Biometric authentication is a security process that compares a person's physical or behavioral characteristics against a stored biometric template in order to grant access to buildings, applications, systems, and more. With cybercrime, fraud, and identity theft on the rise, it's more important than ever for businesses to help customers and employees prove their identity, and biometric authentication has become one of the more reliable ways to do so.
Before we dive too deeply into how biometrics work, their security considerations, and who uses them, let’s get a few definitions out of the way:
Biometrics
The measurement and analysis of an individual’s physical and behavioral characteristics.
Biometric data
A collection of physical and behavioral characteristics (e.g., a fingerprint, voice, or keystrokes).
Biometric identification
The process of using biometric data to establish who a person is by searching their sample against a set of enrolled templates (a one-to-many match). This differs from biometric verification, which compares a sample against a single enrolled template to confirm a claimed identity (a one-to-one match); consumer device unlock is verification.
So how exactly do biometrics fit into authentication? In order to securely gain access to applications and services, users should be prompted to provide several pieces of evidence that help verify their identity. These authentication factors are commonly grouped into something you know (a password or PIN), something you have (a phone or hardware token), and something you are (a physical characteristic), with something you do (a behavioral characteristic) sometimes treated as a fourth category.
The last two of these are where biometric identifiers, both physical and behavioral, come into play.
A person can be identified by how they look and how they behave. Physical identifiers are inherently linked to an individual's body (e.g., a fingerprint, face, or iris pattern), while behavioral identifiers are patterns in what a user does (e.g., typing rhythm or the way they hold a device). Let's look at a few examples of each.
Think back to the last time you got a new device. It likely guided you through a setup process, asking you to select a time zone, input passwords, and scan your fingerprint or face. The scan you provided was converted into a biometric template and stored on the device, where it can later be compared in real time against a fresh scan to confirm your identity and grant access.
That’s just one example of biometric systems, which are made up of three components:
Biometric systems create a convenient way to access applications and devices, and are only becoming more sophisticated. Sensors in consumer technology, for example, can not only verify fingerprints, but also detect how quickly a person types, how much pressure they apply to buttons, and how a device is held in their hands. How biometric data is stored on devices is also improving: platform features like Apple's Touch ID and Microsoft's Windows Hello keep the biometric template on the local device, in hardware-isolated storage such as Apple's Secure Enclave, and never export it to the operating system or to a server.
However, much like one-time passwords, password managers, and other security methods, biometrics have their pros and cons—and users need to weigh each to determine whether they are a safe and reliable option.
Biometric data has to be stored somewhere, and any store of it could one day be breached. While a biometric is harder to guess, share, or phish than a password, a key concern is that as people become more familiar with biometric authentication, they also become more complacent, relying on that one measure instead of taking a multi-pronged approach.
The risk of poorly implemented biometric data storage is that, unlike passwords and PINs, this data cannot be changed: a leaked fingerprint template is compromised for life. Not only that, but physical identifiers can be spoofed by bad actors, for example by presenting a photograph to a camera or lifting a fingerprint from a glass. This is why well-designed systems keep templates on the device rather than on a server, and why sensors increasingly include presentation attack (liveness) detection to distinguish a live finger or face from a copy.
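The enrol-then-compare flow described above, and the design rule that the template stays on the device, can be shown end to end with a small simulation. The following is an added example written for this page; it is not Okta, Apple, or Microsoft code. It assumes a hypothetical sensor that produces a 256-bit feature code per person (constructed here from a hash of a label, with random bit flips standing in for scan-to-scan noise), a match rule based on the fraction of differing bits with an illustrative threshold of 0.30, and a device-bound secret that the "enclave" uses to answer a server challenge. The HMAC secret shared with the server is a standard-library stand-in for the private/public key pair that real platform authenticators use; what carries over is that the server only ever sees a challenge response, never the template, and that a captured response cannot be replayed.

```python
"""Constructed biometric enrol/verify simulation (added example, not vendor code)."""
import hashlib
import hmac
import os
import random


def capture(subject, noise=0.0, rng=None):
    """Hypothetical sensor read: a fixed 256-bit feature code per subject (SHA-256 of a
    constructed label), with each bit flipped with probability `noise` to model the
    variation between two scans of the same person."""
    rng = rng or random.Random(0)
    digest = hashlib.sha256(subject.encode()).digest()
    bits = [(byte >> i) & 1 for byte in digest for i in range(8)]
    return [b ^ 1 if rng.random() < noise else b for b in bits]


def hamming_fraction(a, b):
    """Fraction of differing bits: 0.0 is identical, about 0.5 is unrelated."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


class DeviceEnclave:
    """Stands in for the hardware-isolated store used by Touch ID / Windows Hello.
    The template never leaves this object; verify() returns only an assertion."""

    def __init__(self, threshold):
        self.threshold = threshold      # assumption: 0.30 is illustrative, not a vendor value
        self._template = None
        self._key = os.urandom(32)      # device-bound secret created at enrolment

    def enrol(self, sample):
        self._template = sample
        return self._key                # registered with the server once (HMAC stand-in for a public key)

    def verify(self, sample, challenge):
        if self._template is None or hamming_fraction(self._template, sample) > self.threshold:
            return None                 # local match failed: nothing is released
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Holds only the registered device secret and the challenges it has issued."""

    def __init__(self):
        self.registered = {}
        self.pending = set()

    def register(self, user, key):
        self.registered[user] = key

    def challenge(self):
        c = os.urandom(16)
        self.pending.add(c)
        return c

    def check(self, user, challenge, assertion):
        if challenge not in self.pending:
            return False                # unknown or already used: a replayed assertion fails here
        self.pending.discard(challenge) # single use
        if assertion is None or user not in self.registered:
            return False
        expected = hmac.new(self.registered[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def login(server, enclave, user, sample):
    """One authentication round trip: challenge, local match, assertion, server check."""
    c = server.challenge()
    return server.check(user, c, enclave.verify(sample, c))


def false_accept_rate(threshold, trials=200):
    """Share of unrelated subjects that a given threshold would accept (no scan noise)."""
    accepted = 0
    for i in range(trials):
        enclave = DeviceEnclave(threshold)
        enclave.enrol(capture(f"genuine-{i}"))
        if enclave.verify(capture(f"impostor-{i}"), b"challenge") is not None:
            accepted += 1
    return accepted / trials


def demo():
    rng = random.Random(42)
    enclave = DeviceEnclave(threshold=0.30)
    server = Server()
    server.register("alice", enclave.enrol(capture("alice")))
    genuine = capture("alice", noise=0.10, rng=rng)     # same finger, noisy rescan
    impostor = capture("mallory", noise=0.10, rng=rng)  # a different person
    c = server.challenge()
    assertion = enclave.verify(genuine, c)
    return {
        "genuine": login(server, enclave, "alice", genuine),
        "impostor": login(server, enclave, "alice", impostor),
        "first_use": server.check("alice", c, assertion),
        "replay": server.check("alice", c, assertion),
    }


if __name__ == "__main__":
    print(demo())
    print("FAR at 0.30:", false_accept_rate(0.30), "FAR at 0.45:", false_accept_rate(0.45))
```

The `false_accept_rate` helper makes the threshold trade-off concrete: at 0.30 no unrelated subject is accepted, while loosening it to 0.45 starts letting impostors through, and tightening it too far would instead reject genuine users whose rescan is noisier than usual. A real deployment replaces the HMAC secret with a key pair held in the enclave, so that a server breach exposes neither the template nor anything usable to impersonate the device.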
With all of this in mind, let’s take a closer look at the advantages and challenges that come with using biometrics.
Biometrics technology is used across a wide range of sectors all over the world to provide biometric verification for individuals.
Law enforcement agencies commonly use biometric identification to match captured fingerprints or facial images against databases of known individuals. For example, facial recognition is used for biometric security at borders and other public locations to identify offenders. That said, the use of biometrics by law enforcement is controversial, as we've seen with the ban in California.
Electronic passports are a common biometric authentication system that helps combat fraud: the embedded chip stores the holder's facial image and, in some countries, fingerprints. Airports use biometric scanners to match a traveler's face and fingerprints against the data on their passport.
Many countries use biometrics to confirm a person’s identity for healthcare and other government services. Insurance, for example, can be verified by hospitals, pharmacies, and clinics with biometric ID cards, which contain photographs, fingerprints, and other data.
In some countries, biometric data is linked to civil databases to help confirm identities and voter registration. India's Aadhaar project, for example, is the world's largest biometric identification system, used to verify over 99% of the nation's 1.2 billion people. Indian residents are issued a 12-digit number linked to their fingerprints, iris scans, and demographic data, which has helped make many services more accessible and cost-efficient.
Biometric systems can prevent unauthorized people from accessing facilities and computer networks. The latter is ideal for improving business security by removing reliance on passwords, codes, and access cards, which can easily be lost, stolen, or forged.
Commercial businesses—from online retailers and financial institutions to restaurants and sports organizations—have been experimenting with facial recognition software and other biometric systems to provide access to services and verify customer identities.
Whether you’re securing your workforce or customer experiences, implementing biometric technology is a large undertaking. That’s why, before introducing any type of biometric system, it’s important for businesses to consider:
Of course, it’s not just the initial setup that matters. In order to keep devices and applications—and the data held within them—secure against various threats, biometric software needs to be kept up to date. Enabling automatic updates and ensuring new patches are installed can help keep things running smoothly.
Another best practice is to require users to verify their identity with multiple factors, such as a password or a registered device in addition to a biometric, and to use contextual signals like IP address and location to decide when stronger verification is needed. Multi-factor authentication (MFA) is one of the best ways to ensure that only the right people gain the right access at the right time, and it limits the damage if any single factor, including a biometric, is compromised.
Swaroop Sham is a Senior Product Marketing Manager for Security at Okta. His main focus areas include Multi-factor Authentication, Adaptive Authentication, and Security Integrations. He recently joined Okta, bringing with him over 10 years of experience in cybersecurity. He previously worked at Sift Science, Proofpoint, FireEye and F5 Networks. Swaroop has a Master's and Bachelor's degree in Computer Science.