browsing, or clicks vs. hard presses as one method of biometric recognition that can help build a profile of a person's identity.
Physiological - shape of the body
1. Fingerprint - the ridges on your finger
2. Hand geometry - how far your fingers are apart from one another, finger length, etc.
3. Palm print - hand lines found on your palm and palm thickness/width
4. DNA - analysis of a genetic sequence
5. Blood - blood type
6. Facial measurements - including ear geometry, nose, head size and shape, eye distance, hair color, etc.
7. Iris and retinas - color and eye shape
8. Veins - vein patterns in eyes and hands
9. Heart beats and EKG
Behavioral - patterns identified in human behavior
1. Typing rhythm and keystroke dynamics
2. Walking gait
3. Voice and speech inflections
4. Gestures
5. Web navigation - scrolling and swiping
6. Written text recognition like a signature or font
7. Geo-location and IP Addresses
8. Purchasing habits
9. Device use
10. Browser history and cookies
How do biometrics work? What are biometrics used for?
Let's go back to the intro, where we broke down "biometrics" into two words: biology and metrics. Metrics often involve the comparison of data sets to find patterns and look at trends. Biometrics do the same, by comparing a biological data set of "something a person has" with "something they are" - a phrase often used by identity experts discussing the "lock and key" and token approach to identification and authentication of users in modern password systems.
How biometrics work in tech - whether physiological or behavioral, here's how a basic system works:
1. Biometric software like "face recognition" captures the biological input that a user provides (in this case, a face)
2. The software measures the capture to create a baseline data point template or the "lock" that will be the determining data point for future uses
3. The biometric characteristics that are measured and captured are converted and stored as data in internal hardware on the device used, or on a cloud platform during the enrollment phase
4. From there, biometric sensors compare any new inputs as a potential "key" to the previously derived string of data in the "lock." Only matching biometrics, whether physiological or behavioral characteristics, will confirm a person's identity and unlock the service or account
Important things to note:
The biometric template, or the "lock" as we're calling it here, isn't the whole image but rather a code that's generated describing the biometric features of the "lock" image within the context of the specific biometric technology. If a person were to look at the data stored in the template "lock" after someone scanned their finger on their phone, it would show a sequence of code instead of a zoomed-in picture of the finger's prints.
After enrollment and storage, any time a biometric input is scanned into a system as a "key" to unlock access, the biometric is compared to and measured by the data that's described in the template "lock." If the biometric key matches, the door is unlocked. If the biometric key doesn't fit, the user is denied.
One of the main advantages of biometric authentication is that the "locks" or templates aren't whole images of the entire biometric data a user provides. For example, if a hacker was able to break into a database of biometric "locks," they wouldn't suddenly have access to sensitive images of people's biometrics, nor have the ability to suddenly unlock all of their services that use biometrics with their "key" since they don't physically contain the biometric characteristics or traits.
A large part of why biometrics allow a high level of security is that current commercial technology prevents biometric characteristics from being re-engineered digitally for nefarious purposes. You have to have the real, physical fingerprint to be able to use and be approved by a fingerprint scanner. However, the speed of technological change means it's a matter of "when," not "if," technology is created to replicate biometric characteristics.
Most experts would agree that an ideal biometric system should require a live biometric to be presented every time for access. In addition, biometric identification solutions shouldn't be the only thing that a 'lock' asks for as the 'key'; a multi-factor authentication system that blends biometric characteristics like fingerprint readers in combo with voice recognition among other more traditional items like 2FA or passwords would provide optimal security.
Types of biometric technology and their uses
Today, there are a huge number of applications and services that utilize biometric technology. Here are some common ones that people interact with daily for both physiological and behavioral biometrics:
1. Personal hardware - phones, laptops, PCs, tablets.
2. Financial transactions - payments like wire transfers often ask for verification of a person's identity before processing
3. Healthcare - Biometrics can help doctors' offices, hospitals, and clinicians keep better records of patients, or prevent violations by preventing the disclosure of medical records to non-approved parties
4. Law enforcement - Agents use biometrics daily to catch and track criminals. Fingerprints and DNA analysis anyone? Biometrics are also used by jails and prisons to manage inmates. For instance, agents will take pictures of an inmate's tattoos in order to track criminal organization affiliation and build a biometric characteristics profile
5. Airports - Many modern airports are beginning to use facial recognition biometrics. Travelers can enroll by having a photo of their eyes and face captured by a camera. When traveling, instead of waiting in long queues to be processed, passengers simply walk into an expedited queue, look into a camera that compares their face to their biometric database, and are approved
Now that you know more about what biometrics are, you can see that biometric authentication and verification are integral to the modern technology landscape and more widespread than many of their users fully understand.
While biometric data and authentication are being ramped up and adopted across all aspects of modern life, questions arise on the safety and privacy from the users/consumers who are supplying biometric inputs to businesses and governments, and the purposes for utilization. Why does a business need to know what browser I use? What happens if my biometric data is compromised? I can always change a password, but can I change my fingerprint?
In the next sections, we’ll cover both the advantages and disadvantages of biometric authentication.
Advantages of biometric authentication
Biometric authentication and its uses in modern-day tech and digital applications has a number of advantages:
- High security and assurance – Biometric identification provides the answers to “something a person has and is” and helps verify identity
- User Experience – Convenient and fast
- Non-transferable – Everyone has access to a unique set of biometrics
- Spoof-proof – Biometrics are hard to fake or steal
High security and assurance
Biometrics provide increased levels of assurance to providers that a person is real by verifying a tangible, real-world trait as both something the user has and something the user is. Most users’ passwords, PINs, and personal identifying information have likely been compromised in a data breach, meaning billions of accounts can be accessed by fraudsters who retain the answers to traditional authentication methods. Introducing biometric authentication into the process adds a roadblock for fraudsters that only a real, authorized user can circumnavigate: though a fraudster may know a person uses their dog’s name and some lucky numbers for most of their online accounts, they can’t use that person’s fingerprint to unlock an account if they can’t provide it on the spot. Additionally, biometric security can only be provided by living, breathing people; at this point in time, a robot would have a hard time passing an iris scan.
User experience is convenient and fast
While the internal process for biometric authentication is technical, from a user’s point of view it’s incredibly easy and quick. Placing a finger on a scanner and unlocking an account in seconds is faster than typing out a long password that has multiple special characters. In addition, forgetting a password is a common mistake of most users. The chances of you forgetting your own biometrics? Never!
Non-transferable
Biometric authentication requires that its input be present at the time of authorization. You can’t transfer or share a physical biometric digitally – the only way to utilize most biometric authentication systems is with a physical application.
Near spoof-proof
Biometrics like face patterns, fingerprints, iris scanning, and others are near-impossible to replicate with current technology. There's a one in 64 billion chance that your fingerprint will match up exactly with someone else's[1]. Said a different way, you have a better chance winning the lottery than having the same fingerprint as a hacker trying to get into your account that’s secured by biometrics.
Disadvantages of biometric authentication
Despite increased security, efficiency, and convenience, biometric authentication and its uses in modern-day tech and digital applications also has disadvantages:
- Costs – Significant investment needed in biometrics for security
- Data breaches – Biometric databases can still be hacked
- Tracking and data – Biometric devices like facial recognition systems can limit privacy for users
- Bias – Machine learning and algorithms must be very advanced to minimize biometric demographic bias
- False positives and inaccuracy – False rejects and false accepts can still occur preventing select users from accessing systems
Costs
It’s no surprise that a more advanced security system would require significant investments and costs to implement. In a 2018 survey by Spiceworks, 67 percent of IT professionals cite cost as “the biggest reason for not adopting biometric authentication.” Transitioning to biometric authentication wouldn’t be the only thing a company would have to pay for, with 47% of those surveyed stating a need to upgrade current systems in order to support a shift to biometric authentication on their devices[2].
Data breaches
Businesses and governments that collect and store users’ personal data are under constant threat from hackers. Because biometric data is irreplaceable, organizations need to treat sensitive biometric data with increased security and caution – something that’s expensive and technically difficult in order to stay ahead of fraud advancements. If a password or pin is compromised, there’s always the possibility of changing it. The same can’t be said for a person’s physiological or behavioral biometrics.
Tracking and data
As the world increases its use of biometric authentication systems like facial recognition technology and other biometric security measures, privacy of users needs to be taken into consideration. When biometrics are converted into data and stored, particularly in places or countries that have large surveillance measures, a user runs the risk of leaving a permanent digital record that can be potentially tracked by nefarious actors. In many instances, organizations and governments have used facial recognition software to track and identify people with scary accuracy that significantly inhibits privacy[3]. As surveillance increases, biometric data can become a permanent digital tag that can be used to track someone, both with and without their knowledge.
Bias
Minimizing demographic bias in biometrics while verifying applicants' identities during digital onboarding is a challenge for providers. Poor implementation of technology or deliberate misuse can result in discrimination and exclusion. Without a proven, document-centric identity proofing solution, cross-demographic performance can be unreliable and limit customer access to essentials like credit and the expanding range of digital services.
False positives and inaccuracy
Most common biometric authentication methods rely on partial information to authenticate a user’s identity. For example, a mobile biometric device will scan an entire fingerprint during the enrollment phase and convert it into data. However, future biometric authentication of the fingerprint will only use parts of the print to verify identity, so that it’s faster. In 2018, a research team from New York University created an Artificial Intelligence platform that was able to fraudulently crack fingerprint authentication at a success rate of 20% by matching similarities of partial prints to the full biometric data[4].
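The enrollment-and-match flow from "How do biometrics work?" and the partial-match weakness described above, combined in one added example (not code from this article or from any vendor). It assumes a template can be modelled as a constructed 256-bit pattern, sensor noise as random bit flips, and a 30% mismatch threshold; all names and values are illustrative.

```python
import random

BITS = 256        # template length in bits (constructed; real formats are vendor-specific)
THRESHOLD = 0.30  # accept when at most 30% of the compared bits differ (assumed value)

def new_person(rng):
    """A person's stable trait, modelled as a random bit pattern."""
    return [rng.getrandbits(1) for _ in range(BITS)]

def capture(trait, rng, noise=0.10):
    """Sensor reading: the trait with each bit flipped with probability `noise`."""
    return [b ^ (rng.random() < noise) for b in trait]

def enroll(trait, rng):
    """Enrollment: store a template (the "lock") derived from one capture."""
    return capture(trait, rng)

def verify(template, sample, compared_bits=BITS):
    """Match a new sample (the "key") against the template on the first
    `compared_bits` positions; a small value models a partial reading."""
    pairs = zip(template[:compared_bits], sample[:compared_bits])
    diff = sum(t != s for t, s in pairs)
    return diff / compared_bits <= THRESHOLD

def error_rates(compared_bits, trials=2000, seed=1):
    """Return (false_accept_rate, false_reject_rate) over simulated attempts."""
    rng = random.Random(seed)
    false_accepts = false_rejects = 0
    for _ in range(trials):
        owner, other = new_person(rng), new_person(rng)
        template = enroll(owner, rng)
        # Genuine attempt: the enrolled person presents a fresh capture.
        if not verify(template, capture(owner, rng), compared_bits):
            false_rejects += 1
        # Non-matching attempt: an unrelated person's capture is presented.
        if verify(template, capture(other, rng), compared_bits):
            false_accepts += 1
    return false_accepts / trials, false_rejects / trials

if __name__ == "__main__":
    for n in (BITS, 8):
        far, frr = error_rates(n)
        print(f"compared bits={n:3d}  false accepts={far:.3f}  false rejects={frr:.3f}")
```

With all 256 bits compared, both error rates sit near zero; with only 8 bits compared, the same threshold lets a noticeable share of unrelated samples through, so the size of the compared region has to be chosen together with the threshold.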
Sources
[1] How Fingerprinting Works: https://science.howstuffworks.com/fingerprinting1.htm
[2] More Organizations Are Adopting Biometrics for Security—But Barriers Still Remain: https://businessinsights.bitdefender.com/more-organizations-are-adopting-biometrics-for-security-but-barriers-still-remain
[3] The Secretive Company That Might End Privacy as We Know It: www.nytimes.com › technology › clearview-privacy-facial-recognition
[4] Machine Learning Masters the Fingerprint to Fool Biometric Systems: https://engineering.nyu.edu/news/machine-learning-masters-fingerprint-fool-biometric-systems
About Chris Briggs - CPO at Mitek
Christopher Briggs is Chief Product Officer at Mitek