What is Biometric Authentication?
Biometric authentication is the process of validating a person’s identity based on certain immutable physical or behavioral characteristics. It is used to grant people access to online applications, secure physical facilities, and more. If implemented correctly, biometric authentication is a safer and more convenient alternative to knowledge-based authentication methods like passwords and PINs.
Types of biometric authentication
There are multiple types of biometric authentication in use today, with more being researched for everyday implementation.
Fingerprint authentication uses the unique ridges and patterns of a person’s fingerprint to validate their identity. The ubiquity of electronic devices equipped with fingerprint scanners has made this one of the most common forms of biometric authentication in use today.
Examples: Apple Touch ID, Windows Hello, some car models with fingerprint scanners, law enforcement use
Facial recognition systems analyze the unique anatomy and geometry of a person’s face to validate their identity. Each human face has around 80 nodal points including the distance between the eyes, width of the nose, and length of the jawline. Scanners convert these nodal points into a faceprint or an encrypted digital model. Modern face recognition systems can also perform “liveness detection” to prevent cybercriminals from using static photographs or other fake representations in spoofing attempts.
The wide adoption of laptops, tablets, and mobile devices with cameras has made facial recognition a popular form of biometric authentication.
Examples: Apple Face ID, Windows Hello, credit card payments
Iris / retina scans
There are two methods of scanning a person’s eye for the purposes of biometric authentication. Retina scans analyze the unique pattern of blood vessels around the eye, while iris scans analyze the colored rings found in the iris. Iris scanners collect close to 240 biometric features, the numeric representation of which is stored for authentication.
Eye scans are very accurate but can be tricky to implement because they need infrared light sources, compatible cameras, and low light pollution.
Voice recognition technologies analyze the unique tone, pitch, and accent of a person’s voice to validate their identity. Physical traits such as the shape of the nose and the length of the vocal tract determine a person’s voice, making it a viable authentication factor. Just like with facial recognition, voice authentication systems can use liveness tests for additional security to prevent spoofing attempts.
Examples: Call centers, customer support
Emerging biometric authentication methods
The following biometric technologies are nascent but gaining ground:
Gait recognition: Gait recognition systems use a person's manner of walking to validate their identity. This form of biometric authentication is based on factors including length of step and stride, foot and hip angles, and cadence of the gait.
Vein recognition: Vein recognition systems analyze the unique pattern of blood vessels in a person’s hand or finger to validate their identity. Vein recognition, if implemented correctly, is more accurate than any other form of biometric authentication. Amazon Go stores use a form of vein recognition in their palm scanners for shoppers.
Why biometric authentication is growing
Markets and Markets projects that the global biometric systems market will grow to $82.9 billion by 2027. A few key trends are behind this growth:
Biometric scanners in everyone’s hands
The global popularity of smartphones with built-in fingerprint and facial recognition has brought biometric authentication into the mainstream. Counterpoint Research estimated that one billion phones would include facial recognition in 2020, a number that is sure to have increased manifold in 2022.
With Apple, Google, Microsoft, and Samsung including biometric authentication in their devices, it’s no surprise that customer adoption has soared. Mercator estimates that 66% of smartphone owners will use biometrics for authentication by 2024.
The inherent weakness of passwords
Passwords are present in almost every aspect of online existence today, introducing both user friction and security challenges in the process.
People find it hard to create and remember strong, unique passwords for every online account. Forgetting passwords leads to user drop-off and laborious reset processes that are fun for no one. Users also have a tendency to reuse passwords across multiple accounts, which increases the likelihood of credential stuffing and account takeover.
Biometric authentication is a safer and more convenient alternative to passwords. Fingerprint or facial recognition scans take much less time than typing in passwords. These methods also do not require the users to remember anything, thus reducing churn and drop-offs.
Enter stage right, WebAuthn
Once biometrics-enabled devices put the key in the ignition for biometric authentication, WebAuthn pressed on the gas pedal. The Web Authentication API allows web applications to use device-based biometrics to register and authenticate users in a secure, convenient, and passwordless manner. With growing support from popular browsers and operating systems, WebAuthn is sure to make its way into more applications in the months and years to come.
Looking for a way to test your WebAuthn flows? Check out Virtual WebAuthn, a set of Go tools that help developers test WebAuthn flows without needing a browser or an actual authenticator.
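The WebAuthn registration and authentication requests described above, and the "secrets are never shared with the server" property noted later under the pros, as an added example that is not code from the original article or from Virtual WebAuthn. The relying-party id, user id, credential id and challenge values are constructed placeholders; a real relying party generates a fresh random challenge per request.

```javascript
// Added example (not from the original article): building the WebAuthn option
// objects that ask the browser for the device's built-in biometric authenticator.
// All identifiers and challenges are constructed placeholders.

// Decode base64url (the encoding servers usually use for WebAuthn fields).
function base64urlToBuffer(b64url) {
  const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

// Registration: passed to navigator.credentials.create(). The private key is
// generated and kept on the device; only the public key reaches the server.
function buildRegistrationOptions({ rpId, rpName, userId, userName, challenge }) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user: { id: base64urlToBuffer(userId), name: userName, displayName: userName },
      challenge: base64urlToBuffer(challenge),
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: {
        authenticatorAttachment: "platform", // Touch ID, Face ID, Windows Hello
        userVerification: "required",        // biometric (or device PIN) must pass
        residentKey: "preferred",
      },
      attestation: "none", // device attestation is not needed just to sign in
      timeout: 60000,
    },
  };
}

// Authentication: passed to navigator.credentials.get(). The device signs the
// fresh challenge with the stored private key; no biometric data is ever sent.
function buildAuthenticationOptions({ rpId, challenge, credentialIds }) {
  return {
    publicKey: {
      rpId,
      challenge: base64urlToBuffer(challenge),
      allowCredentials: credentialIds.map((id) => ({ type: "public-key", id: base64urlToBuffer(id) })),
      userVerification: "required",
      timeout: 60000,
    },
  };
}
```

In the browser, `navigator.credentials.create(buildRegistrationOptions(...))` prompts for the fingerprint or face scan and returns a credential whose public key and id the server stores for later `get()` calls.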
Protected by privacy
There have been privacy concerns around biometric authentication, which has led to biometric information being protected by a number of privacy acts and regulations. The Illinois Biometric Information Privacy Act (BIPA) from 2008 was one of the first pieces of legislation that required organizations to have clear policies and guidelines around the collection and use of biometric information.
The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other acts have followed suit by focusing on biometric personal data. These laws require clear consent from the user before their biometrics are collected, allow the user to have their biometric data deleted, and more.
Biometric authentication solutions that are FIDO Certified take an even more privacy-first approach. FIDO certified authentication ensures that biometric information is never stored on servers, but is rather encrypted and stored locally on the user’s device.
The components of a biometric authentication system
Using an example of a smartphone with a fingerprint scanner, let's see the common components of a biometric authentication system. Generally, there are three components:
In this example, the sensor is the fingerprint scanner built into the phone. The sensor has capacitive scanners that read the electric currents created by a user’s unique fingerprint.
When the user sets up their fingerprint for the first time, conductor plates on the surface of the scanner read the ridges and valleys of the fingerprint. The fingerprint is then converted to digital data (as a fingerprint template) that is stored locally on the user’s device.
Most smartphones have local and secure storage for the fingerprint template during verification. The stored template allows the system to validate whether the user currently requesting access is the same user whose fingerprint template is stored on the device.
The third component is a computing device that compares the fingerprint scans captured by the sensor with the fingerprint template stored in the database.
This video from the Visa security team explains the process in greater detail.
Pros and cons of biometric authentication
Better security: Since biometric authentication is based on “who users are”, biometric credentials are much tougher to steal and repurpose than passwords, PIN codes, and other forms of knowledge-based authentication. Using biometric authentication as part of WebAuthn also ensures that secrets are never shared with the server, vastly reducing the attack surface.
Improved user experience: Touching a scanner or blinking at a camera happens much quicker than typing in credentials. Biometric authentication also doesn’t require users to create and memorize passwords.
Wide adoption: Biometrics are built into everyday electronic devices and being used by a wide range of applications. Multiple surveys have found that users prefer using biometrics over passwords for authentication.
Edge cases of failed authentication: Although a person’s biometrics are immutable, certain conditions can cause biometric authentication to fail. For example, a fingerprint sensor may not read wet or dirty hands, and voice recognition may fail if the user has a sore throat.
Potential bias in training data: The training data used to hone biometric authentication systems is heavily weighted towards white males. This has resulted in failed authentication and incorrect identification of women, people of color, and other groups not represented in the training data. Tech companies are aware of this problem and continue to make improvements.
No starting over: For all their flaws, passwords can be changed if they are stolen. However, it’s impossible for users to change their fingerprint or face if the associated biometric data is stolen. This makes it even more important to store user biometric data locally rather than on centralized servers.