What are the pros and cons of biometrics in today's digital age?
In 2020, biometric authentication and verification are integral to the modern technology landscape and are more widespread than many of their users fully realize. As we discuss in our blog post “Biometrics – A complete guide,” most people use biometric verification in their everyday lives in some capacity: at the airport to get whisked through long security lines, at their doctor’s office to ensure confidentiality of medical records, or simply when unlocking their phones to respond to a notification.
Most common biometric devices and their verification applications today require physiological biometrics, like face recognition and thumbprints, to unlock their services… but they’re not the only key. There’s a wide range of other biometric uses that are ‘physical’ (like iris or palm shape) as well as a growing acceptance of behavioral biometrics. For example, the way that you navigated to this page on the internet, how you click on it, whether it’s on a smartphone or laptop, and even the web browser you use are increasingly being used by businesses and governments alike to create a biometric profile of users for identification and tracking purposes.
While biometric data and authentication are being ramped up and adopted across all aspects of modern life, the users and consumers who supply biometric inputs to businesses and governments are raising questions about safety, privacy, and the purposes the data is used for. Why does a business need to know what browser I use? What happens if my biometric data is compromised? I can always change a password, but can I change my fingerprint?
In the next sections, we’ll cover both the advantages and disadvantages of biometric authentication.
Biometric authentication refresher
Biometrics are the measurement and analysis of an individual’s physiological or behavioral traits (Biology + Metrics = Biometrics).
Experts break down multi-factor authentication of a person’s identity into three categories: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is). Biometrics fall into the possession and inherence categories: when a device or service uses biometrics for identity verification, the purpose is to verify that a user is who they say they are by comparing their biometric input with the biometric data that’s been previously stored – something a user is and has.
There are two main categories of inputs for biometrics: physiological and behavioral. The main physiological biometrics used in today’s tech include a person’s fingerprints, hand geometry, face shape, or eye pattern. The main behavioral biometrics include a person’s web behavior and internet cookies, IP addresses, voice recognition, or how someone is likely to act, both online and in the real world. Physiological and behavioral traits are captured as inputs, converted into data, and stored, both to unlock services in future uses and to create unique user profiles.
Biometric data is stored and processed with database servers, encrypted tokens, or physical tokens. More secure devices will use on-device (or on-premises) storage of biometric templates, which ensures identity authentication occurs without any sensitive biometric information being sent over the internet to a different server or location.
Advantages of biometric authentication
Biometric authentication and its uses in modern-day tech and digital applications have a number of advantages:
- High security and assurance – Biometric identification provides the answers to “something a person has and is” and helps verify identity
- User Experience – Convenient and fast
- Non-transferrable – Everyone has access to a unique set of biometrics
- Spoof-proof – Biometrics are hard to fake or steal
High security and assurance
Biometrics provide increased levels of assurance to providers that a person is real by verifying a tangible, real-world trait as both something the user has and something the user is. Most users’ passwords, PINs, and personal identifying information have likely been compromised in a data breach, meaning billions of accounts can be accessed by fraudsters who hold the answers to traditional authentication methods. Introducing biometric authentication into the process adds a roadblock for fraudsters that only a real, authorized user can get past: though a fraudster may know a person uses their dog’s name and some lucky numbers for most of their online accounts, they can’t use that person’s fingerprint to unlock an account if they can’t provide it on the spot. Additionally, biometrics can only be provided by living, breathing people; at this point in time, a robot would have a hard time passing an iris scan.
User experience is convenient and fast
While the internal processes for biometric authentication are technical, from a user’s point of view it’s incredibly easy and quick. Placing a finger on a scanner and unlocking an account in seconds is faster than typing out a long password that has multiple special characters. In addition, forgetting a password is a common mistake for most users. The chances of you forgetting your own biometrics? Never!
Non-transferrable
Biometric authentication requires that its input be present at the time of authorization. You can’t transfer or share a physical biometric digitally – the only way to use most biometric authentication systems is with a physical application.
Spoof-proof
Biometrics like face patterns, fingerprints, iris scanning, and others are near-impossible to replicate with current technology. There's a one in 64 billion chance that your fingerprint will match up exactly with someone else's. Said a different way, you have a better chance of winning the lottery than of having the same fingerprint as a hacker trying to get into your account that’s secured by biometrics.
Disadvantages of biometric authentication
Despite increased security, efficiency, and convenience, biometric authentication and its uses in modern-day tech and digital applications also have disadvantages:
- Costs – Significant investment needed in biometrics for security
- Data breaches – Biometric databases can still be hacked
- Tracking and data – Biometric devices like facial recognition systems can limit privacy for users
- Bias – Machine learning and algorithms must be very advanced to minimize biometric demographic bias
- False positives and inaccuracy – False rejects and false accepts can still occur, preventing select users from accessing systems
Costs
It’s no surprise that a more advanced security system would require significant investments and costs to implement. In a 2018 survey by Spiceworks, 67 percent of IT professionals cite cost as “the biggest reason for not adopting biometric authentication.” Transitioning to biometric authentication wouldn’t be the only thing a company would have to pay for, with 47% of those surveyed stating a need to upgrade current systems in order to support a shift to biometric authentication on their devices.
Data breaches
Businesses and governments that collect and store users’ personal data are under constant threat from hackers. Because biometric data is irreplaceable, organizations need to treat sensitive biometric data with increased security and caution – something that’s expensive and technically difficult in order to stay ahead of fraud advancements. If a password or PIN is compromised, there’s always the possibility of changing it. The same can’t be said for a person’s physiological or behavioral biometrics.
Tracking and data
As the world increases its use of biometric authentication systems like facial recognition technology and other biometric security measures, privacy of users needs to be taken into consideration. When biometrics are converted into data and stored, particularly in places or countries that have large surveillance measures, a user runs the risk of leaving a permanent digital record that can be potentially tracked by nefarious actors. In many instances, organizations and governments have used facial recognition software to track and identify people with scary accuracy that significantly inhibits privacy. As surveillance increases, biometric data can become a permanent digital tag that can be used to track someone, both with and without their knowledge.
Bias
Minimizing demographic bias in biometrics while verifying applicants' identities during digital onboarding is a challenge for providers. Poor implementation of technology or deliberate misuse can result in discrimination and exclusion. Without a proven, document-centric identity proofing solution, cross-demographic performance can be unreliable and limit customer access to essentials like credit and the expanding range of digital services.
False positives and inaccuracy
Most common biometric authentication methods rely on partial information to authenticate a user’s identity. For example, a mobile biometric device will scan an entire fingerprint during the enrollment phase and convert it into data. However, future biometric authentication of the fingerprint will only use parts of the print to verify identity, so that it’s faster. In 2018, a research team from New York University created an Artificial Intelligence platform that was able to fraudulently crack fingerprint authentication at a success rate of 20% by matching similarities of partial prints to the full biometric data.
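To show why matching on partial prints raises the false-accept risk described above, here is an added example (not from the original article) that computes the system-level false accept rate when any one of several stored partial templates may match, and sizes the attempt limit needed to stay under a target rate. The per-comparison false match rate, template counts and targets are constructed values, and comparisons are assumed independent.

```python
import math
import random

def effective_far(fmr, partial_templates, attempts=1):
    """Chance an impostor is accepted at least once when each attempt is
    compared against every stored partial template and any match unlocks.
    Assumes independent comparisons (a simplification)."""
    return 1.0 - (1.0 - fmr) ** (partial_templates * attempts)

def max_attempts(fmr, partial_templates, target_far):
    """Largest lockout threshold that keeps the overall false accept
    rate at or below target_far; 0 means even one attempt exceeds it."""
    if not (0.0 < fmr < 1.0 and 0.0 < target_far < 1.0):
        raise ValueError("rates must be strictly between 0 and 1")
    allowed = math.log(1.0 - target_far) / math.log(1.0 - fmr)
    return int(allowed // partial_templates)

def simulate(fmr, partial_templates, attempts, trials=50_000, seed=1):
    """Seeded Monte Carlo cross-check of effective_far()."""
    rng = random.Random(seed)
    draws = partial_templates * attempts
    hits = sum(any(rng.random() < fmr for _ in range(draws))
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    FMR = 0.001        # constructed per-comparison false match rate
    for k in (1, 12):  # 1 = full-print template, 12 = partial templates
        print(f"templates={k:2d}  FAR over 5 attempts="
              f"{effective_far(FMR, k, 5):.4f}  "
              f"attempts allowed for 5% FAR={max_attempts(FMR, k, 0.05)}")
    print("simulated:", simulate(FMR, 12, 5))
```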
- How Fingerprinting Works: https://science.howstuffworks.com/fingerprinting1.htm
- More Organizations Are Adopting Biometrics for Security—But Barriers Still Remain: https://businessinsights.bitdefender.com/more-organizations-are-adopting-biometrics-for-security-but-barriers-still-remain
- The Secretive Company That Might End Privacy as We Know It: www.nytimes.com › technology › clearview-privacy-facial-recognition
- Machine Learning Masters the Fingerprint to Fool Biometric Systems: https://engineering.nyu.edu/news/machine-learning-masters-fingerprint-fool-biometric-systems