Newsletter

Biometric-based Authentication

In the last two months, we covered password-based authentication and token-based authentication. When properly implemented and used, both methods can provide secure user authentication. Still, passwords and tokens each have their shortcomings:

  • Complex—and therefore secure—passwords are hard to remember.
  • A token can be lost.
  • Either can be stolen.

Meanwhile, biometric authentication uses personal data that only we possess. In theory, this data cannot be lost, stolen, or spoofed.

As its name implies, biometric authentication relies on a user’s unique physical characteristics. Specifically, a “biometric” is a measurable anatomical, physiological, or behavioral characteristic used for automated recognition. Biometrics are classified as static (something the individual is) or dynamic (something the individual does). Examples of static biometrics are fingerprints, hand geometry, facial features, retinas, and irises. Barring severe injury, these characteristics are unlikely to vary between measurements, so we can think of them as fixed. Handwritten signatures and voiceprints vary from sample to sample, which is why they are called dynamic biometrics. Compared to passwords and tokens, biometric authentication is far more complex and expensive to implement. Still, biometric technology has matured enough in the past decade for most smartphones and personal computers to adopt it.

See Biometric Authentication in Today’s Devices

Use Face ID on your iPhone or iPad Pro – Apple Support

Use the fingerprint sensor on your Galaxy phone or tablet (samsung.com)

Fingerprint security – moto e (custhelp.com)

Unlock your Pixel phone with your fingerprint – Pixel Phone Help (google.com)

Learn about Windows Hello and set it up (microsoft.com)

Use Touch ID on Mac – Apple Support (MT)

Although the implementations above have existed for only a few decades, they are based on old ideas. In the mid-1800s, the rapid urbanization of the industrial revolution increased the need for formal methods of identifying people. In 1892, Sir Francis Galton developed the first fingerprint classification system, and the FBI sought to automate fingerprint recognition in 1969 (Biometrics 2021). Today, biometrics are used in law enforcement, commercial applications, migration control, civil identification, healthcare, and more.

How it works

Any biometric scheme must map a physical characteristic into a digital representation. A computer stores this digital representation as a profile. Due to the complexity of our physical characteristics, many systems do not demand an exact match between the stored representation and the input during an authentication attempt. Instead, the system scores the similarity between the two, and if the score is close enough, access is granted. A lot of mathematics goes into determining an acceptable threshold for “close enough.” For our purposes, it is enough to say that the designer aims to minimize false positives and false negatives (False Positives and False Negatives explained using “The Boy Who Cried Wolf”).
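To make the threshold trade-off concrete, the following is an added example, not part of the original newsletter. It sweeps a similarity threshold over two sets of scores and reports the false accept rate (false positives) and false reject rate (false negatives). The scores, the 0-to-1 scale, and the function names are constructed assumptions, not data from any real sensor.

```python
# Added illustration: choosing the "close enough" threshold for a score-based matcher.
# All scores are constructed sample data, not measurements from a real device.

# Similarity (0.0-1.0) between a stored profile and a freshly captured sample.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.93, 0.71, 0.89, 0.97, 0.82]   # same person
IMPOSTOR = [0.32, 0.45, 0.58, 0.27, 0.66, 0.41, 0.73, 0.38, 0.52, 0.49]  # someone else


def accept(score, threshold):
    """Grant access when the sample is similar enough to the stored profile."""
    return score >= threshold


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) at one threshold.

    FAR: fraction of impostor attempts accepted (false positives).
    FRR: fraction of genuine attempts rejected (false negatives).
    """
    false_accepts = sum(accept(s, threshold) for s in impostor)
    false_rejects = sum(not accept(s, threshold) for s in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def pick_threshold(genuine, impostor, max_far):
    """Return (threshold, FAR, FRR) for the lowest threshold with FAR <= max_far.

    FAR never rises as the threshold rises, so the first hit in an upward
    sweep is the lowest qualifying threshold, which keeps FRR as small as
    the security target allows.
    """
    for step in range(101):            # 0.00, 0.01, ..., 1.00
        threshold = step / 100
        far, frr = error_rates(genuine, impostor, threshold)
        if far <= max_far:
            return threshold, far, frr
    return None                        # no qualifying threshold in the sweep


if __name__ == "__main__":
    print("threshold   FAR   FRR")
    for t in (0.50, 0.67, 0.74, 0.80, 0.90):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"   {t:.2f}    {far:.1f}   {frr:.1f}")
    print("strict target (FAR = 0):   ", pick_threshold(GENUINE, IMPOSTOR, 0.0))
    print("looser target (FAR <= 0.1):", pick_threshold(GENUINE, IMPOSTOR, 0.1))
```

Raising the threshold shuts out more impostors but starts rejecting the legitimate user's weaker samples, which is the tension the designer has to balance.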

Despite its security improvements over passwords and tokens, biometric authentication alone still has its shortcomings:

Despite its flaws, biometric authentication can be very convenient and secure. As a testament to its security, most financial institutions trust its use in Apple Pay, Google Pay, and Samsung Pay. As with any authentication method, combining biometric authentication with another form of authentication always improves security.

Tips for Biometric Authentication

  • Keep the scanning surface dry. Any type of liquid or cleaning chemicals could damage the device.
  • Clean the scanning surface with office tape or a soft, dry cloth.
  • When using fingerprint detection, save an additional fingerprint for when your finger is cold.
  • For Face ID, make sure you turn on Require Attention for Face ID. This feature, which Apple recommends, verifies that you are looking at your iPhone before unlocking it.

Further reading

About Face ID advanced technology – Apple Support

About Touch ID advanced security technology – Apple Support

Measuring Biometric Unlock Security | Android Open Source Project

USENIX Security ’16 – Virtual U: Defeating Face Liveness Detection by Building Virtual Models… – YouTube

Reference

  • Biometrics. Biometrics | Homeland Security. (2021, December 14). Retrieved November 1, 2022, from https://www.dhs.gov/biometrics