Biometric Fingerprint Authentication Explained

July 9, 2023

Fingerprint authentication is one of the most widely used and effective types of biometric authentication available to developers. It works by leveraging the biological phenomenon of human fingerprints, which are among the most unique identifiers a person can have.

Because of a complex interplay of genetic and environmental factors, even identical twins do not share fingerprints. This is why accurate scans (along with other security assurances) make fingerprint authentication a boon to any login system.

What is biometric fingerprint authentication?

Fingerprint authentication is a secure way of verifying identity without using passwords, relying on unique biometric data to prevent identity fraud. With the rapid adoption of technology that incorporates fingerprint scanning functionality (cellphones, laptops, etc.), fingerprints have become increasingly popular authentication methods.

Other biometrics commonly used for authentication include scans of facial features, retinas, palms, voice analysis, or a combination thereof. For example, palm scans may include fingerprint data and facial recognition may include retinal scans.

How accurate is fingerprint biometric auth?

The National Institute for Standards and Technology (NIST) has periodically conducted studies and provided commentary on the accuracy of fingerprint biometrics and matching technology. In a 2004 press release, NIST said:

“The best system was accurate 98.6 percent of the time on single-finger tests, 99.6 percent of the time on two-finger tests, and 99.9 percent of the time for tests involving four or more fingers. These accuracies were obtained for a false positive rate of 0.01 percent.”

More recently, NIST also conducted a fingerprint identification accuracy test, the executive summary of which states:

“The most accurate fingerprint identification submissions achieved false negative identification rates (FNIR, or “miss rates”) of 1.9% for single index fingers, 0.27% for two index fingers, 0.45% for four-finger identification flats (IDFlats), 0.15% for eight-finger IDFlats, 0.09% for ten-finger IDFlats, 0.1% for ten-finger rolled-to-rolled, 0.13% for ten-finger plain-to-plain, and 0.11% for ten-finger plain-to-rolled.”

In short, successful biometric identification happens in over 98% of cases at worst. In ideal applications, you can expect upwards of 99% accuracy when using multiple fingers. Moreover, modern fingerprint scanners (such as those on your phone or laptop) ask users to scan fingerprints repeatedly while taking the initial samples to improve accuracy even further.

How fingerprint authentication works

First, users must onboard fingerprint data onto the device or platform they’re using their fingerprints to authenticate. This involves scans of one or more fingers, usually with an optical scanner.

In most cases, light is directed at the finger(s) from multiple angles to detect how the ridges and valleys (and other features) capture and reflect it. Thermal or ultrasound processing may also be applied in more advanced deployments. All these analytics contribute to a baseline fingerprint value that's compared to future verification attempts.

Once the fingerprint data is captured, users are prompted to press their finger or fingers against the scanner at login. The app will compare the input against the baseline fingerprint and provide access if it matches.

It’s important to note that the fingerprint biometric data is stored as an encrypted numeric value as opposed to raw data. This means that even if a criminal managed to infiltrate a system and gain access to biometric data, they would only find the encrypted value which is virtually impossible to exploit further.

Sometimes developers may prioritize ease of access over security and reduce the accuracy burden of the match. Fingerprint authentication can also be combined with other credentials for maximum multi-factor authentication (MFA) effectiveness.

Advantages of fingerprint authentication

Fingerprint auth builds on the benefits of passwordless authentication with:

Improved UX. After the initial onboarding scan, users can rely on swift and easy authentication for login without memorizing a complex password.

Enhanced security. The accuracy and uniqueness of fingerprints make fingerprint auth significantly more secure than primary factors like passwords, PINs, or questions.

Better integration possibilities. Users’ fingerprint data is primarily collected and managed through the device(s) used to access your app, allowing for flexible integration.

If end users of your app or website will likely access it on mobile devices with built-in fingerprint scanning functionality, consider building it into your auth scheme. However, it’s always best as an available option rather than the only option.

Drawbacks of fingerprint authentication

As noted above, fingerprint scans are accurate at least 98% of the time at worst, with ideal outcomes topping out around 99.91% accuracy. However, biometrics overall do not meet NIST’s standards for accuracy. NIST’s ideal miss rate is 0.00001% or one error in every 100,000 scans.

Even the best fingerprint auth methods are not hitting 99.99999% accuracy— yet.

Just like any other auth method, fingerprint scans are also not 100% secure. In one recent study, cybersecurity professionals attempted to fake fingerprint scans by creating a replica from traces of users’ fingerprints. In about 80% of cases, the fabricated fingers could grant access. However, the researchers also said:

"Reaching this success rate was difficult and tedious work. We found several obstacles and limitations related to scaling and material physical properties.”

This means the barrier for cybercriminals attempting to spoof fingerprint authentication is much higher than attempting to steal users’ passwords.

Fingerprint authentication and FIDO

Fingerprint authentication based on the FIDO2 and WebAuthn standards addresses most of the drawbacks mentioned in the previous section.

The FIDO standard has stringent requirements for both False Acceptance Rate (FAR) and False Rejection Rate (FRR) to ensure that incorrect users aren’t falsely accepted or correct users aren’t falsely rejected, further improving accuracy requirements.

FIDO-based fingerprinting is also MFA without the extra step. Users scanning their fingerprint unlocks a private key on their device which is then matched with the public key on the account they are trying to access. This means that both the users’ inherence (biometrics) and possession (device) are used as authentication factors.

When should you adopt biometric fingerprint authentication?

Fingerprint auth is applicable in a wide variety of contexts. Some of the most common are:

Mobile apps: Since most smartphones come with built-in fingerprint scanners today, any mobile application can add fingerprint authentication for fast, easy, and secure login for users.

Travel-related apps. Airlines and terminals in the United States and worldwide are increasingly open to using biometric information to authenticate travelers, including face and finger scans.

Healthcare services. Environments with sensitive data subject to HIPAA protections require greater attention to detail for authentication, making fingerprint identification ideal.

Government functions. Many law enforcement, military, and other government offices already utilize fingerprints and other scans. Apps for these departments, or the many organizations that work with them, leverage fingerprint scans for various applications.

Ultimately, any app targeting users with current biometric technology can put fingerprint authentication to use, at least optionally.

Implement FIDO-based fingerprint auth with Descope

Fingerprint authentication gives developers another accurate, easy way to verify user identities. Fingerprint scans streamline the login process, providing better UX without compromising privacy and security. And they work best when integrated seamlessly into your auth suite.

Descope helps developers easily add fingerprint authentication through WebAuthn and passkeys to their applications with a few lines of code. Descope’s drag-and-drop workflows, SDKs, and APIs abstract away the complexity of building fingerprint authentication in-house – saving time for developers to focus on their core app efforts.