Biometric Authentication – An Essential Guide

Oct 6, 2020 | Essential Guides

What is Biometric Authentication?

Biometric authentication is a method of verifying a user’s identity using an inherence factor or something of ‘who they are’. Physical identifiers can be fingerprints, facial features, iris or retina patterns and voice. Behavioural identifiers can be gait analysis, handwriting analysis or typing patterns (how strongly a user depresses keys on their keyboard.)


What are the types?


A popular type of biometrics is the use of fingerprints. An obvious example of this is the Touch ID, a biometric access authentication used on the Apple Iphone from 2013 onwards before they moved over to Face ID in 2017.

These systems use a digital camera and light. Once a user places their finger on the flat surface, the software aligns the print against several pegs to ensure a correct reading. Next, it is converted into a mathematical file called a biometric template which is stored for later retrieval. When retrieved, it is compared against a fresh scan to either confirm or deny a match based on the same algorithmic pattern used to initially capture and convert the information.

Facial recognition

Facial recognition is when software is used that maps an individual’s facial features and then stores the data of these features. A facial recognition system will use biometrics to map the face and compare it with a database to find a match.

This technology analyses over 80 elements of the human face. In addition to Apple’s Face ID, Facebook uses DeepFace software, which can identify a specific person in any new photo uploaded onto the social network platform.

Facial recognition and fingerprint data are being used at airports and border control in the form of electronic passports. In addition to being able to verify authentication, using biometric scanners in airports and at border control speeds up the process. Disney Theme parks also now uses fingerprint scanning as a quick way of authenticating entry.

Iris recognition
Iris scanning uses a digital camera, visible light, and near-infrared light. When the eye is between 3-10 inches from the camera, the computer works to identify the size, shape and details of the eye. There are over 200 points of reference, as opposed to 60-70 in fingerprints. The pattern of the iris is then translated into a line of code.

Vein recognition

Like your iris or fingerprints, your veins are unique. So much so that not even twins have identical veins. Their shape also changes very little as we age.

To use a vein recognition system. You would place your finger, wrist, or the palm or the back of your hand on a scanner. A digital camera will then take a picture using near-infrared light. The haemoglobin we have in our veins will appear black in the photo and the software will create a template based on the shape and location of the structure of your veins.

Retina scanning

Retina scanning is different from iris scanning, as this biometric technology used an image of your retinal blood vessel pattern as an identifying trait. Retina scans are also about 70 times more accurate than iris scans and 20,000 times more accurate than fingerprint scanning.

One downside: retina scans require a person to focus on a single point for 15 seconds, without moving their eyes.

Voice recognition

Voice recognition, otherwise known as voiceprints, is unique in the sense that your vocal cavities create a specific shape when your mouth moves to speak. For this to work, you would need to say an exact word or phrase that the system requires, or give an extended sample of your speech so that it can recognize you no matter what you’re saying.

The data used in a voiceprint is called a sound spectrogram, which is essentially a graph that shows sound frequency. Different speech sounds will create different shapes on the graph.

DNA scanning
DNA scanning is the identification of someone using the analysis of specific segments from their DNA. This can be anything from a hair follicle to a drop of blood. DNA scanning is an up-and-coming type of biometrics and is used primarily in law enforcement to identify suspects.

When analysing handwriting, biometric systems don’t examine the shape of each letter, but rather the act of writing. Things like the pressure used, the speed, and the rhythm of how someone writes. Also recorded is the sequence in which letters are formed – like whether the i’s are dotted and t’s crossed as they’re written, or after the word is finished.


Some Pros and Cons of Biometric Authentication

Accurate and convenient

The data biometric authentication uses has such fine variations from one person to the next, that they’re almost impossible to replicate without advanced tools.

Biometric authentication lets users access their resources instantaneously. All they need to do is present their biometric factor (face, fingerprint, voice, etc.), and assuming it matches the data stored in their authenticator, they will be granted access. This eliminates the need for passkeys, cards, and other traditional forms of 2FA.

As an organization grows, their security needs to grow with them. Most biometric 2FA solutions easily accept new user data when new people join the company.

Typically, biometric authentication involves very expensive and sophisticated technology. Hardware such as finger print and retina scanners are still not a cheap option. However, the biggest growth area is the deployment of systems that make use of a smartphone as a portable biometric sensor. Taking advantage of sensors in mobile devices – the camera, for face or iris recognition, the microphone for voice recognition, and the keyboard for typing rhythm, means it may not always be necessary to purchase any special biometric hardware. Users are likely to have their phone with them any time they need to log on to a system, and the phone’s cellular or Wi-Fi connectivity can be used to transmit biometric information to a back-end authentication system.

Since biometrics rely entirely on identifying a unique part of our body, even a slight change can disrupt it from workings. If someone injures their eye or goes blind, the information protected by the retina scan is now inaccessible. If someone burns or damages their fingers, regardless of whether it’s a temporary or permanent impairment, that can cause issues with the new print being accepted (or being a match for the existing print.)

Bias and inaccuracy
Not all facial recognition models are created equal, and even the best of them aren’t perfect. Even Apple’s Face ID, which builds a 3D depth map of your entire face using a 30,000 point dot matrix let the side down when it failed to tell apart a Chinese woman from her colleague, and subsequently a Chinese boy from his mother.

False positives
The main drawback of any biometric system is that it can never be 100 percent accurate.

In 2018, a team from New York University trained an AI neural network to fraudulently crack fingerprint authentication at a success rate of 20%. They relied on the fact that most fingerprint scanners only scan a portion of the finger. Common elements can be used to fool them into mistaken authentication in a manner similar to a dictionary attack.

As the technology advances, so does the skill and ingenuity of the hackers. For example, cryptographers at the GeekPwn 2019 conference in Shanghai demonstrated how to create and use a photograph of a user’s fingerprint to unlock their smartphone in no more than 20 minutes. Today, the very latest biometric technology deploys a range of anti- spoofing measures, some voice recognition systems require users to authenticate by asking them to speak a series of random words, preventing them from using a previously recorded voice sample. Similarly, face recognition systems may attempt to detect blinking to ascertain that the image in front of the camera is not a photograph. Sophisticated fingerprint readers also measure heat or electrical conductivity to establish that the finger is “alive.” and to counter false authentication, such as unlocking Face ID when the user is asleep, Apple also uses ‘liveness’ detection.

Vulnerability to data breaches
There are several ways in which biometric data may be stored and processed. Typically, smartphones use on-device storage of biometric templates, which ensures authentication occurs without any data being sent to a server. The biometric data remains secure as long as the device itself is not compromised, biometric information stored on portable tokens such as a USB drive or security card are also at low risk of data breach.

Local device storage is not always feasible, however, and many organisations use database servers, which can house sometimes hundreds of thousands of biometric templates. They allow companies to grant user-specific access and in multiple locations. but these servers come with a higher security risk from hackers.

Distributed data storage is a method that stores biometrics on both a local device and a server, both of which must be accessed concurrently for authentication. Because of the split nature of this biometric storage method, it is nearly impossible to hack and therefore highly secure.

Inability to reset if breached
Because biometric data is irreplaceable, corporations need to treat it with the utmost caution. If one’s password or PIN were to be compromised, there is always the possibility of resetting it. But the same cannot be said for one’s face, fingerprints, or irises.

Some biometric systems may deal with this challenge by uniquely distorting or transforming the biometric template when it is stored, and transforming or distorting the biometric in the same way during the match process.

Privacy and Tracking
Biometric authentication is still in its early stages, yet it already poses serious questions about privacy. When biometrics are stored on servers, particularly in areas of the world where surveillance is common and human rights questionable, one risks leaving a permanent digital record for potential tracking by government authorities. For instance, during the recent Hong Kong protests, it is known that the government used facial recognition to track protesters.

It’s certainly worth considering, as CCTV use and prevalence increases, could one’s biometric data be used as a permanent digital tag to identify and track us for the rest of our lives?