In the last two months, we covered password-based authentication and token-based authentication. When properly implemented and used, both methods can provide secure user authentication. Still, passwords and tokens each have their shortcomings:
- Complex—and therefore secure—passwords are hard to remember.
- A token can be lost.
- Either can be stolen.
Meanwhile, biometric authentication uses personal data that only we possess. In theory, this data cannot be lost, stolen, or spoofed.
As its name implies, biometric authentication relies on a user’s unique physical characteristics. Specifically, a “biometric” is a measurable anatomical, physiological, or behavioral characteristic used for automated recognition. Biometrics are classified as static (something the individual is) or dynamic (something the individual does). Examples of static biometrics are fingerprints, hand geometry, facial features, retinas, and irises. Barring severe injury, these characteristics are unlikely to vary between measurements, so we can think of them as fixed. Handwritten signatures and voiceprints vary from sample to sample, which is why they are called dynamic biometrics. Compared to passwords and tokens, biometric authentication is far more complex and expensive to implement. Still, biometric technology has matured enough in the past decade for most smartphones and personal computers to adopt it.
See Biometric Authentication in Today’s Devices
- Use Face ID on your iPhone or iPad Pro – Apple Support
- Use the fingerprint sensor on your Galaxy phone or tablet (samsung.com)
- Fingerprint security – moto e (custhelp.com)
- Unlock your Pixel phone with your fingerprint – Pixel Phone Help (google.com)
- Learn about Windows Hello and set it up (microsoft.com)
- Use Touch ID on Mac – Apple Support
Although the implementations above have existed for only a few decades, they are based on old ideas. In the mid-1800s, the rapid urbanization of the industrial revolution increased the need for formal methods of identifying people. In 1892, Sir Francis Galton developed the first fingerprint classification system, and the FBI sought to automate fingerprint recognition in 1969 (Biometrics 2021). Today, biometrics are used in law enforcement, commercial applications, migration control, civil identification, healthcare, and more.
How it works
Any biometric scheme must map a physical characteristic into a digital representation. A computer stores this digital representation as a profile. Due to the complexity of our physical characteristics, many systems do not demand an exact match between the stored representation and the input during an authentication attempt. Instead, the system scores the similarity between the two, and if the score is close enough, access is granted. A lot of mathematics goes into determining an acceptable threshold for “close enough.” For our purposes, it is enough to say that the designer aims to minimize false positives and false negatives (False Positives and False Negatives explained using “The Boy Who Cried Wolf”).
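The scoring-against-a-threshold idea above, as an added example that is not code from the original article: a toy matcher scores a fresh sample against an enrolled profile, then picks the “close enough” threshold by measuring how many impostors it would wrongly accept and how many genuine users it would wrongly reject. The 16-bit templates are constructed stand-ins for real feature vectors, and the function names are my own.

```python
# Added example, not code from the original article: a toy biometric matcher
# that scores a fresh sample against an enrolled profile and picks the "close
# enough" threshold from the false-accept / false-reject trade-off.
from typing import List, Optional, Tuple

def similarity(template: str, sample: str) -> float:
    """Fraction of positions where two bit-strings agree (1.0 = identical)."""
    if len(template) != len(sample):
        raise ValueError("template and sample must have the same length")
    return sum(1 for a, b in zip(template, sample) if a == b) / len(template)

def verify(template: str, sample: str, threshold: float) -> bool:
    """Grant access only when the similarity score reaches the threshold."""
    return similarity(template, sample) >= threshold

def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """(FAR, FRR): share of impostors wrongly accepted, of genuine users wrongly rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr

def choose_threshold(genuine: List[float], impostor: List[float],
                     max_far: float) -> Optional[Tuple[float, float, float]]:
    """Lowest threshold (fewest false rejects) whose FAR fits the budget: raising
    the threshold only lowers FAR and raises FRR, so the first fit is the best."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None  # no threshold keeps FAR within budget

# Constructed 16-bit "templates" standing in for real feature vectors: repeat
# scans of the enrolled user differ in 0-2 bits, other people's in 3-9 bits.
ENROLLED = "1011001110100110"
GENUINE_SCANS = ["1011001110100110", "1011001110100111",
                 "1001001110100110", "1011011110110110"]
IMPOSTOR_SCANS = ["0110101010001100", "1100101010011010",
                  "1011101001101011", "1011001010101010"]

def run_demo() -> dict:
    genuine = [similarity(ENROLLED, s) for s in GENUINE_SCANS]
    impostor = [similarity(ENROLLED, s) for s in IMPOSTOR_SCANS]
    threshold, far, frr = choose_threshold(genuine, impostor, max_far=0.0)
    # A noisier scan of the enrolled user (3 flipped bits, e.g. a cold finger)
    # lands below the threshold and is rejected: a false negative.
    cold_finger = "1011001110100001"
    return {"threshold": threshold, "far": far, "frr": frr,
            "cold_finger_accepted": verify(ENROLLED, cold_finger, threshold),
            "far_at_0_8": error_rates(genuine, impostor, 0.8)[0]}
```

With a zero false-accept budget the matcher settles on a threshold of 0.875, which is why the slightly noisier genuine scan is turned away; loosening the threshold to 0.8 admits it but also lets one of the four impostor scans through.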
Despite security improvements from passwords and tokens, biometric authentication alone still has its shortcomings:
- False positives and negatives are still possible in any biometric scheme. Sometimes, my smartphone’s fingerprint scanner does not recognize my fingerprint. As for false positives, Apple’s Face ID, while extremely secure, is still vulnerable to false positives if you have a twin or are a child under the age of 13.
- Coercion—courts in the US have been asking, and trying to answer, whether giving up your biometric data is the same as testifying against yourself. As of the writing of this article, there is no consensus. Biometric authentication could be coercive in other countries, so protect yourself and WashU by not taking any sensitive or private information while traveling internationally. Visit our travel page for more information: Travel | Office of Information Security | Washington University in St. Louis (wustl.edu)
- Trickery—a thief may try to trick you into giving up your biometric data to unlock your phone. In defense, you can temporarily disable your smartphone’s biometric authentication. Here are guides on how to do so on popular smartphones:
- Cost—the technology and maintenance costs for biometric authentication are much higher than they are for password-based authentication.
Despite its flaws, biometric authentication can be very convenient and secure. As a testament to its security, most financial institutions trust its use in Apple Pay, Google Pay, and Samsung Pay. As with any authentication method, combining biometric authentication with another form of authentication always improves security.
Tips for Biometric Authentication
- Keep the scanning surface dry. Any type of liquid or cleaning chemicals could damage the device.
- Clean the scanning surface with office tape or a soft, dry cloth.
- When using fingerprint detection, save an additional fingerprint for when your finger is cold.
- For Face ID, make sure you turn on Require Attention for Face ID. This feature verifies that you are looking at your iPhone before unlocking it, and Apple recommends enabling it.
- About Face ID advanced technology – Apple Support
- About Touch ID advanced security technology – Apple Support
- Measuring Biometric Unlock Security | Android Open Source Project
- USENIX Security ’16 – Virtual U: Defeating Face Liveness Detection by Building Virtual Models… – YouTube
- Biometrics. Biometrics | Homeland Security. (2021, December 14). Retrieved November 1, 2022, from https://www.dhs.gov/biometrics