What Is Biometric Security?
Data breaches happen every day.
According to Verizon’s 2019 Data Breach Investigations Report (DBIR), 80% of breaches occur because of compromised or weak passwords.
If you’re a regular reader of Clario’s digital wellbeing blog, you’ll know why strong passwords are important and what a strong password looks like.
Even so, do you still find yourself torn between prioritizing password strength and the ability to remember it?
If you’re sheepishly nodding yes right now, you’re not alone. And that’s why, according to a WP Engine study of 10 million people, the top 5 most used passwords look like this:
From a security perspective, this is terrifying.
But imagine you could create a unique password you didn’t have to remember, one you had on you at all times and that could never be stolen.
Many believe biometric security can provide all of this to make our accounts more secure than ever before.
Biometric security is a system capable of verifying an individual’s identity using their unique physical or behavioral characteristics.
What are biometrics?
Biometrics refers to metrics or measurements related to human features or characteristics. They can be broken down into two types:
- Physiological measurements: Fingerprints, hand shape, vein pattern, iris or retina shape or face shape.
- Behavioral measurements: Voice, handwriting or signature dynamics, keystroke dynamics, gait or gestures.
Biometrics can be used to answer two slightly different questions about a person:
- Who are you? (biometric identification)
- Are you who you say you are? (biometric authentication)
Can you see the difference? Here’s a deeper explanation.
Biometric identification compares a person’s biometrics with those in a database to find a match and positively identify an individual.
A good example of this is how law enforcement keeps DNA in a database, then compares it to the DNA of unidentified suspects in order to answer: “Who left this DNA at the crime scene?”
Biometric authentication is a process comparing an individual’s biometric data to stored, confirmed authentic data in a database to answer: “Are you really who you say you are?”
For example, if you set up a fingerprint login on your smartphone, your device will ask you to capture and store your fingerprint pattern. Each time you log in using fingerprint authentication, your device will check your fingerprint pattern against the saved template and determine your identity.
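The difference between the two questions shows up clearly in code. The sketch below is an added example, not taken from any real product: the feature vectors, the cosine-similarity matcher and the 0.98 threshold are all assumptions chosen for illustration.

```python
import math

# Constructed enrollment database: user id -> stored template (feature vector).
# Real systems derive such vectors from a sensor; these values are made up.
TEMPLATES = {
    "alice": [0.91, 0.10, 0.35, 0.62],
    "bob":   [0.15, 0.88, 0.54, 0.20],
    "carol": [0.40, 0.42, 0.90, 0.11],
}
THRESHOLD = 0.98  # assumed minimum similarity that counts as a match

# Constructed fresh scan: close to alice's template but never identical,
# because two captures of the same finger or face always differ slightly.
FRESH_SCAN = [0.89, 0.12, 0.37, 0.60]


def similarity(a, b):
    """Cosine similarity between two feature vectors (1.0 = same direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def authenticate(claimed_id, sample):
    """1:1 check ("Are you who you say you are?"): one template is compared."""
    template = TEMPLATES.get(claimed_id)
    if template is None:
        return False  # unknown account: fail closed
    return similarity(template, sample) >= THRESHOLD


def identify(sample):
    """1:N search ("Who are you?"): every enrolled template is compared.

    Each extra template is one more chance of a false match, so large
    databases need stricter thresholds than a single-user phone unlock.
    """
    best_id, best_score = None, 0.0
    for user_id, template in TEMPLATES.items():
        score = similarity(template, sample)
        if score > best_score:
            best_id, best_score = user_id, score
    return best_id if best_score >= THRESHOLD else None


if __name__ == "__main__":
    print(authenticate("alice", FRESH_SCAN))  # claim checked against one template
    print(authenticate("bob", FRESH_SCAN))    # same scan, wrong claimed identity
    print(identify(FRESH_SCAN))               # no claim: search the database
```

Note that matching is always a similarity score against a threshold, never an exact comparison like a password check.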
How does biometric security work?
So, could biometrics, and in particular biometric authentication, really replace traditional passwords and transform how we access our accounts and devices? After all, we have passwords for everything these days.
The first thing we need to understand is what's involved in a biometric system.
A biometric security system is made up of three components:
- A sensor - to read your biometrics
- A computer - to store your biometrics
- Software - to connect the computer and sensor
Sounds relatively simple.
And it kind of is!
The use of biometrics has ramped up for many reasons - increased public acceptance, improved technological accuracy and the affordability of the sensors, computers and software.
Technology once only used by the military or law enforcement is now cropping up in all aspects of our everyday lives.
What is biometric security used for?
If you haven’t already, you will soon notice biometric security appearing more and more as you go about your daily business: in banking, in retail and, as mentioned above, even when unlocking your mobile device.
Here are some examples of where you’ll see biometrics used today.
Single sign-on (SSO) and Healthcare
Single sign-on (SSO) is an authentication service allowing a user to log in with a single ID and password to any of several related but separate software systems.
For example, your Google username and password can log you in to your Gmail, but also YouTube, Google Drive, your Google Calendar and so on.
That’s one powerful login ID.
SSO is also widely used in healthcare services to allow healthcare providers access to multiple systems quickly and easily. However, healthcare is also among the most vulnerable industries when it comes to data breaches. As a result, there has been particular urgency in the healthcare sector to move to biometric SSO, to take advantage of the speed and security it offers.
Banking customers are tired of the threat of identity theft and the constant inconvenience of having to prove their identity.
Therefore, demand for banks offering biometric security is on the rise.
And banks are responding.
Many banks with mobile apps use biometrics for user authentication. The types of biometrics used include fingerprint scanning, facial and voice recognition.
Some banks use a combination of these biometrics to add an extra layer of security in the form of multi-factor authentication.
Both Android and iOS devices have added biometric security features over recent years.
In 2011, the Motorola Atrix was the first consumer smartphone to feature integrated fingerprint scanning. It was far from perfect but since then the technology has come on in leaps and bounds and is now a feature of almost every modern smartphone.
But it doesn’t stop at fingerprint scanning.
In 2017, Apple’s iPhone X showcased a new biometric authentication feature - Face ID.
This facial recognition feature works by projecting a pattern of more than 30,000 infrared dots onto the user’s face, then reading the pattern to create a facial map of the user.
This allows the device to read the user’s face and authorize them to log in.
Samsung has its own take on facial recognition technology in its Intelligent Scan feature. This combines iris scan and facial recognition to provide biometric multi-factor authentication.
Types of biometrics for security and authentication
As we’ve learned above, biometric security doesn’t end with fingerprint scanners. Humans have all sorts of characteristics that make them unique. These unique features make them ideal security tools.
Here are some of the different types of biometrics you might see replacing your passwords in the near future.
Facial recognition works when an image of your face is captured on camera. Software then reads various measurements and points of your face, such as the distance between your eyes, to create your facial signature.
Face recognition is a feature of modern Apple smartphones used to unlock the device. According to Apple, the chance of a face other than your own unlocking your phone is about one in a million!
Did you know the human iris holds more than 200 points of reference while a fingerprint holds just 60-70?!
The iris is a muscle in your eye and opens and closes your pupil, controlling the amount of light entering your eye. If you look very closely in the mirror, you’ll see the patterns in your right iris are completely different to your left. And you certainly won’t find another human with the same iris pattern as you.
This makes iris recognition an excellent way to determine your identity. It’s achieved by scanning and recording your iris patterns to use later to authenticate you.
Believe it or not, this type of optical recognition has been used for user authentication in smartphones as far back as 2015, with the Lumia 950 and Lumia 950 XL.
Vein recognition is also growing in popularity due to its simplicity and security.
It works by scanning your finger. But this time, rather than scanning your fingerprint ridges, the device actually scans through your finger to detect your vein pattern.
This is an even more secure biometric than fingerprints. While you may leave your fingerprints on items you touch (which can be lifted and replicated), there’s no way you can leave your vein pattern behind!
The technology can also scan veins in the palm of your hand, as seen in LG’s G8 smartphone and in your face, as in Apple’s Face ID feature.
Biometrics aren’t just limited to your physical features. Voice or “voiceprint” biometrics technology is developing quickly and is already used by some financial institutions to authenticate users carrying out transactions via telephone, for example.
A voice sample is recorded, usually with the user reciting text or phrases, so the sample can be analyzed digitally for tone and frequencies. Then the system compares the user’s spoken pass phrase to this stored digital voiceprint. Some voice recognition technology will require a fixed passphrase while others can recognise the voiceprint even through unfamiliar, unfixed passphrases.
Another non-physical form of biometric security is handwriting recognition.
This captures a person’s handwriting behavior rather than the final handwritten output. Dynamic signature verification technology confirms the user’s identity by analyzing the shape, speed, stroke, pen pressure and timing information during the act of signing.
These unique handwriting behaviors are extremely difficult to recreate by anyone other than you so are a highly effective way of verifying a user’s identity.
Is biometric security safe?
While this technology is undeniably exciting and may seem like the answer to all our cybersecurity problems, it’s important to understand it does not guarantee security.
While it might require a bit more effort to crack than a weak password, biometric security can still be breached.
Cybercriminals have successfully lifted fingerprints left behind on surfaces to make impressions and breach biometric security systems.
We also need to consider the security of the database holding your biometric information. In order to verify your identity, the first step is to scan your unique biometrics, whether it’s your fingerprint, vein pattern or your voiceprint, then save it to a database.
But what happens if your biometric data is compromised?
How will you change your password?
Unfortunately, this is a very real concern and a breach has already happened.
In 2015, the US Office of Personnel Management announced the theft of 5.6 million fingerprints in a damaging cybersecurity incident.
So, biometric security isn’t bulletproof. It comes with its advantages and disadvantages. Here’s a summary.
Advantages of biometric security
- Improved security
Biometric authentication, while not perfect, is much more difficult to hack than traditional logins and passwords.
- No more memorizing passwords
The need to memorize passwords tempts people into setting weak ones. Biometrics removes the need to remember anything.
- No more forgetting passwords
By their very nature, strong passwords aren’t usually memorable. Forgetting your password can be frustrating and time consuming.
If you have fingerprint authentication set up on a modern cell phone, you’ll agree the speed at which technology can read and identify your measurements is significantly faster than inputting any password or PIN.
- Identification on the go
The great thing about biometrics is they are always on you, wherever you go. You can’t accidentally leave them at home or on the train!
Disadvantages of biometric security
The environment can impact how well the technology functions. For example, a very cold environment can cause a higher error rate when attempting to authenticate a user.
There’s always a chance the technology will return an error. When the device accepts an unauthorized user, it is known as a False Acceptance. When it rejects an authorized person, it is known as a False Rejection. Both have been known to happen.
- Requires hardware and integration
Not only does the biometric system rely on having the trio of a sensor, computer and software, it also requires a programmer’s knowhow to manage the system. It’s fair to say a biometric system is more complex than a lot of other security alternatives.
- Scanning challenges
Certain scenarios, such as wearing glasses when trying to scan your iris, can cause scanning difficulties and slow down what should be a convenient and quick process.
While biometric systems are cheaper than ever before, they are still more costly than other traditional security devices.
- Can’t be reset once compromised
To use biometric authentication you need to allow your unique biometrics to be held on a government or organization’s database. What happens if this database is breached? Unlike a password, you can’t change it.
- Physical disabilities and population coverage
Biometric security will not work for everybody. For example, someone may have lost body parts such as fingers or eyes and will be unfairly excluded from the system.
Some biometric systems will require large numbers of people to come in contact with the same scanners which can raise hygiene concerns.
How to protect biometric data?
While most of the responsibility to protect your biometric data falls with the organizations gathering it, you have a personal responsibility to respect and protect it too.
Here are some principles businesses and individuals should follow to protect this valuable information from cybercriminals.
How organizations should protect biometric data
- Use anti-spoofing technology to protect against unauthorized users tricking the system, such as using rubber masks to breach facial recognition.
- Keep all software and systems up-to-date
- Use strong internal passwords
- Use multi-factor authentication
- Use strong cybersecurity software and processes
How you should protect your biometric data
- Respect your biometrics and only share them with highly trusted organizations.
- Check the necessary cybersecurity controls are in place with any organization you share your data with.
- Only share it where necessary. For instance, consider whether enabling Facebook’s facial recognition is entirely necessary.
- Maintain strong passwords to block any easy routes for hackers to steal your biometrics.
- Use trusted cybersecurity software to keep your digital life secure.
Check out Clario’s digital security solution for an easy way to cover all your online protection and privacy needs in one simple subscription and smart app.
Is biometric security here to stay?
While biometric security might have advantages and disadvantages, one thing is for sure: it’s here to stay.
With every passing month, the technology becomes more fine-tuned, convenient, user-friendly, widely used and accepted.
It has proved to be a more secure way of protecting accounts than traditional logins and passwords. The industries in need of it most such as healthcare and finance continue to demonstrate their trust in it.
As the saying goes, with great power comes great responsibility and this is the case with biometric security. While it has endless benefits, the cost of disrespecting its power could be catastrophic. Businesses and individuals alike have the responsibility to do everything possible to protect this unique human data. Let’s work together to keep ourselves safe online.