What Is Biometric Authentication?

Biometric authentication is a security process that compares a person’s characteristics to a stored set of biometric data in order to grant access to buildings, applications, systems, and more. With cybercrime, fraud, and identity theft on the rise, it’s more important than ever for businesses to help customers and employees verify their identity, and biometric authentication has become one of the most trustworthy methods.

Before we dive too deeply into how biometrics work, their security considerations, and who uses them, let’s get a few definitions out of the way:

Biometrics

The measurement and analysis of an individual’s physical and behavioral characteristics.

Biometric data

A collection of physical and behavioral characteristics (e.g., a fingerprint, voice, or keystrokes).

Biometric identification

The process of using biometric data to confirm a person’s identity.

So how exactly do biometrics fit into authentication? In order to securely gain access to applications and services, users should be prompted to provide several pieces of information that help verify their identity. These factors can be broken down into three main categories:

Something you know: Information such as a password, PIN, or an answer to a security question.
Something you have: Possessions such as a driver’s license, credit card, or phone number.
Something you are: Unique identifiers such as fingerprints and DNA.
Something you do: Behaviors such as typing cadence or screen angle.

The third and fourth categories are where biometric identifiers—both physical and behavioral—come into play.

Types of biometric identifiers

A person can be identified by how they look and behave. While physical identifiers are inherently linked to an individual (e.g., eye color), behavioral identifiers are contextual things that a user does (e.g., how they scan a web page with their eyes). Let’s look at a few examples of each.

Physical identifiers

Fingerprints: No two fingerprints are the same, and scanners have become commonplace on laptops and smartphones as an added biometric security measure.
Physiologicaltraits: While facial and iris/retina recognition software may conjure images of movie villains and secret lairs, any device that is fitted with a camera can be used to authenticate users.
Voice: A person’s individual tone and accent is another form of biometric data. Digital assistants and telephone service portals commonly use voice recognition to identify and authenticate users.
DNA: Like fingerprints, everyone’s DNA is different. It is widely used by law enforcement and healthcare providers to identify individuals.

Behavioral identifiers

Typingdynamics: Every person has a unique style of typing. Biometric authentication can be based on speed, the pressure applied to a keyboard, and other actions.
Navigationpatterns: Similarly, the way a person uses a mouse, trackpad, or touchscreen is unique and can be detected with the appropriate software.
Physicalmovements: How a person walks or carries themselves can be used to authenticate individuals who enter a building or highly secure room.
Onlineinteractions: Everyone interacts with technology in their own way. How apps are opened, where and when devices are used, and how people behave on a web page can distinguish users from one another and from bots.

How do biometrics work?

Think back to the last time you got a new device. It likely guided you through a setup process, asking you to select a time zone, input passwords, and scan your fingerprint or face. The biometric data you provided was then stored in your device, where it could later be accessed and compared in real time to confirm your identity and grant access.

That’s just one example of biometric systems, which are made up of three components:

Sensor: Records a user’s biometric data and reads it whenever the information needs to be recognized.
Computer: Stores the biometric information being used for comparison.
Software: Connects the computer hardware to the sensor.

Biometric systems create a convenient way to access applications and devices—and are only becoming more sophisticated. Sensors in consumer technology, for example, can not only verify biometric fingerprints, but also detect how quickly a person types, how much pressure they apply to buttons, and how a device is held in their hands. How biometric data is stored on devices is also improving, with modern sensors like TouchID and WindowsHello ensuring that user biometric templates can’t be removed from the local computer's secure computing enclave.

However, much like one-time passwords, password managers, and other security methods, biometrics have their pros and cons—and users need to weigh each to determine whether they are a safe and reliable option.

Are biometrics secure?

Biometric data has to be stored somewhere and any collection of data could one day get hacked. While it tends to be stronger and safer than passwords, a key concern is that as people become more familiar with biometric authentication, they also become more complacent—relying on just one security measure instead of taking a multi-pronged approach.

The risk of poorly implemented biometric data storage is that unlike passwords and PINs, this data cannot be changed. Not only that, but physical identities can also be duplicated by bad actors by taking a photo or copying fingerprints from a glass, for example.

With all of this in mind, let’s take a closer look at the advantages and challenges that come with using biometrics.

Advantages of biometrics

Ease of use: Biometric data can be confirmed quicker and easier than other authentication factors. A modern smartphone can recognize a fingerprint in less time than it takes for a user to answer a security question.
Uniquely secure: Compared to other authentication factors, it’s much more difficult for biometric data to be lost, stolen, duplicated, or hacked. Users don’t have to remember their biometric data like they have to remember passwords and PINs—which means fewer sticky notes on the computer.
Privacy protection: Like other forms of personal data, biometric information is protected by the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)—both of which require organizations to gain consent before processing data, and allow individuals to have their biometric data deleted, among other rights.

Challenges of biometrics

Accuracy: The main challenge with any biometric system is that it can’t be 100% accurate. When someone attempts to log in, biometric systems will assess whether a fingerprint or iris is similar enough to the one stored in a device—which means there’s a chance bad actors can get through. For example, a set of synthetic fingerprints is capable of tricking smartphone sensors.
Enrollment: If the user enrollment experience isn’t secured, then the process of mapping biometric data to a claimed identity can become a point of vulnerability.
Permanence: It’s easy to change a password when an account is compromised. But biometrics are for life—when this data is stolen, its effects are permanent. The U.S. Office of Personnel Management experienced this first hand when 5.6 million fingerprints were stolen in a 2015 cyber attack.
Cost: Biometric-based devices are inherently more expensive than their counterparts.
Softwarevulnerabilities: Researchers have discovered weaknesses in the biometric systems on Android devices, which can allow bad actors to remotely extract user fingerprints.

Which industries use biometrics?

Biometrics technology is used across a wide range of sectors all over the world to provide biometric verification for individuals.

Law enforcement

Law enforcement agencies commonly use biometric identification to match data to individuals. For example, facial recognition is used for biometric security at borders and other public locations to identify offenders. That said, the use of biometrics by law enforcement is controversial, as we’ve seen with the ban in California.

Customs and immigration

Electronic passports are a common biometric authentication system that helps combat fraud. Airports also use biometric scanners to match a traveler’s passport to their face and fingerprints.

Healthcare

Many countries use biometrics to confirm a person’s identity for healthcare and other government services. Insurance, for example, can be verified by hospitals, pharmacies, and clinics with biometric ID cards, which contain photographs, fingerprints, and other data.

Civil services

In some countries, biometric data is linked to civil databases to help confirm identities and voter registration. India’s Aadhaar project, for example, is the world’s largest biometric identification system—used to verify over 99% of the nation’s 1.2 billion people. All Indian residents are issued a 12-digit number (based on biometric data), which has helped make many services more accessible and cost-efficient.

Security

Biometric systems can prevent unauthorized people from accessing facilities and computer networks. The latter is ideal for improving business security by removing reliance on passwords, codes, and access cards, which can easily be lost, stolen, or forged.

Commercial goods

Commercial businesses—from online retailers and financial institutions to restaurants and sports organizations—have been experimenting with facial recognition software and other biometric systems to provide access to services and verify customer identities.

Should my company use biometrics?

Whether you’re securing your workforce or customer experiences, implementing biometric technology is a large undertaking. That’s why, before introducing any type of biometric system, it’s important for businesses to consider:

The hardware that will be required to secure and manage it
How biometric devices will be deployed across the organization or your customer touchpoints
How biometric scanners will integrate with existing systems
What tools employees and customers are comfortable using
How biometric data is protected by regulations like the GDPR and CCPA

Of course, it’s not just the initial setup that matters. In order to keep devices and applications—and the data held within them—secure against various threats, biometric software needs to be kept up to date. Enabling automatic updates and ensuring new patches are installed can help keep things running smoothly.

Another best practice is to require users to verify their identity with multiple factors—such as a password or IP address and location—not just biometrics. Multi-factor authentication (MFA) protects modern systems and applications from all angles, and is one of the best ways to ensure that only the right people gain the right access at the right time.

Want to know how Okta can help secure your business? Check out the following products and resources:

Customer identity solutions
Adaptive Multi-Factor Authentication
Okta + HYPR: Secure, Passwordless Authentication for Employees and Consumers (Datasheet)

Swaroop Sham

Senior Product Marketing Manager, Security

Swaroop Sham is a Senior Product Marketing Manager for Security at Okta. His main focus areas include Multi-factor Authentication, Adaptive Authentication, and Security Integrations. He recently joined Okta, bringing with him over 10 years of experience in cybersecurity. He previously worked at Sift Science, Proofpoint, FireEye and F5 Networks. Swaroop has a Master's and Bachelor's degree in Computer Science.