Most people have encountered biometric authentication at some point in their lives, whether it’s a fingerprint scan at work or a retina scan to log into a smartphone. We’ve long known that passwords are weak—even complex passwords run the risk of being hacked—and biometric authentication seems like an impenetrable force.
Despite the widespread use cases from the everyday to protecting highly sensitive financial or government data, it’s important to understand how biometric authentication works and its limitations.
What is biometric authentication?
At a basic level, biometric refers to biological measurements and calculations. Biometric authentication relies on a person’s unique physical or behavioral characteristics to confirm identity. When a device is first used, biometric data (like a fingerprint) is registered, and subsequent attempts to access the device are compared against the registered data.
Unlike passwords, which can allow remote access if a hacker obtains the password, biometric authentication requires the person to be physically present. It’s like using a key: you need to be standing in front of the lock, holding the key, to open the door. Except each key is unique to the individual.
If the biometric algorithm determines that the provided data is similar enough to the stored data, then access is granted. Over time and with each subsequent login, biometric authentication grows stronger and more accurate.
Authentication that relies on physical characteristics of a person is called physiological biometric authentication. Physical characteristics can include fingerprints, retina scans, facial recognition, and voice recognition. The authentication attempt is captured using scanners or sensors on the device.
Behavioral biometrics analyzes patterns in human activity, such as mouse activity, keystroke movements, or touchscreen behavior (like pressure and press size). Behavioral biometrics, like typing patterns, are very difficult to imitate and can distinguish between the device’s authorized users and activity from an outsider, like a cybercriminal or an automated attack. As a result, behavioral biometrics is gaining traction in high-security industries.
Is biometric authentication secure?
When a user initially registers biometric data, it is securely stored within the device’s systems. It isn’t stored as a “picture” (like a copy of the user’s fingerprint) but as binary data. Even if a hacker were able to obtain the stored data, it would be useless without the system’s proprietary algorithm to “read” the data.
Instead, bad actors try to instead replicate the user’s physical traits to “trick” the system. This is called biometric spoofing and while not impossible to pull off, it’s very difficult. For example, back in 2020, Cisco’s Talos Intelligence Group successfully 3-D printed a fingerprint, making it possible to create fake fingerprints.
More recently, in Australia, an AI-generated voice was trained to sound like a person. The AI was then able to “pass” through a voice recognition security system and access sensitive account information.
Since both of these efforts would take considerable effort and energy, they’re unlikely to be used to attack an ordinary individual. But if spoofing efforts become more scalable as technology improves, the risks become much bigger.
Multi-factor authentication is better
Europe uses an authentication model called strong customer authentication (SCA) specifically for online payments. The requirements went into effect in 2019. Rather than relying on a single authentication method, the person needs to be verified in two ways, such as a password and biometric data.
Multi-factor authentication has also gained popularity in recent years with a similar two-step verification method, usually relying on a code sent to a separate device the user can access. A multi-step process makes it more difficult for fraudsters to gain access since they’d have to bypass not one, but two systems. FIDO Alliance, is a global authentication standard based on public key cryptography with the goal of simplifying login for consumers across devices while maintaining strict security practices.
No matter what new technology arrives on the scene, bad actors will always try to find ways to break in. The best security will come from a combination of verification tactics.